In a site-to-site VPN tunnel, packets exceeding the MTU of 1500 are getting dropped. How will you fix it?

Packets that come in with the DF bit set and, once encrypted, exceed the 1500 MTU size limitation get dropped. There are two ways to overcome this issue:

1) DF bit override using the command
You can use the command 'crypto ipsec df-bit clear' to override the DF bit setting in the packet.

2) DF bit override using the route map

Here 145 is the access-list number.


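! ACL selecting the traffic whose DF bit should be cleared
access-list 145 permit ip any any

! Route map that clears the DF bit on packets matching ACL 145
route-map clear_df permit 10
match ip address 145
set ip df 0

! Apply the route map as policy routing on the LAN-facing interface
interface lan_interface_name
ip policy route-map clear_df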
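
The size arithmetic behind the drop, as an added example that is not part of the original page: it computes how large a packet becomes after ESP tunnel-mode encapsulation and what happens to it with and without a DF override. The overhead figures assume IPv4 with no options, AES-CBC and HMAC-SHA1-96, and no NAT-T; other transforms give different numbers, and the function names are illustrative.

```python
"""Added example: ESP tunnel-mode size arithmetic (assumed AES-CBC + HMAC-SHA1-96)."""

OUTER_IP = 20     # new outer IPv4 header, no options (assumption)
ESP_HEADER = 8    # SPI + sequence number
IV_LEN = 16       # AES-CBC initialization vector (assumption)
BLOCK = 16        # AES block size; the ESP payload is padded to a multiple of it
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV_LEN = 12      # HMAC-SHA1-96 integrity check value (assumption)
LINK_MTU = 1500
FIXED = OUTER_IP + ESP_HEADER + IV_LEN + ICV_LEN


def encrypted_size(inner_len):
    """Size on the wire of an inner IP packet after ESP tunnel encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK  # round up to a block
    return FIXED + padded


def max_inner_size(mtu=LINK_MTU):
    """Largest inner packet that still fits in the MTU after encryption."""
    room = mtu - FIXED
    return (room // BLOCK) * BLOCK - ESP_TRAILER


def outcome(inner_len, df_set, df_cleared, mtu=LINK_MTU):
    """What happens to the packet; df_cleared models either DF override above."""
    if encrypted_size(inner_len) <= mtu:
        return "forwarded"
    if df_set and not df_cleared:
        return "dropped"      # too big after encryption and may not be fragmented
    return "fragmented"       # DF is 0, so fragmentation is allowed


if __name__ == "__main__":
    print("largest inner packet that fits:", max_inner_size())
    for size in (1400, 1438, 1439, 1500):  # constructed sample sizes
        print(size, "->", encrypted_size(size), "bytes |",
              "DF set:", outcome(size, True, False), "|",
              "DF cleared:", outcome(size, True, True))
```
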