12-11-2008 05:51 PM
I heard that there was a program that would test your link and allow you to properly set your MTU for your IPsec VPNs in order to avoid fragmenting packets. Does anyone know what this program is, or how one could test to optimize MTU sizes?
12-11-2008 07:29 PM
I think if you really want a free tool to test the BW, you can try googling for "iperf".
But for the VPN issue, it really depends on the type of VPN configuration you are setting. Based on the encryption, there is a specific amount of overhead we will need to add for the IPSEC header.
With that, you can pretty much calculate the MTU size you should set. In most cases, many customers have tried with 1350 or 1300. With those in general even with vpn overheads there will still be almost no fragmentation.
Hope this helps.
12-11-2008 10:48 PM
You can also use the Windows cmd prompt. Ping across the VPN but with the DF bit set (-f), then specify the size with -l:
ping 188.8.131.52 -f -l 1300
The size you specify here is the ICMP payload size, so
1300 bytes ICMP payload
8 bytes ICMP header
20 bytes IP header
1328 bytes Total (MTU).
Juniper firewalls calculate MTU based on total length specified in IP header.
You can use "get sa stat" on the firewall to see if there are any fragments sent/received.
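
Added example, not part of any post in this thread: the overhead arithmetic the replies describe, carried through for ESP tunnel mode, showing how large an inner packet fits on the link and what `ping -f -l` size probes it. It assumes IPv4 without options, minimal ESP padding and a 1500-byte link MTU; all function and table names are made up for this sketch.

```python
# Added example: ESP tunnel-mode overhead arithmetic (not from the thread).
# Assumptions: IPv4 without options, minimal ESP padding, 1500-byte link MTU.
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}  # name: (IV bytes, block bytes)
AUTHS = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha256-128": 16}  # ICV bytes
OUTER_IP, ESP_HDR, ESP_TRAILER, NAT_T_UDP = 20, 8, 2, 8
IP_HDR, ICMP_HDR = 20, 8


def fixed_overhead(cipher, auth, nat_t=False):
    """Bytes added regardless of payload size: outer IP, ESP header, IV, ICV."""
    iv, _ = CIPHERS[cipher]
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + AUTHS[auth]


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """On-the-wire size of one inner IP packet after encapsulation."""
    _, block = CIPHERS[cipher]
    # Payload plus the 2-byte trailer (pad length, next header) is padded
    # up to a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return fixed_overhead(cipher, auth, nat_t) + padded


def max_inner_packet(link_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet that still fits in link_mtu once encapsulated."""
    _, block = CIPHERS[cipher]
    room = link_mtu - fixed_overhead(cipher, auth, nat_t)
    return room // block * block - ESP_TRAILER


def ping_payload_for(inner_len):
    """Size to give `ping -f -l` so the inner IP packet is inner_len bytes."""
    return inner_len - IP_HDR - ICMP_HDR


if __name__ == "__main__":
    cases = [("aes-cbc", "hmac-sha1-96", False),
             ("3des-cbc", "hmac-sha1-96", False),
             ("aes-cbc", "hmac-sha1-96", True)]
    for cipher, auth, nat_t in cases:
        inner = max_inner_packet(1500, cipher, auth, nat_t)
        print(f"{cipher}/{auth} nat_t={nat_t}: max inner packet {inner}, "
              f"ping -f -l {ping_payload_for(inner)}, "
              f"wire size {esp_packet_size(inner, cipher, auth, nat_t)}")
    # The 1300-byte ping from the thread (1328-byte inner packet):
    print("1328-byte inner packet on the wire:",
          esp_packet_size(1328, "aes-cbc", "hmac-sha1-96"))
```
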