Problem with MTU
Problem
One of our customers has two branches. There is a Site-2-Site VPN (based on Cisco ASA devices) between those two branches. There was a weird problem when traffic went through that Site-2-Site VPN tunnel. Some communications were fine, but most of them didn’t work. Problems that we noticed:
- OutlookAnywhere didn’t work
- Domain controllers from both sides couldn’t replicate
- HTTPS connections didn’t work
- ESX client didn’t connect to ESXi server via tunnel (Call “ServiceInstance.RetrieveContent” for object “ServiceInstance” on Server…)
Solution
Change the MTU on the computer to something lower than 1500. You can use the following commands:
netsh int ip show int
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1300 store=persistent
If everything works, you need to adjust the MTU on the Cisco ASA devices. There is a great article about it HERE. We used Method 2.
This change made local administrators very very very happy 🙂
Hi Ondrik,
Nice observation! I hope, though, that you haven’t left the end hosts with the decreased MTU.
By the way, there’s also another way of testing for MTU issues without meddling with the sensitive interface settings such as MTUs – just use the ping with the DF bit set while varying the payload size. With all things good, pings of up to 1500 bytes including IP and ICMP headers should be sent and received well. If any MTU issue exists along the path, you’ll either get no responses, or Destination Unreachable/Packet Too Big replies from routers on the path, for all pings whose total size approaches, though isn’t equal to, 1500 bytes.
Best regards,
Peter
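The DF-bit ping test described in the comment above, automated as a binary search over the payload size (an added example, not part of the original post or its comments). It assumes Windows PowerShell and the .NET System.Net.NetworkInformation.Ping class; the function names and the target address are hypothetical.

```powershell
# Added example. Sends ICMP echo requests with the Don't Fragment bit set and
# reports whether any of $Attempts probes of the given payload size is answered.
function Test-DfPing {
    param([string]$Target, [int]$PayloadSize, [int]$TimeoutMs = 2000, [int]$Attempts = 2)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $options = New-Object System.Net.NetworkInformation.PingOptions(64, $true)  # TTL 64, DF = true
    $buffer  = New-Object byte[] $PayloadSize
    try {
        for ($i = 0; $i -lt $Attempts; $i++) {
            try {
                $reply = $ping.Send($Target, $TimeoutMs, $buffer, $options)
                if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) {
                    return $true
                }
            } catch {
                # Treat send errors (e.g. packet larger than the local MTU) as a failed probe.
            }
        }
        return $false
    } finally {
        $ping.Dispose()
    }
}

# Binary search for the largest payload that crosses the path unfragmented.
# Returns the path MTU in bytes: payload + 20 (IPv4 header) + 8 (ICMP header).
function Find-PathMtu {
    param([string]$Target, [int]$Low = 548, [int]$High = 1472)
    if (-not (Test-DfPing -Target $Target -PayloadSize $Low)) {
        throw "No reply at $Low bytes of payload: host unreachable or ICMP filtered on the path."
    }
    if (Test-DfPing -Target $Target -PayloadSize $High) {
        return $High + 28   # 1472 + 28 = 1500, no MTU problem on this path
    }
    # Invariant: $Low is answered, $High is not.
    while ($High - $Low -gt 1) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        if (Test-DfPing -Target $Target -PayloadSize $mid) { $Low = $mid } else { $High = $mid }
    }
    return $Low + 28
}

# Usage (192.0.2.10 is a documentation placeholder; use a host behind the remote ASA):
#   Find-PathMtu -Target '192.0.2.10'
```

A result below 1500 for a host reached through the tunnel, while a host on the local LAN returns 1500, points at the tunnel overhead as the cause.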
Hello Peter 🙂
Thank you for your comment. The MTU on the end-user machine was not changed. It was solved by changing the settings on the ASAs.