Device Advanced
Issue 4 May 2005 203
6. In the Fragmentation Control for Encapsulated VPN Traffic area, select the appropriate
Do Not Fragment (DF) bit property.
Note: If the DF bit is set in the IP header, the packet will not be fragmented further down
the network path.
Copy DF bit from the source packet. If this property is selected, the DF bit from the
source IP header is copied to the VPN traffic. When Path MTU is enabled (On), copying the
DF bit from the source packet is the default behavior. When Path MTU is disabled (Off),
copying the DF bit from the source packet is a configurable behavior.
Set DF bit. If this property is selected, the DF bit for the VPN traffic is always ON. When
Path MTU is disabled (Off), the Set DF bit property is a configurable behavior.
Clear DF bit. If this property is selected, the DF bit for the VPN traffic is always OFF.
When Path MTU is disabled (Off), the Clear DF bit property is a configurable behavior.
7. When finished, click Save.
8. When you want to send the configuration to one or more VSUs, click Update Devices.
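The following added example (not Avaya code) models what the three DF bit properties above mean for an encapsulated packet once it meets a link whose MTU is smaller than the tunnel packet: with DF on the router must drop and signal Fragmentation Needed, with DF off it fragments. The tunnel overhead (ESP_OVERHEAD) and the 1500-byte link MTU are assumed values.

```python
from dataclasses import dataclass
from enum import Enum

class DfPolicy(Enum):
    COPY = "copy"    # Copy DF bit from the source packet
    SET = "set"      # Set DF bit: outer DF always ON
    CLEAR = "clear"  # Clear DF bit: outer DF always OFF

IP_HEADER = 20     # IPv4 header without options
ESP_OVERHEAD = 58  # assumed value: outer IP header plus ESP header, IV, padding and trailer

@dataclass
class Packet:
    length: int  # total length in bytes, IP header included
    df: bool     # Do Not Fragment flag

def outer_df(policy: DfPolicy, inner_df: bool) -> bool:
    """DF bit written into the outer (tunnel) IP header under each property."""
    if policy is DfPolicy.COPY:
        return inner_df
    return policy is DfPolicy.SET

def encapsulate(inner: Packet, policy: DfPolicy) -> Packet:
    """Wrap a source packet in the tunnel header; overhead is the assumed constant."""
    return Packet(inner.length + ESP_OVERHEAD, outer_df(policy, inner.df))

def forward(pkt: Packet, link_mtu: int):
    """What a router on the path does with pkt: (action, packets sent onward)."""
    if pkt.length <= link_mtu:
        return "forward", [pkt]
    if pkt.df:
        # DF set and too big: the router drops it and returns ICMP Fragmentation
        # Needed, which is the signal Path MTU discovery relies on.
        return "drop", []
    # DF clear: the router fragments; each fragment except the last carries a
    # payload that is a multiple of 8 bytes.
    per_frag = (link_mtu - IP_HEADER) // 8 * 8
    payload = pkt.length - IP_HEADER
    frags = []
    while payload > 0:
        chunk = min(per_frag, payload)
        frags.append(Packet(IP_HEADER + chunk, False))
        payload -= chunk
    return "fragment", frags

def simulate(inner_len: int, inner_df: bool, policy: DfPolicy, link_mtu: int = 1500):
    """Outcome for one source packet after encapsulation: (action, packet count)."""
    action, out = forward(encapsulate(Packet(inner_len, inner_df), policy), link_mtu)
    return action, len(out)
```

For a full-size 1500-byte source packet with DF set, Copy and Set both end in a drop at the 1500-byte link, whereas Clear produces two fragments that the far security gateway must reassemble before it can decrypt.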
NAT Traversal
Configurable NAT traversal is available for VPNos 4.31 and later.
Note: For VPNos 3.2, NAT Traversal is enabled by default. You cannot change or
disable it.
When a NAT device exists in a network path between security gateways that are part of a VPN,
NAT Traversal allows the VPN traffic to successfully pass from one device to the other. By
default, NAT traversal is enabled.
You can do the following:
Disable NAT traversal. Avaya recommends that you do not disable NAT traversal even if no
NAT device exists in the network path between the two VPN peers.
Set the value for KeepAlive. The time configured here is used when the security gateway
is in the private network of a NAT device. The security gateway behind the NAT device
sends a keep alive packet to reserve the dynamic source port. The default is 20 seconds.
Because NAT devices can clear port assignments after a period of inactivity, a VPN session
that is still open may be broken. When a new packet arrives after a certain period of
inactivity, a NAT device can assign a new dynamic source port for the packet, which causes
the VPN connection to fail. To avoid this problem, keep alive packets are sent from the VPN
peer that is behind the NAT device.