ASA 5505 and MTU issues

I just put an ASA 5505 into a site that previously had a PIX 501. When I did, about 1/3 of the users couldn't get to resources across the connecting LAN-to-LAN tunnel. On some of the desktops I loaded the VPN client, which defaults the MTU to 1300. This so far has resolved this.

This is the second site (they are not related) that had similar issues.

When I ping the server on the other side of the tunnel, I cannot send beyond 1272 MTU size.

ping -f -l 1273 asks for the packet to be fragmented.

Anyone else seen this?   

RE: ASA 5505 and MTU issues

There is a command in the ASA that sets the MTU value for TCP sessions; according to my notes it defaults to 1300 bytes. As you're using ICMP to test this, I would have expected you should have been able to use a larger packet size in your testing.

The command is `sysopt connection tcpmss <bytes>'

On the ASAs I've used, this command isn't displayed in the running config, but it does work. You could try `show sysopt'

Perhaps your ASA has had the default value altered? I suppose it could be set to a value that is too high for the VPN process to transmit it without fragmentation, and the clients may be set to don't fragment in the IP header.


RE: ASA 5505 and MTU issues

I checked it.  When I do the sh run sysopt I get:
sysopt connection tcpmss 1500
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn

The MTU sizes in the config for both inside and outside interfaces are set to 1500.

From what I read the tcpmss max is 1380.  Yet this one says 1500.  Not sure about that.

RE: ASA 5505 and MTU issues

Try setting `sysopt connection tcpmss 1300'; that should fix your issue.
It should be set to this as a default value; something must have gone wrong in your ASAs.

The Interface MTU values should be 1500, as they are standard Ethernet interfaces. The sysopt command sets the ASA to `sniff' the TCP handshake, and reduce the value to one that is suitable for an encrypted connection, to take into consideration the increased packet header size.
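
The arithmetic behind the `ping -f -l` test in this thread, as an added example (not part of any post and not Cisco code): it searches for the largest don't-fragment ICMP payload, converts it to an IP packet size, and derives the TCP MSS that fits. The `probe` callback and `simulated_tunnel_probe` are hypothetical stand-ins for the real ping, with the limit constructed from the 1272-byte figure in the first post; IPv4 and TCP headers are assumed to carry no options.

```python
IP_HEADER = 20    # IPv4 header without options (assumption)
ICMP_HEADER = 8   # ICMP echo header
TCP_HEADER = 20   # TCP header without options (assumption)


def largest_df_payload(probe, low=0, high=1472):
    """Binary-search the largest ICMP payload that passes with DF set.

    probe(size) returns True when a DF ping carrying `size` payload bytes
    is answered, False when it would need fragmenting or is dropped.
    Returns None when even the smallest probe fails (tunnel down, ICMP blocked).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits, look for something larger
        else:
            high = mid - 1     # mid is too big
    return low


def path_mtu(payload):
    """IP packet size produced by a ping with `payload` data bytes."""
    return payload + ICMP_HEADER + IP_HEADER


def tcp_mss_for(mtu):
    """Largest TCP segment payload that fits in one packet of size `mtu`."""
    return mtu - IP_HEADER - TCP_HEADER


def segment_fits(mss, mtu):
    """True if a full-sized segment at this MSS needs no fragmentation."""
    return mss + TCP_HEADER + IP_HEADER <= mtu


def simulated_tunnel_probe(size, limit=1272):
    """Constructed stand-in for `ping -f -l <size>` across the tunnel."""
    return size <= limit


if __name__ == "__main__":
    payload = largest_df_payload(simulated_tunnel_probe)
    mtu = path_mtu(payload)
    print(f"largest DF payload {payload} -> path MTU {mtu} -> MSS {tcp_mss_for(mtu)}")
    print("configured tcpmss 1500 fits:", segment_fits(1500, mtu))
```

The ping payload size is not the MTU: the ICMP and IP headers are added on top of it, and the TCP and IP headers are subtracted again to reach the MSS.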
