AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

tunnel pathmtu enable

Function

The tunnel pathmtu enable command enables the device to learn the maximum transmission unit (MTU) of packets allowed on an IPSec tunnel.

The undo tunnel pathmtu enable command disables the device from learning the MTU of packets allowed on an IPSec tunnel.

By default, the device cannot learn the MTU of packets allowed on an IPSec tunnel.


Format

tunnel pathmtu enable

undo tunnel pathmtu enable




Views

Tunnel interface view, Tunnel-Template interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the local device sends IPSec packets along an established IPSec tunnel, a packet that is larger than the MTU allowed on the IPSec tunnel is discarded, and the local device receives an ICMP Unreachable packet.

With this command configured, the local device uses the MTU carried in the ICMP Unreachable packet together with the Security Parameter Index (SPI) of the SA, and automatically adjusts the interface MTU to a value that allows IPSec packets to pass.


Prerequisites

This command takes effect only when the encapsulation mode of the tunnel interface has been set to IPSec or GRE using the tunnel-protocol command, or when the destination command has been configured on the tunnel interface.

The Don't Fragment (DF) field of the IPSec tunnel has been set to 1 using the ipsec df-bit set command, indicating that packet fragmentation is not allowed on the IPSec tunnel.


Precautions

If there is a firewall on the network, this command cannot take effect because the firewall blocks ICMP packets.

If devices have the NAT traversal function enabled, this command cannot take effect because the format of IPSec packets has changed after NAT traversal and the devices cannot identify the SPI values of SAs.
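The following Python sketch is an added illustration, not Huawei's implementation or code from this reference. It shows the lookup described above and why NAT traversal defeats it, assuming the ICMP Unreachable packet is the type 3, code 4 (fragmentation needed) message of RFC 1191 and quotes the original IP header plus the first 8 bytes behind it; the addresses, SPI and function names are constructed for the example.

```python
import struct

ESP, UDP = 50, 17   # IP protocol numbers

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header with DF set (checksum left 0 in this sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, bytes(src), bytes(dst))

def frag_needed(next_hop_mtu, quoted):
    """ICMP type 3 code 4: type, code, checksum, unused, next-hop MTU, quoted datagram."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted

def learn_mtu(icmp, sa_table):
    """Return (spi, mtu) when the message maps to a known SA, else None."""
    if len(icmp) < 28:                      # 8-byte ICMP header + 20-byte IP header
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 4:
        return None
    if quoted[9] != ESP:
        return None                         # NAT-T case: a UDP header sits here, not the SPI
    spi = struct.unpack("!I", quoted[ihl:ihl + 4])[0]
    return (spi, mtu) if spi in sa_table else None

# Constructed sample data (documentation addresses, made-up SPI).
SA_TABLE = {0x1A2B3C4D}
LOCAL, PEER = (192, 0, 2, 1), (198, 51, 100, 1)
PLAIN_ESP = frag_needed(1400, ipv4_header(ESP, LOCAL, PEER, 1480)
                        + struct.pack("!II", 0x1A2B3C4D, 7))      # SPI, sequence number
NAT_T = frag_needed(1400, ipv4_header(UDP, LOCAL, PEER, 1480)
                    + struct.pack("!HHHH", 4500, 4500, 1480, 0))  # UDP header only

if __name__ == "__main__":
    print("plain ESP:", learn_mtu(PLAIN_ESP, SA_TABLE))
    print("NAT-T    :", learn_mtu(NAT_T, SA_TABLE))
```

Matching the quoted SPI against the local SA table also means an ICMP message that does not correspond to an existing SA is ignored rather than used to change the interface MTU.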


Example

# Enable the device to learn the MTU allowed on an IPSec tunnel on a virtual tunnel interface.

<Huawei> system-view
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol ipsec
[Huawei-Tunnel0/0/1] tunnel pathmtu enable

Updated: 2019-05-29

Document ID: EDOC1000097293
