topic Re: MSS clamping IPSEC tunnel -ASA in Network Security

MSS clamping IPSEC tunnel -ASA

Kevin Michael Pratt — Tue, 17 Jan 2023 15:04:35 GMT

Hello Community,

We have a number of ipsec tunnels on our ASA 5545 running software version 9.6.

We have deployed a cloud based DDOS solution using GRE tunnels for any inbound traffic ingressing into the network via the internet upstream of the ASAs. Hence the ASAs are downstream of our internet routers (ASR platform) that have traffic ingressing into them via the GRE tunnels from the DDOS provider. The physical connections to the ISP already have the TCP MSS adjust value configured.

The vendor also recommends configuring MSS values at the IPsec tunnels. here is their recommendation :

If you are using IPsec inside GRE, set the MSS clamp at the IPsec tunnel interface and subtract 24 bytes from your current MSS value, which may be 1360 bytes or lower. This is because the physical interface will see IPsec-encrypted packets, not TCP packets, and MSS clamping will not apply to those.

A few questions regarding this:

What or is there a command that could be run on the ASA to see the current MSS value of the IPSEC tunnels?

Since our existing IPsec tunnels are up and passing traffic, will changing the MSS value cause an impact to traffic ?

Is there any links that show the proper configuration changes to make in order to adjust the MSS value for IPsec on an ASA?

Thanks in advance!

Re: MSS clamping IPSEC tunnel -ASA

MHM Cisco World — Tue, 17 Jan 2023 18:09:57 GMT

ciscoasa(config)# show crypto ipsec sa
interface: outside2
    Crypto map tag: def, local addr: 10.132.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
      local ident (addr/mask/prot/port): (::/0/0/0)
      remote ident (addr/mask/prot/port): (3000::1/128/0/0)
      current_peer: 172.20.0.21
      dynamic allocated peer ip: 10.135.1.5
      dynamic allocated peer ip(ipv6): 3000::1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
      #PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Transport, Manual key, (OSPFv3), }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 548
         IV size: 8 bytes
         replay detection support: Y

Re: MSS clamping IPSEC tunnel -ASA

Kevin Michael Pratt — Tue, 17 Jan 2023 18:38:55 GMT

@MHM Cisco World Thanks very much for the quick reply!

Could you please elaborate on the below, i looked at an existing connection on an ASA and noticed the following

path mtu 1500, ipsec overhead 74(44), media mtu 1500

Am i reading it correctly that the tunnel is using 74 bytes overhead? What is the meaning of the number in parenthesis - (44)?

Found the below link - https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-mtu.html which states by default ASA is using an MSS value of 1380, and that the necessary configuration to modify the MSS value would be the command "sysopt connection tcpmss 1356" say if we wanted to change the MSS from 1380 to 1356. Am i on the correct path?

I am assuming that making the change will cause the tunnels to bounce correct?

Re: MSS clamping IPSEC tunnel -ASA

MHM Cisco World — Tue, 17 Jan 2023 18:42:56 GMT

I will run lab and config L2L VPN between two ASA and show the MTU values appear for each case I will test.

Re: MSS clamping IPSEC tunnel -ASA

Kevin Michael Pratt — Wed, 18 Jan 2023 18:44:55 GMT

@MHM Cisco World I know your busy, curious if any progress was made with the lab for the L2L VPN and the different MSS/MTU scenarios? We are looking to complete implementation of this in the next two weeks and want to ensure that we have the steps correct. Appreciate your help with this.

Re: MSS clamping IPSEC tunnel -ASA

MHM Cisco World — Wed, 18 Jan 2023 20:43:51 GMT

in ASA
show crypto ipsec sa
give us some info. about the MTU use in IPsec and overhead,
let start
show crypto ipsec sa <<- without change the config of ASA OUT interface, so it default equal to media mtu = 1500

I change the MTU for ASA OUT interface to be 1450,
now the path MTU will be 1450 BUT the media MTU still default equal to 1500 (media here is ethernet).

show crypto ipsec sa <<- also show us overhead, overhead is depend on the transform set you config
the show crypto ipsec sa also show us what transform set we use in VPN, here in my lab I use

esp-ase-256 esp-sha-hmac

but he we can calculate it,
the cisco have nice online calculator, you can use it to count the IPsec overhead (note it within range +- 4 bytes) but it very helpful
IPsec Overhead Calculator (cisco.com)

Re: MSS clamping IPSEC tunnel -ASA

Kevin Michael Pratt — Wed, 18 Jan 2023 22:38:42 GMT

@MHM Cisco World This is very helpful. Thank you!! I believe the approach will be to make the MSS change from 1380 to 1356 using

"sysopt connection tcpmss 1356" and then check the status of the l2l tunnels using "show crypto ipsec sa" and associated commands.

Are there any show commands that will show the default MSS is now changed or just check the running config?

Changing the MSS value will not require us to reload the FW correct?

Re: MSS clamping IPSEC tunnel -ASA

Kevin Michael Pratt — Fri, 20 Jan 2023 18:35:44 GMT

@MHM Cisco World Any update regarding the following? Again thank you for your research and quick help!

Are there any show commands that will show the default MSS is now changed or just check the running config?

Changing the MSS value will not require us to reload the FW correct?

Re: MSS clamping IPSEC tunnel -ASA

MHM Cisco World — Sat, 21 Jan 2023 19:59:54 GMT

if you change the TCP MSS with
sysopt connection tcpmss 1356 <<-
you can see the new value via
show run all sysopt

for the need if reload the ASA FW after change the TCP MSS, I run lab as you can see I change the TCP MSS to be 450 and I dont need to reload, the new tcp value was set to 450, automatic.

Re: MSS clamping IPSEC tunnel -ASA

Kevin Michael Pratt — Wed, 01 Feb 2023 17:24:08 GMT

@MHM Cisco World I am sorry that I did not respond sooner to this, Thank You very much for your diligent work! This is very helpful.

Re: MSS clamping IPSEC tunnel -ASA

MHM Cisco World — Wed, 01 Feb 2023 17:25:07 GMT

You are so so welcome