On Feb 13, 2008 3:51 AM, Michael Stecher <Michael dot Stecher at cib dot de> wrote:
> we've got a running IPSec tunnel between two locations. Now we've got the problem that some
> packets get lost. We've changed the mtu on a client PC to 1400 and everything works fine.
> Now my question: Is it possible to change the mtu-size (or the mss-value) of the tunnel?
> More detailed information is described here: http://forum.m0n0.ch/index.php/topic,1630.0.html
I had the same MTU problem with an IPSEC tunnel a few years ago. Both
were on cable and I checked with the ISP but they told me they saw no
problems. I ended up setting up tunnels from both sites (I'll call
them A and B) to a third location known to be working with IPSEC VPN
to track down the problem. From site A to the third site, the tunnel
worked perfectly at any packet size. From site B to the third site I
saw the same MTU problem with large packets lost on the VPN. I went
back to the ISP with this information and they found out that the
cable modem at site B had known problems with IPSEC. They replaced it
with the same model that we had at site A (Cisco UBR900) and then the
MTU problem went away and the tunnel worked great.
Maybe this is relevant to your problem, maybe not, but I did see you
mentioned some type of modem at your remote site. Creating tunnels to
a third site might be a useful test and if it turns up similar results
you might check that modem or swap it out.