Cisco ASA MTU Range

Started by icecream-guy, October 25, 2021, 01:06:46 PM


icecream-guy


TIL, ASA interface MTU has limitations in some code versions, not sure why.

Code version   MTU Range
9.1.7.16       64 - 9198
9.6.3.9        64 - 9198
9.6.3.12       64 - 9198
9.6.4.3        64 - 9198
9.7.1.4        64 - 9198
9.8.2          64 - 9198
9.8.4.32       64 - 9198
9.10.1.37      64 - 9198
9.12.2         64 - 9198
9.12.3.12      64 - 9184
9.12.4.4       64 - 9198
9.12.4.7       64 - 9184
9.12.4.29      64 - 9198
9.13.1.12      64 - 9184


Maybe I'll have to open a TAC case.
:professorcat:

My Moral Fibers have been cut.

Otanx

That is weird. 4 bytes makes my first guess something with 802.1q tags.

-Otanx

deanwebb

It goes up and down, like somebody keeps reintroducing code from an old version over and over.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

TAC had no answers. They just said to settle on the same version of code for all devices that have the same MTU feature.

deanwebb

Quote from: icecream-guy on October 28, 2021, 07:54:50 AM
TAC had no answers. They just said to settle on the same version of code for all devices that have the same MTU feature.


"We need the latest security update patch!"
"No! That will mess up our MTUs!"

icecream-guy

Quote from: deanwebb on October 28, 2021, 09:47:32 AM
Quote from: icecream-guy on October 28, 2021, 07:54:50 AM
TAC had no answers. They just said to settle on the same version of code for all devices that have the same MTU feature.


"We need the latest security update patch!"
"No! That will mess up our MTUs!"

WHA? The downstream MTUs need to be smaller than the upstream MTUs, that way the data fits down the hole....
like a funnel.

deanwebb

Quote from: icecream-guy on October 28, 2021, 09:48:50 PM
Quote from: deanwebb on October 28, 2021, 09:47:32 AM
Quote from: icecream-guy on October 28, 2021, 07:54:50 AM
TAC had no answers. They just said to settle on the same version of code for all devices that have the same MTU feature.


"We need the latest security update patch!"
"No! That will mess up our MTUs!"

WHA? The downstream MTUs need to be smaller than the upstream MTUs, that way the data fits down the hole....
like a funnel.



Jumbo frames to the edge, baby!

Wait, why are all my OSPF adjacencies screwed up?

icecream-guy

The MTU setting is driven by the hardware platform:




Dieselboy

Quote from: deanwebb on October 25, 2021, 07:17:16 PM
It goes up and down, like somebody keeps reintroducing code from an old version over and over.

That's what they do, that's how they get bug regression. It highlights poor coding practices. Don't have high expectations that they will fix it.

What's the reason for MTU above 1500?

icecream-guy

:professorcat:

My Moral Fibers have been cut.

Dieselboy

Quote from: icecream-guy on November 12, 2021, 07:12:36 AM
Quote from: Dieselboy on November 12, 2021, 12:30:16 AM

What's the reason for MTU above 1500?

uh, jumbo frames
:twitch:

That's not the reason, that's the technology.

Running storage through the ASA or something?  :twitch:  :XD:

deanwebb

So, is there any real need for jumbo frames any more? I've read more than a few articles about how they should go away since they don't give that much more benefit and only serve to screw things up, kind of like daylight savings time.

Otanx

The real need is to not have arguments with storage vendors. I used to fight it, and now we just set it up. I make sure all our infrastructure links support at least 9100, and let the server guys all set to 9000, which makes them happy. For us, we do have some storage running through the firewall. Storage arrays get put where they are used the most, typically with the hypervisors. Occasionally there is a requirement for some random server to have an iSCSI attachment. Instead of dual homing those, we make them go through the firewall.

-Otanx