Using advanced features
202 Avaya VPNmanager Configuration Guide Release 3.7
As a packet is routed through different networks, it may be necessary for a router to divide the
packet into smaller pieces because it might be too large to transmit as a single packet on a
different network. This may occur at the interfaces of physically different networks.
The MTU of a security gateway passing secure traffic is 1404 bytes, which includes the
additional IPSec information. The MTU of a security gateway passing unprotected traffic is 1514
bytes.
If Path MTU Discovery is running, a security gateway does not convert the following types of
packets into secured traffic, and it uses an ICMP message to ask the source of the packets to
fragment them.
● Packets larger than 1404 bytes
● Packets with the Don’t Fragment Bit set
● Packets being the first fragment in the IP datagram
Following are reasons why you may not want a security gateway to participate in Path MTU:
● A firewall sits between the security gateway and the source of packets needing VPN services. This would prevent the source from receiving security gateway ICMP messages indicating that fragmentation is needed.
● The source of packets needing VPN services does not fragment packets, even when notified by a security gateway ICMP message.
● A router in the network is outdated and will not send an ICMP need fragmentation message, or will not send a message at all.
The symptom of any of these situations would be that a network sniff indicates the security
gateway is sending a fragmentation-needed ICMP message, but the traffic initiator is
retransmitting the original packet.
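The symptom above (the gateway keeps sending ICMP fragmentation-needed, the initiator keeps retransmitting the full-size packet) can be picked out of a capture summary automatically. The following is an added Python example, not part of the Avaya guide: the line format is a constructed, simplified key=value summary of a capture rather than any real tool's output, and the gateway address is an assumption.

```python
"""Spot the Path MTU black-hole symptom (ICMP fragmentation-needed from the
gateway, followed by retransmissions of the original oversized packet) in a
constructed capture summary.

Added example; the key=value line format is constructed for this example
and the gateway address is an assumption."""

from dataclasses import dataclass
from typing import Dict, Iterable

GATEWAY_IP = "10.1.1.1"  # assumed address of the security gateway's inside interface


@dataclass
class Packet:
    t: float
    src: str
    dst: str
    proto: str
    length: int = 0
    df: bool = False
    icmp_type: int = -1
    icmp_code: int = -1
    mtu: int = 0  # next-hop MTU carried in ICMP type 3 code 4 (fragmentation needed)


def parse_line(line: str) -> Packet:
    """Parse one constructed 'key=value key=value ...' capture summary line."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Packet(
        t=float(fields["t"]),
        src=fields["src"],
        dst=fields["dst"],
        proto=fields["proto"],
        length=int(fields.get("len", 0)),
        df=fields.get("df") == "1",
        icmp_type=int(fields.get("type", -1)),
        icmp_code=int(fields.get("code", -1)),
        mtu=int(fields.get("mtu", 0)),
    )


def detect_pmtud_blackhole(lines: Iterable[str], gateway_ip: str = GATEWAY_IP,
                           min_repeats: int = 2) -> Dict[str, int]:
    """Return {source_host: count} for hosts that, after the gateway told them
    to fragment (ICMP type 3 code 4), still sent packets larger than the
    advertised MTU at least min_repeats times."""
    advertised: Dict[str, int] = {}  # host -> MTU the gateway asked it to honour
    oversized: Dict[str, int] = {}
    for line in lines:
        if not line.strip():
            continue
        p = parse_line(line)
        is_frag_needed = (p.proto == "icmp" and p.src == gateway_ip
                          and p.icmp_type == 3 and p.icmp_code == 4)
        if is_frag_needed:
            advertised[p.dst] = p.mtu
        elif p.proto != "icmp" and p.src in advertised and p.length > advertised[p.src]:
            # Sent after the ICMP advice, yet still larger than the advertised MTU.
            oversized[p.src] = oversized.get(p.src, 0) + 1
    return {host: n for host, n in oversized.items() if n >= min_repeats}


# Constructed capture summary: 10.1.1.5 ignores the gateway's advice and keeps
# retransmitting 1500-byte packets; 10.1.1.7 honours it and shrinks to 1404 bytes.
SAMPLE_LOG = """
t=0.000 src=10.1.1.5 dst=10.2.2.9 proto=tcp len=1500 df=1
t=0.001 src=10.1.1.1 dst=10.1.1.5 proto=icmp type=3 code=4 mtu=1404
t=0.250 src=10.1.1.5 dst=10.2.2.9 proto=tcp len=1500 df=1
t=0.750 src=10.1.1.5 dst=10.2.2.9 proto=tcp len=1500 df=1
t=1.000 src=10.1.1.7 dst=10.2.2.9 proto=tcp len=1500 df=1
t=1.001 src=10.1.1.1 dst=10.1.1.7 proto=icmp type=3 code=4 mtu=1404
t=1.100 src=10.1.1.7 dst=10.2.2.9 proto=tcp len=1404 df=1
"""

if __name__ == "__main__":
    print(detect_pmtud_blackhole(SAMPLE_LOG.splitlines()))  # {'10.1.1.5': 2}
```

The threshold of two repeats avoids flagging a single packet that was already in flight when the ICMP message was sent. A real fragmentation-needed message also carries the header of the offending packet, so a parser over genuine captures can key on the original flow rather than, as here, on the source host alone.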
To configure the Path MTU Discovery:
1. From the Device>Contents column, select the security gateway you want to configure.
2. Click the Advanced tab to bring it to the front.
3. From the Properties column, select MTU Path Discovery to display the MTU Path
Discovery values.
4. From the Values list, do the following.
● Select the On radio button to run MTU Path Discovery.
● Select the Off radio button to disable MTU Path Discovery.
5. Enter the Path MTU Timeout value.
The path MTU timeout value is the number of minutes the SG will remember the new MTU
learned for a path. When the timeout expires, the SG will attempt to send the maximum
configured packet size. The default value is 1000. The timeout value 0 means that the path
MTU will never time out.
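The three packet types the gateway declines to secure while Path MTU Discovery is running, and the Path MTU Timeout semantics from step 5, can be modelled together. The following is an added Python example, not Avaya code: the 1404 and 1514 byte MTUs, the default of 1000 minutes and the meaning of 0 come from the text; the assumption that an expired entry falls back to the 1404-byte secure MTU as "the maximum configured packet size" is ours.

```python
"""Model of the security gateway's Path MTU Discovery behaviour as this section
describes it: which packets it answers with ICMP fragmentation-needed instead
of securing, and how long a learned path MTU is remembered.

Added example, not Avaya code. The fallback to SECURE_MTU after a timeout
is an assumption about what 'maximum configured packet size' means."""

from dataclasses import dataclass, field
from typing import Dict, Tuple

SECURE_MTU = 1404         # bytes, MTU for traffic carrying IPSec headers (from the guide)
CLEAR_MTU = 1514          # bytes, MTU for unprotected traffic (from the guide)
NEVER_EXPIRES = 0         # Path MTU Timeout of 0: learned MTU is kept forever
DEFAULT_TIMEOUT_MIN = 1000


def needs_fragmentation_request(length: int, df_set: bool, first_fragment: bool,
                                pmtud_on: bool) -> bool:
    """True when the gateway should reply with ICMP fragmentation-needed instead
    of securing the packet: the three conditions listed in the guide, which
    only apply while Path MTU Discovery is running."""
    if not pmtud_on:
        return False
    return length > SECURE_MTU or df_set or first_fragment


@dataclass
class PathMtuCache:
    """Remembers the MTU learned for each path for timeout_min minutes."""
    timeout_min: int = DEFAULT_TIMEOUT_MIN
    max_packet: int = SECURE_MTU  # assumed size retried once a learned MTU expires
    learned: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # path -> (mtu, learned_at)

    def learn(self, path: str, mtu: int, now_min: float) -> None:
        self.learned[path] = (mtu, now_min)

    def mtu_for(self, path: str, now_min: float) -> int:
        entry = self.learned.get(path)
        if entry is None:
            return self.max_packet
        mtu, learned_at = entry
        if self.timeout_min != NEVER_EXPIRES and now_min - learned_at >= self.timeout_min:
            # Timeout expired: forget the path and try the maximum size again.
            del self.learned[path]
            return self.max_packet
        return mtu


if __name__ == "__main__":
    cache = PathMtuCache(timeout_min=10)
    cache.learn("10.2.2.0/24", 1300, now_min=0)
    print(cache.mtu_for("10.2.2.0/24", now_min=5))   # 1300, still remembered
    print(cache.mtu_for("10.2.2.0/24", now_min=10))  # 1404, entry expired
    print(needs_fragmentation_request(1500, df_set=True, first_fragment=False, pmtud_on=True))  # True
```

Setting the timeout to 0 is the safest choice only when paths are stable; with the default of 1000 minutes the gateway periodically probes the full size again, so a path whose MTU has shrunk will briefly reproduce the black-hole symptom until the new ICMP message is learned.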