Changing MTU for Cisco Site-to-Site VPN – Interface Configuration

cisco, cisco-asa, mtu, site-to-site

I have a number of Site-to-Site VPN tunnels in my network configurations. They are configured using Cisco ASA devices.

To resolve some performance issues I am trying to change the MTU for traffic through the VPN tunnel to 1400. My question is: In order to change the MTU for traffic through the tunnel, which interface do I need to change the MTU on? Do I just need to change it for the Outside interface? Or do I also need to change it for the Inside/other interface(s)?

Best Answer

The outside interface, but you need to be very careful with doing that, especially if you're setting the DF (don't fragment) bit rather than allowing fragmentation. If you set the DF bit and then send larger packets than the MTU allows for, you're gonna drop packets and cause issues. You will either need to make sure you're clearing the DF bit (to allow fragmentation) or make sure that you're only sending packets within your MTU range on both ends.
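The interaction between the outside MTU and the DF bit described in the answer can be modelled as below. This is an added example, not part of the original answer and not ASA code. It assumes ESP tunnel mode with AES-CBC and HMAC-SHA1-96 and no NAT-T, and the policy names `clear`, `copy` and `set` are the model's own labels for how the outer DF bit is chosen.

```python
# Added illustration: a simplified model of tunnel MTU vs. the DF bit.
# Assumed (not from the page): ESP tunnel mode, AES-CBC (16-byte IV and
# block), HMAC-SHA1-96 (12-byte ICV), no NAT-T encapsulation.
OUTER_IP = 20      # new outer IPv4 header
ESP_HDR = 8        # SPI + sequence number
IV = 16            # AES-CBC initialisation vector
BLOCK = 16         # AES block size, payload is padded to this
ICV = 12           # truncated HMAC-SHA1 integrity value
ESP_TRAILER = 2    # pad-length byte + next-header byte


def esp_packet_size(inner_len):
    """Size on the wire of an inner IP packet after ESP encapsulation."""
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // BLOCK) * BLOCK  # round up to a full block
    return OUTER_IP + ESP_HDR + IV + padded + ICV


def max_inner_packet(outside_mtu):
    """Largest inner packet whose encapsulated form fits in outside_mtu."""
    room = outside_mtu - (OUTER_IP + ESP_HDR + IV + ICV)
    return (room // BLOCK) * BLOCK - ESP_TRAILER


def outer_df(inner_df, policy):
    """DF bit placed on the outer header under the chosen policy."""
    if policy not in ("clear", "copy", "set"):
        raise ValueError("policy must be clear, copy or set")
    return {"clear": False, "set": True, "copy": inner_df}[policy]


def forward(inner_len, inner_df, outside_mtu, policy):
    """Return 'pass', 'fragment' or 'drop' for one packet entering the tunnel."""
    if esp_packet_size(inner_len) <= outside_mtu:
        return "pass"
    # Too big for the outside MTU: DF set means it cannot be fragmented.
    return "drop" if outer_df(inner_df, policy) else "fragment"


if __name__ == "__main__":
    mtu = 1400  # the value from the question
    print("largest inner packet that fits:", max_inner_packet(mtu))
    for size in (1342, 1343, 1500):  # constructed sample sizes
        for policy in ("clear", "copy", "set"):
            print(size, policy, forward(size, True, mtu, policy))
```

Under these assumptions an outside MTU of 1400 leaves room for inner packets of at most 1342 bytes, so hosts behind the tunnel still sending 1500-byte packets with DF set are dropped unless the DF bit is cleared.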