Firewall Wizards: RE: CISCO VPN Concentrator and setting MTU per VPN Connection

From: Melson, Paul <PMelson_at_sequoianet.com>
Date: Mon, 8 Sep 2003 09:12:46 -0400

It's true in that you can only set the MTU on the concentrator (or the client) by interface. Worse yet, doing so drops *all* tunnels on the concentrator, forcing them to rebuild. The concentrator admin is wise to avoid this if possible.

That said, changing the MTU setting on the client and concentrator interfaces may not be necessary, depending on your problem. If the problem has to do with packets that are encapsulated being fragmented, you can address this by modifying the IPSec Fragmentation Policy on the client, the concentrator, or both. Try changing this setting to 'fragment prior to encap w/ path discovery' (probably not the exact wording, but close enough). This will set the defrag bit on fragmented packets and the concentrator should reorder and defrag packets as they are decapsulated on its internal interface. This may require making the same change on the concentrator, but try changing it on just the client first.

Good luck!

PaulM

> -----Original Message-----
> I'm working one end of a VPN performance problem that seems to be MTU
> and fragmentation related. My end is a CISCO Hardware VPN 3002 client.
> The other end is a CISCO VPN Concentrator.
>
> I recommended lowering the MTU setting on both ends and then testing.
> But the admin on the VPN Concentrator end just told me it is impossible
> to change the MTU for a paritcular tunnel, that you can only change the
> MTU for all the tunnels, and there are several other remote sites.
>
> Is this true? Is there any way around this?
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Sep 08 2003
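Paul's advice turns on where fragmentation happens relative to ESP encapsulation. The following is an added worked example (my code, not from the thread, from Cisco, or from the concentrator's software) that puts numbers on it for a 1500-byte cleartext packet crossing a 1500-byte path: how many bytes ESP tunnel mode adds, the largest cleartext packet that still fits, and what actually leaves the interface under "fragment after encapsulation" versus "fragment before encapsulation". The transform set is an assumption (AES-CBC with a 16-byte IV, HMAC-SHA1-96 ICV, optional NAT-T UDP header); the thread does not say what the concentrator negotiates, so change the Transform fields to match a real SA. The policy names and the Transform type are my labels, not Cisco's.

```python
"""Added example: ESP tunnel-mode overhead and the two fragmentation policies.
Not code from the original post or from Cisco. Field sizes follow RFC 4303
(ESP header/trailer), RFC 3602 (AES-CBC IV) and RFC 2404 (HMAC-SHA1-96 ICV);
the cipher/MAC choice itself is an assumption, not something the thread states.
"""
from dataclasses import dataclass
from typing import List, Tuple

IP_HDR = 20        # IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), encrypted with the payload
UDP_HDR = 8        # only when NAT-T (UDP encapsulation, RFC 3948) is in use


@dataclass(frozen=True)
class Transform:
    iv_len: int = 16     # assumption: AES-CBC
    block: int = 16      # cipher block size; ESP pads the payload to it
    icv_len: int = 12    # assumption: HMAC-SHA1-96
    nat_t: bool = False


def esp_tunnel_size(inner_len: int, t: Transform = Transform()) -> int:
    """Outer packet length after ESP tunnel-mode encapsulation of an inner IP
    packet of inner_len bytes (inner header included)."""
    padded = -(-(inner_len + ESP_TRAILER) // t.block) * t.block  # ceil to block
    size = IP_HDR + ESP_HDR + t.iv_len + padded + t.icv_len
    return size + UDP_HDR if t.nat_t else size


def max_inner_len(mtu: int, t: Transform = Transform()) -> int:
    """Largest cleartext packet whose encapsulated form still fits in mtu.
    Brute force over a 16-bit range avoids off-by-one mistakes with padding."""
    return max((n for n in range(IP_HDR, mtu + 1) if esp_tunnel_size(n, t) <= mtu),
               default=0)


def _ip_fragments(total_len: int, limit: int, hdr: int = IP_HDR) -> List[int]:
    """Plain IPv4 fragmentation of a packet of total_len bytes so that each
    fragment is at most limit bytes. Non-final fragment payloads must be
    multiples of 8 (the fragment offset is in 8-byte units)."""
    chunk = (limit - hdr) // 8 * 8
    if chunk <= 0:
        raise ValueError("limit too small to carry a fragment")
    payload, frags = total_len - hdr, []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(hdr + take)
        payload -= take
    return frags


def prefragment(inner_len: int, mtu: int, t: Transform = Transform()) -> List[int]:
    """'Fragment before encapsulation': split the cleartext packet so that every
    piece, once wrapped in ESP, fits the path MTU. The peer decrypts each piece
    on its own and the inner host reassembles, as it would for any IP packet."""
    limit = max_inner_len(mtu, t)
    return [inner_len] if inner_len <= limit else _ip_fragments(inner_len, limit)


def plan(inner_len: int, mtu: int, policy: str,
         t: Transform = Transform()) -> Tuple[List[int], bool]:
    """Packets that leave the sending interface for one cleartext packet, and
    whether the receiving peer must reassemble ciphertext before it can verify
    the ICV and decrypt (the costly case for a busy concentrator)."""
    if policy == "after-encap":
        outer = esp_tunnel_size(inner_len, t)
        if outer <= mtu:
            return [outer], False
        # The ESP packet itself gets fragmented; the peer has to reassemble the
        # ciphertext before decryption can even start.
        return _ip_fragments(outer, mtu), True
    if policy == "before-encap":
        return [esp_tunnel_size(f, t) for f in prefragment(inner_len, mtu, t)], False
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    print("1500-byte packet encapsulates to", esp_tunnel_size(1500), "bytes")
    print("largest cleartext packet that fits a 1500 MTU:", max_inner_len(1500))
    for pol in ("after-encap", "before-encap"):
        print(pol, "->", plan(1500, 1500, pol))
```

The "after-encap" case is what Paul warns about: a 1500-byte cleartext packet becomes a 1560-byte ESP packet, the outer IP layer splits it, and the concentrator must hold and reassemble ciphertext fragments before it can check the ICV and decrypt. With "before-encap" the client pre-fragments to 1436 and 84 bytes, each ESP packet (1496 and 152 bytes) fits the path, and the peer decrypts every packet independently. Setting DF on the outer packets and letting PMTUD discover the real path MTU is what lets max_inner_len be computed from something better than a guessed 1500.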
