Friday, March 29, 2019

ISAKMP ignoring interface MTU

Yesterday I was having trouble turning up an IPSec connection between R1 and R4 in this topology.

The issue was that the certificate sent by R1 produced a ~2200 byte datagram, fragmented into two packets of 1500 bytes and 700 bytes.

R3 had a bogus MTU[1] configured on its upstream Ethernet interface and was dropping "oversize" frames on ingress.

Eventually I managed to get R3's interface reconfigured, but before that was possible I decided to test by setting ip mtu 1400 on the relevant interfaces of R1 (IOS-XE 16.6.2) and R4 (IOS 15.6M). I expected this configuration to cause both of those routers to fragment their traffic differently (1400 bytes and 800 bytes), and the certificate exchange to survive the trip through R3.

That is not the behavior I observed. A sniffer near R2 still showed 1500 byte packets originated by both R1 and R4 after the change to their interface MTU.

Am I missing something obvious about the ip mtu interface directive and control plane traffic?

[1] Please don't bicker with me about MTU vs. MRU at R3. The device in question only has one lever and it's labeled MTU. Curiously, R3 had no problem transmitting R4's large packets, even with the small MTU configured. The MTU setting seemed to only make a difference in the receive direction. <shrug>
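The fragmentation arithmetic behind the expected 1400/800 split, as an added example that is not part of the original post: an IPv4 fragment calculator that honours the 8-byte fragment-offset alignment and checks whether the resulting pieces fit through a transit hop with a smaller limit. The 2200-byte datagram size and the value used for R3's limit are assumptions; the post gives no exact figures.

```python
"""Added example, not from the original post: how a ~2200 byte ISAKMP datagram
fragments at different egress MTUs, and whether the pieces survive a hop (R3)
that drops frames above some receive limit. Sizes here are constructed."""

IP_HDR = 20  # bytes, IPv4 header without options


def fragment(total_len: int, mtu: int) -> list[dict]:
    """Return the IP fragments a datagram of total_len bytes becomes when sent
    out an interface with the given MTU. Fragment offsets are carried in 8-byte
    units, so every fragment except the last holds a multiple of 8 payload bytes;
    that is why an MTU of 1400 yields a 1396-byte first fragment, not 1400."""
    if total_len <= mtu:
        return [{"size": total_len, "offset": 0, "more": False}]
    payload = total_len - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8  # largest 8-byte aligned payload that fits
    frags, offset = [], 0
    while offset < payload:
        chunk = min(per_frag, payload - offset)
        last = offset + chunk >= payload
        frags.append({"size": IP_HDR + chunk, "offset": offset // 8, "more": not last})
        offset += chunk
    return frags


def survives(frags: list[dict], hop_limit: int) -> bool:
    """True if every fragment is no larger than the limit enforced at a transit hop."""
    return all(f["size"] <= hop_limit for f in frags)


if __name__ == "__main__":
    datagram = 2200   # approximate size of the ISAKMP message carrying R1's certificate
    r3_limit = 1400   # assumed value for R3's bogus MTU; the post does not state it
    for mtu in (1500, 1400):
        frags = fragment(datagram, mtu)
        sizes = [f["size"] for f in frags]
        print(f"egress MTU {mtu}: fragments {sizes}, pass R3? {survives(frags, r3_limit)}")
```

Run against the post's numbers, the 1500 MTU case produces the 1500/720 split that R3 drops, while 1400 produces 1396/824, which would pass; the observed 1500-byte packets after the change are the symptom the post is asking about.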
