Appendix B Site-to-Site VPN User Interface Reference
Site to Site VPN Policies
B-52
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
DF Bit
Supported on Cisco IOS routers, Catalyst 6500/7600 devices,
PIX 7.0 and ASA devices.
A Don't Fragment (DF) bit within an IP header determines whether
a device is allowed to fragment a packet. For more information, see
Understanding Fragmentation, page 9-72.
Select the required setting for the DF bit:
Copy—To copy the DF bit from the encapsulated header in the
current packet to all the device’s packets. If the packet’s DF bit
is set to fragment, all future packets will be fragmented. This is
the default option.
Set—To set the DF bit in the packet you are sending. A large
packet that exceeds the MTU will be dropped and an ICMP
message sent to the packet’s initiator.
Clear—If you want the device to fragment packets regardless
of the original DF bit setting. If ICMP is blocked, MTU
discovery will fail and packets will only be fragmented after
encryption.
Enable Fragmentation Before Encryption
Supported on Cisco IOS routers, Catalyst 6500/7600 devices,
PIX 7.0 and ASA devices.
When selected, enables fragmentation to occur before encryption, if
the expected packet size exceeds the MTU.
Lookahead Fragmentation (LAF) is used before encryption takes
place to calculate the packet size that would result after encryption,
depending on the transform sets configured on the IPSec SA. If the
packet size exceeds the specified MTU, the packet will be
fragmented before encryption.
Enable Notification on Disconnection
Supported on PIX 7.0 and ASA devices.
When selected, enables the device to notify qualified peers of
sessions that are about to be disconnected. The peer receiving the
alert decodes the reason and displays it in the event log or in a
pop-up panel. This feature is disabled by default.
Table B-18 VPN Global Settings Page > General Settings Tab (continued)
Element Description
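The lookahead size check described under Enable Fragmentation Before Encryption, as an added example (not code from this guide or from any Cisco product). It is a simplified model that assumes ESP tunnel mode over IPv4 with no IP options, NAT-T or GRE, CBC ciphers and 96-bit HMACs; the function names are hypothetical.

```python
# Simplified model of the lookahead size check (added example, not Cisco code).
# Assumes ESP tunnel mode, IPv4 outer header without options, no NAT-T or GRE.
OUTER_IP = 20          # new IPv4 header added by tunnel mode
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1), encrypted with payload
INNER_IP = 20          # assumed inner IPv4 header length (no options)

# Cipher block size; CBC ciphers also carry an IV of one block.
CIPHER_BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}
# Truncated HMAC output (ICV) appended after the ciphertext.
AUTH_ICV = {None: 0, "esp-md5-hmac": 12, "esp-sha-hmac": 12}


def esp_tunnel_size(inner_len, cipher, auth=None):
    """Size on the wire after ESP tunnel-mode encapsulation of an inner packet."""
    block = CIPHER_BLOCK[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # round up to block
    return OUTER_IP + ESP_HEADER + block + padded + AUTH_ICV[auth]


def max_inner_len(mtu, cipher, auth=None):
    """Largest inner packet whose encrypted form still fits in the MTU."""
    block = CIPHER_BLOCK[cipher]
    room = mtu - OUTER_IP - ESP_HEADER - block - AUTH_ICV[auth]
    return room // block * block - ESP_TRAILER


def prefragment(inner_len, mtu, cipher, auth=None):
    """Return inner fragment lengths so that each encrypts to <= mtu."""
    if esp_tunnel_size(inner_len, cipher, auth) <= mtu:
        return [inner_len]                      # fits, no fragmentation needed
    # Non-final IP fragments must carry a multiple of 8 payload bytes.
    chunk = (max_inner_len(mtu, cipher, auth) - INNER_IP) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small for this transform set")
    payload, frags = inner_len - INNER_IP, []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(INNER_IP + take)
        payload -= take
    return frags


if __name__ == "__main__":
    for cipher in CIPHER_BLOCK:
        frags = prefragment(1500, 1500, cipher, "esp-sha-hmac")
        sizes = [esp_tunnel_size(f, cipher, "esp-sha-hmac") for f in frags]
        print(cipher, max_inner_len(1500, cipher, "esp-sha-hmac"), frags, sizes)
```

The same arithmetic gives the largest inner packet that avoids fragmentation for a transform set, which is the value to compare against the path MTU when ICMP is blocked and MTU discovery cannot be relied on.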