
How to use CSM Variable DEST_UNREACHABLE_MASK

hussainmo
Level 1

Hello,

We have some VPN customers complaining about accessing SAP via the CSM. Direct access to the servers works fine. Based on the situation we think that the CSM is not passing on ICMP Unreachables (RFC 792) from the firewalls to the servers so that MSS can be lowered.

I think the variable DEST_UNREACHABLE_MASK can help solve this issue but I don't know how to use it to allow ICMP Unreachables to the servers.

Thanks,

Murtaza

4 Replies

Gilles Dufour
Cisco Employee

By default the CSM does allow all unreachable messages.

This is what you should see:

gdufour-cat6k-2#sho mod csm 3 var | i DEST

DEST_UNREACHABLE_MASK 0xffff

If you do not have 0xffff, then it means you changed the default and should reset back to the default.

Regarding your primary issue, I would recommend a sniffer trace of the CSM portchannel and see why the vpn connection fails.

Gilles.

We took a trace and it looks like the CSM is not forwarding the ICMP unreachable to the backend system. I have checked the mask and it looks ok on the device.

-M

Open a service request with the TAC and if necessary they will escalate it to me.

Send me the case # if you want me to have an early look.

Gilles.

The TAC SR number is 608638139. I have already attached the sniffer trace and sh tech to the case.

-M
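
The check the thread performs on the sniffer trace can be scripted. The following is an added example, not part of the original posts and not Cisco code: it parses a raw IPv4 packet and reports whether it is an ICMP Destination Unreachable with code 4 ("fragmentation needed and DF set", RFC 792 / RFC 1191), which is the message a server needs to receive in order to lower its MSS. All addresses and the sample packet are constructed; the function name `parse_frag_needed` is hypothetical.

```python
import ipaddress
import socket
import struct

ICMP_DEST_UNREACHABLE = 3   # RFC 792 type
CODE_FRAG_NEEDED = 4        # RFC 1191: fragmentation needed and DF set


def parse_frag_needed(packet: bytes):
    """Return details of an ICMP type 3 / code 4 message, or None for any other packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # outer IP header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 8:       # IP protocol 1 = ICMP
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type != ICMP_DEST_UNREACHABLE or code != CODE_FRAG_NEEDED:
        return None
    inner = packet[ihl + 8:]                          # header of the packet that was too big
    if len(inner) < 20:
        return None
    return {
        "reporter": str(ipaddress.IPv4Address(packet[12:16])),       # device that dropped it
        "notified_host": str(ipaddress.IPv4Address(packet[16:20])),  # host that must shrink
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "next_hop_mtu": mtu,
        "suggested_mss": mtu - 40,                    # minus 20-byte IP and 20-byte TCP headers
    }


def _ipv4_header(src, dst, proto, total_len):
    # Constructed header for the sample only; checksum left at 0 (the parser does not verify it).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample: firewall 192.0.2.1 tells server 10.0.0.10 that its 1500-byte
# packet towards client 198.51.100.7 does not fit a 1400-byte next hop.
_inner = _ipv4_header("10.0.0.10", "198.51.100.7", 6, 1500) + struct.pack("!HHI", 3200, 51000, 1)
_icmp = struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + _inner
SAMPLE = _ipv4_header("192.0.2.1", "10.0.0.10", 1, 20 + len(_icmp)) + _icmp
ECHO = _ipv4_header("192.0.2.1", "10.0.0.10", 1, 28) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)

if __name__ == "__main__":
    print(parse_frag_needed(SAMPLE))
```

Running this over packets captured on both the firewall side and the server side of the CSM shows whether a code 4 message seen on one side also appears on the other.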
