05-14-2008 07:48 AM
Hello,
We have some VPN customers complaining about accessing SAP via the CSM. Direct access to the servers works fine. Based on the situation we think that the CSM is not passing on ICMP Unreachables (RFC 792) from the firewalls to the servers so that MSS can be lowered.
I think the variable DEST_UNREACHABLE_MASK can help solve this issue but I don't know how to use it to allow ICMP Unreachables to the servers.
Thanks,
Murtaza
05-15-2008 04:42 AM
By default the CSM does allow all unreachable messages.
This is what you should see :
gdufour-cat6k-2#sho mod csm 3 var | i DEST
DEST_UNREACHABLE_MASK 0xffff
If you do not have 0xffff, then it means you changed the default and should reset back to the default.
Regarding your primary issue, I would recommend a sniffer trace of the CSM portchannel and see why the VPN connection fails.
Gilles.
05-21-2008 07:05 AM
We took a trace and it looks like the CSM is not forwarding the ICMP unreachable to the backend system. I have checked the mask and it looks ok on the device.
-M
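An added example, not part of the original posts: one way to check a pair of traces for the symptom described above is to decode each ICMP type 3 code 4 (fragmentation needed) message and list those seen on the firewall side that never appear on the server side. It assumes each capture is a list of raw IPv4 packets with the link header stripped and reads the next-hop MTU field defined in RFC 1191; all addresses and ports are constructed sample values.

```python
import socket
import struct

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left 0) around payload; for sample data only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def sample(outer_src, outer_dst, mtu, inner_src, client, sport, cport):
    """Constructed ICMP type 3 code 4 quoting a server-to-client TCP segment."""
    quoted = ipv4(inner_src, client, 6, struct.pack("!HHI", sport, cport, 1000))
    return ipv4(outer_src, outer_dst, 1, struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted)

def parse_frag_needed(pkt):
    """Return ((client_ip, client_port), next_hop_mtu, mss) or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    quoted = pkt[ihl + 8:]
    if (icmp_type, code) != (3, 4) or len(quoted) < 20 or quoted[9] != 6:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 4:
        return None
    _sport, cport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    # Key on the client endpoint: the server-side address may be rewritten
    # (VIP vs. real server) between the two capture points.
    client = (socket.inet_ntoa(quoted[16:20]), cport)
    return client, mtu, mtu - 40  # MSS = MTU - 20 (IPv4) - 20 (TCP), no options

def not_forwarded(front, back):
    """Frag-needed messages seen on the firewall side but not on the server side."""
    seen = {r[:2] for r in map(parse_frag_needed, back) if r}
    return [r for r in map(parse_frag_needed, front) if r and r[:2] not in seen]

# Constructed sample captures (documentation addresses, not from the thread).
FRONT = [sample("192.0.2.1", "192.0.2.80", 1400, "192.0.2.80", "198.51.100.20", 3200, 51000),
         sample("192.0.2.1", "192.0.2.80", 1400, "192.0.2.80", "198.51.100.21", 3200, 51001)]
BACK = [sample("192.0.2.1", "10.0.0.10", 1400, "10.0.0.10", "198.51.100.21", 3200, 51001)]

if __name__ == "__main__":
    for client, mtu, mss in not_forwarded(FRONT, BACK):
        print(f"frag-needed for {client} (MTU {mtu}, MSS {mss}) never reached the server")
```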
05-22-2008 12:30 AM
Open a service request with the TAC and if necessary they will escalate it to me.
Send me the case # if you want me to have an early look.
Gilles.
05-22-2008 12:34 AM
The TAC SR number is 608638139. I have already attached the sniffer trace and sh tech to the case.
-M