Chapter 63
Configuring IKE, Load Balancing, and NAC
Note: Changing the MTU or the pre-fragmentation option on any interface tears down all existing connections. For example, if 100 active tunnels terminate on the public interface, and you change the MTU or the pre-fragmentation option on the external interface, all of the active tunnels on the public interface are dropped.

Fields
• Pre-Fragmentation—Shows the current pre-fragmentation configuration for every configured interface.
  – Interface—Shows the name of each configured interface.
  – Pre-Fragmentation Enabled—Shows, for each interface, whether pre-fragmentation is enabled.
  – DF Bit Policy—Shows the DF Bit Policy for each interface.
• Edit—Displays the Edit IPsec Pre-Fragmentation Policy dialog box.

Modes
The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed   Transparent     Single   Multiple: Context   Multiple: System
•        —               •        —                   —

Edit IPsec Pre-Fragmentation Policy
Use this pane to modify an existing IPsec pre-fragmentation policy and do-not-fragment (DF) bit policy for an interface selected on the parent pane, Configuration > VPN > IPsec > Pre-Fragmentation.

Fields
• Interface—Identifies the chosen interface. You cannot change this parameter using this dialog box.
• Enable IPsec pre-fragmentation—Enables or disables IPsec pre-fragmentation. The adaptive security appliance fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on these packets is set, the adaptive security appliance clears the DF bit, fragments the packets, and then encapsulates them. This action creates two independent, non-fragmented IP packets leaving the public interface: each fragment is turned into a complete packet, transmitted to the peer site, and reassembled there.
• DF Bit Setting Policy—Choose the do-not-fragment bit policy: Copy, Clear, or Set.

Modes
The following table shows the modes in which this feature is available:

OL-20339-01
Cisco ASA 5500 Series Configuration Guide using ASDM
Configuring IPsec
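
The pre-fragmentation and DF bit behavior described under "Enable IPsec pre-fragmentation" and "DF Bit Setting Policy", as a simplified Python model added here for illustration; it is not Cisco code. The 56-byte ESP overhead, the comparison against the MTU minus that overhead, and applying the DF policy to the already-cleared inner bit are assumptions of the model.

```python
from dataclasses import dataclass

IP_HEADER = 20      # IPv4 header without options, bytes
ESP_OVERHEAD = 56   # ASSUMED tunnel-mode ESP cost per packet; real value depends on the cipher

@dataclass
class Packet:
    length: int         # total IP length, bytes
    df: bool            # do-not-fragment bit
    offset: int = 0     # fragment offset, bytes
    more: bool = False  # more-fragments flag

def fragment(pkt, limit):
    """Split pkt into IPv4 fragments whose total length is at most limit."""
    payload = pkt.length - IP_HEADER
    chunk = (limit - IP_HEADER) // 8 * 8  # fragment data must be a multiple of 8 bytes
    frags, off = [], 0
    while off < payload:
        size = min(chunk, payload - off)
        frags.append(Packet(IP_HEADER + size, False, off, off + size < payload))
        off += size
    return frags

def outer_df(policy, inner_df):
    """DF bit of the outer header under the Copy, Clear or Set policy."""
    return {"copy": inner_df, "clear": False, "set": True}[policy]

def tunnel(pkt, mtu, prefrag, policy):
    """Return [(outer_length, outer_df)] for the packets leaving the interface."""
    room = mtu - ESP_OVERHEAD  # largest inner packet that still fits after encapsulation
    if prefrag and pkt.length > room:
        inner = fragment(pkt, room)  # DF is cleared on the fragments
    else:
        inner = [pkt]                # encapsulated whole, even if the result exceeds the MTU
    return [(p.length + ESP_OVERHEAD, outer_df(policy, p.df)) for p in inner]

if __name__ == "__main__":
    big = Packet(1500, df=True)  # constructed sample: full-size packet with DF set
    print("pre-frag on :", tunnel(big, 1500, True, "copy"))
    print("pre-frag off:", tunnel(big, 1500, False, "copy"))
```

With pre-fragmentation off, the single encapsulated packet in this model is 1556 bytes, larger than the 1500-byte MTU, so it could only cross the link by being fragmented after encryption.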