Cisco ASA - crypto ipsec df-bit clear-df. [TESTED]

When you build a VPN on a Cisco ASA, make sure that maximum-size packets with the DF bit set still make it through the tunnel; otherwise the ASA drops them once the IPsec overhead pushes them over the MTU. Here is the way to do it:

crypto ipsec df-bit clear-df outside

Before:

Router#ping vrf TEST 1.1.1.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
Router#

“M” in the ping output means “Could not fragment.”: the packet was too big for the tunnel and, with DF set, the ASA could not fragment it.

After:

Router#ping vrf TEST 1.1.1.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
.!!!!
Router#
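As an added illustration (not part of the original post, and not Cisco code), here is a small Python model of what the ASA does with an outbound packet before IPsec encapsulation: it reads the DF flag from the IPv4 header and, with clear-df enabled, clears the flag (and recomputes the header checksum) so an oversize packet is fragmented instead of being dropped with “fragmentation needed”, which is the “M” seen above. The 58-byte ESP overhead and the 1500-byte tunnel MTU are assumed values, and the packets are constructed inline.

```python
import struct

IP_FLAG_DF = 0x4000   # "Don't Fragment" is bit 14 of the flags/fragment-offset field
IPV4_HDR = "!BBHHHBBH4s4s"
ESP_OVERHEAD = 58     # assumed: new IP header + ESP header/IV/trailer/ICV for a typical AES/SHA SA
TUNNEL_MTU = 1500     # assumed MTU of the outside interface


def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones-complement sum over the IPv4 header (even length assumed)."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) + hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload_len: int, df: bool = True,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x01\x01\x01\x01") -> bytes:
    """Construct a minimal IPv4/ICMP packet (constructed sample data, not a capture)."""
    total_len = 20 + payload_len
    fields = [0x45, 0, total_len, 0x1234, IP_FLAG_DF if df else 0, 64, 1, 0, src, dst]
    hdr = struct.pack(IPV4_HDR, *fields)
    fields[7] = ipv4_checksum(hdr)          # fill in the header checksum
    return struct.pack(IPV4_HDR, *fields) + b"\x00" * payload_len


def df_set(pkt: bytes) -> bool:
    return bool(struct.unpack("!H", pkt[6:8])[0] & IP_FLAG_DF)


def checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0   # a correct header sums to zero


def clear_df(pkt: bytes) -> bytes:
    """What 'crypto ipsec df-bit clear-df' does: drop the DF flag and fix the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    flags_frag = struct.unpack("!H", hdr[6:8])[0] & ~IP_FLAG_DF & 0xFFFF
    hdr[6:8] = struct.pack("!H", flags_frag)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def tunnel_decision(pkt: bytes, tunnel_mtu: int = TUNNEL_MTU,
                    esp_overhead: int = ESP_OVERHEAD, clear_df_enabled: bool = False) -> str:
    """Decide what happens to a cleartext packet heading into the IPsec tunnel."""
    if clear_df_enabled:
        pkt = clear_df(pkt)
    if len(pkt) + esp_overhead <= tunnel_mtu:
        return "forward"                    # fits after encapsulation
    if df_set(pkt):
        return "drop:icmp-frag-needed"      # the 'M' in the router's ping output
    return "fragment"                       # DF clear: fragment, peer reassembles


if __name__ == "__main__":
    big = build_ipv4(1480)                  # 1500-byte packet, DF set, like the ping above
    print("default  :", tunnel_decision(big))
    print("clear-df :", tunnel_decision(big, clear_df_enabled=True))
```

The trade-off the model makes visible: clearing DF removes the signal that Path MTU Discovery depends on, so the sending host never learns the real tunnel MTU and the remote peer has to reassemble the post-encryption fragments instead.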

Good luck!
