https://community.cisco.com/t5/network-security/msb-client-vpn-issue/m-p/1253756#M857945 <HTML><HEAD></HEAD><BODY><P>got the solution from another co-worker so sharing:</P><P></P><P>The "bigmss (MTU) fixup" is used when VPN is not connecting from hosts behind a MSB firewall. Symptoms are:</P><P></P><P>- no ISAKMP return traffic seen by the client</P><P>- the "test" rule allowing ISAKMP inbound increments, indicating the return traffic made it to the firewall outside interface</P><P>- no login prompt (popup window)</P><P></P><P>To resolve do the below in sequence and when complete have the connection tested. The VPN login prompt (popup window) should now be seen. This works with many to one NAT or one to one NAT</P><P></P><P>1) acl for fixup</P><P>access-list tcp_norm line 5 extended permit tcp any any </P><P></P><P>2) class maps</P><P>parameter-map type connection TCPMAP</P><P> exceed-mss allow</P><P> exit</P><P></P><P>class-map match-all cmTCPNORM</P><P> 2 match access-list tcp_norm</P><P> exit</P><P></P><P>3) policy map</P><P>policy-map multi-match bigmss</P><P> class cmTCPNORM</P><P> connection advanced-options TCPMAP</P><P> exit</P><P> exit</P><P></P><P>4) apply the policy map to both the external and internal interfaces</P><P>interface internal</P><P> service-policy input bigmss</P><P>exit</P><P>interface external</P><P> service-policy input bigmss</P><P>exit</P><P>exit</P><P></P><P>Ensure you save the policy</P><P></P></BODY></HTML> Wed, 30 Sep 2009 21:15:20 GMT 5creedus 2009-09-30T21:15:20Z https://community.cisco.com/t5/network-security/msb-client-vpn-issue/m-p/1253755#M857944 <P>customer unable to connect to vpn endpoint when going through a MSB. </P><P></P><P>He changes the gateway on the host to use the ASA as the exit point and has no problems.</P><P></P><P>The endpoint is reachable from either the MSB or ASA.</P><P></P><P>Any know issues with MSB and Cisco client VPN.</P> Mon, 11 Mar 2019 16:21:33 GMT https://community.cisco.com/t5/network-security/msb-client-vpn-issue/m-p/1253755#M857944 5creedus 2019-03-11T16:21:33Z https://community.cisco.com/t5/network-security/msb-client-vpn-issue/m-p/1253756#M857945 <HTML><HEAD></HEAD><BODY><P>got the solution from another co-worker so sharing:</P><P></P><P>The "bigmss (MTU) fixup" is used when VPN is not connecting from hosts behind a MSB firewall. Symptoms are:</P><P></P><P>- no ISAKMP return traffic seen by the client</P><P>- the "test" rule allowing ISAKMP inbound increments, indicating the return traffic made it to the firewall outside interface</P><P>- no login prompt (popup window)</P><P></P><P>To resolve do the below in sequence and when complete have the connection tested. The VPN login prompt (popup window) should now be seen. This works with many to one NAT or one to one NAT</P><P></P><P>1) acl for fixup</P><P>access-list tcp_norm line 5 extended permit tcp any any </P><P></P><P>2) class maps</P><P>parameter-map type connection TCPMAP</P><P> exceed-mss allow</P><P> exit</P><P></P><P>class-map match-all cmTCPNORM</P><P> 2 match access-list tcp_norm</P><P> exit</P><P></P><P>3) policy map</P><P>policy-map multi-match bigmss</P><P> class cmTCPNORM</P><P> connection advanced-options TCPMAP</P><P> exit</P><P> exit</P><P></P><P>4) apply the policy map to both the external and internal interfaces</P><P>interface internal</P><P> service-policy input bigmss</P><P>exit</P><P>interface external</P><P> service-policy input bigmss</P><P>exit</P><P>exit</P><P></P><P>Ensure you save the policy</P><P></P></BODY></HTML> Wed, 30 Sep 2009 21:15:20 GMT https://community.cisco.com/t5/network-security/msb-client-vpn-issue/m-p/1253756#M857945 5creedus 2009-09-30T21:15:20Z