I have a number of VPN sites where the MTU is lower than standard (1500). I have had at least one site where fragmentation of packets has had an effect on the success of building an IPSEC tunnel.
I am able to set the MTU on the equipment at the remote sites. However, at head office I wouldn't want to set the MTU to the lowest common denominator.
Is there a way of setting an MTU lower for traffic destined to a specific IP address?
Is fragmentation something I need to worry about for functioning VPN connections? Is it worth addressing this where I don't have problems?
HQ equipment is an ASA 5510. Remote sites have ASA 5505.
Best Answer
Not that I know of.. virtual tunnel interfaces would sure be nice.
Try
crypto ipsec df-bit clear-df outside, to let everything fragment - this won't really fix MTU issues, but it'll work around them by letting packets fragment instead of dropping.Also, do the tunnels successfully do path MTU discovery? MTU issues in the path should get a path MTU ICMP response, which should trigger the tunnel to dynamically adjust its MTUs (the
#PMTUs ...line of the sh crypto ipsec sa command).