When a wide area network uses a VPN, additional overhead will cause packet fragmentation that can slow the network down and cause Microsoft Active Directory to grind to a halt. You can use Ping.exe and the [x+28=MTU] rule to determine the effective MTU that should be configured on the Cisco Router. MTU is the Maximum Transmittal Unit packet size. For this exercise [10.1.1.1] is the remote IP of another Microsoft box that we are going to test pings to.
1. From a Microsoft box, ping 10.1.1.1 – to make sure it is up across the VPN.
2. ping 10.1.1.1 -f -l 1473 This will show you what a failed fragment ping looks like. 1473+28=1501 which automatically gets fragmented because it is greater than 1500, the default MTU.
3. Ping 10.1.1.1 -f -l 1449 This failed for me, meaning an MTU of 1449+28=1477 wasn’t small enough.
4. Ping 10.1.1.1 -f -l 1448 This pinged successfully for me, meaning an MTU of 1448+28=1476 didn’t get fragmented – which is good. I’m looking for the largest number I can get that doesn’t fail. Now I know what MTU to configure on my VPN routers – 1476.
5. Now go to the Cisco router configuration terminal mode for the VPN interface and add the line “ip mtu 1476” or whatever number you come up with in the last step. You shouldn’t have to add the line to the Ethernet interfaces because that would squelch all of the traffic, even browser traffic that doesn’t use the VPN.
When you hold down the MTU anywhere along the line of the router path, the routers will advertise the smallest MTU as part of the TCP/UDP negotiation process. You’d think MTU discovery would be automatic, but it is only half-automatic. Still this is better than using Regedit on every computer to tweek the MTU downward.