Cisco Email Security Appliance

Decrease MTU on the Cisco ESA

Document ID: 117962

Updated: Jul 16, 2014

Contributed by Valter Pereira da Costa, Cisco TAC Engineer.

Introduction

This document describes how to decrease the MTU on the Cisco ESA when the appliance cannot communicate with certain domains.

Prerequisites

Cisco recommends that you have knowledge of these topics:

  • Cisco Email Security Appliances (ESA)
  • All versions of AsyncOS

Background

Path Maximum Transmission Unit (MTU) discovery relies on Internet Control Message Protocol (ICMP) to determine the optimal MTU size. If a firewall blocks the ICMP path discovery packets, the ICMP "can't fragment" errors cannot get back to the source host. The host therefore never learns that the packets it sends are too large: it keeps retransmitting the same large packet, which keeps being dropped silently, invisible to any system on the other side of the filter.

Configure

ICMP is an integral part of the Internet and cannot be filtered without due consideration of the effects. Many packet filters allow you to configure rules that pass only certain types of ICMP messages. If you reconfigure them to let ICMP "can't fragment" messages (Destination Unreachable, type 3, code 4) through, the problem should be solved.
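As an added illustration that is not part of the Cisco document, the Python below builds and parses the ICMP Destination Unreachable / Fragmentation Needed message (type 3, code 4) that a packet filter must pass back to the sender for path MTU discovery to work, and shows the filter decision a defender wants; the embedded IP header bytes are constructed, not captured traffic.

```python
"""Build, verify and classify ICMP type 3 / code 4 ("can't fragment") messages.
Constructed sample data only; added example, not Cisco ESA code."""
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4

# Constructed 20-byte IPv4 header (1500-byte datagram, DF set, TCP) plus the
# first 8 bytes of its payload, as a router would quote them back to the sender.
SAMPLE_ORIGINAL = bytes.fromhex("450005dc00004000400600000a0000010a000002") + b"\x00" * 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest_of_header: int, body: bytes) -> bytes:
    """Generic ICMP message: type, code, checksum, 32-bit rest-of-header, body."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, rest_of_header) + body
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """RFC 1191 layout: the low 16 bits of rest-of-header carry the next-hop MTU."""
    return build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, next_hop_mtu & 0xFFFF, original)


def parse_icmp(msg: bytes) -> dict:
    """Return type, code and (for type 3 code 4) the next-hop MTU the sender must adopt."""
    if len(msg) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(msg) != 0:  # a valid message sums to zero including its checksum
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    is_frag_needed = (icmp_type, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)
    return {"type": icmp_type, "code": code, "next_hop_mtu": mtu if is_frag_needed else None}


def firewall_permits(msg: bytes) -> bool:
    """Minimal policy that keeps PMTUD working: pass fragmentation-needed messages
    inbound; every other ICMP type stays subject to the site's own filter rules."""
    parsed = parse_icmp(msg)
    return (parsed["type"], parsed["code"]) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)
```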

To test whether the MTU is the cause of the problem, you can change the MTU with this CLI command:

CLI: etherconfig -> MTU

The default MTU size on the ESA interface is 1500; you can set a lower value and check whether this solves the issue. Consider this a temporary workaround only; the better solution is to activate or unblock path MTU discovery on the firewall.

The root cause should be fixed by allowing path discovery with ICMP on the firewall. Lowering the MTU on the ESA means it no longer sends packets large enough to cause problems; however, the root cause remains.