ASA WCCP-GRE redirection to Websense times out

emorgan
Level 4

Hi,

I have an ASA5585 running 8.4 that is redirecting Internet HTTP to a Websense server via GRE.

The integration is working fine, except when a user PC sends a large packet (~1500 bytes).

With the WCCP/GRE headers, the user packet is too large to be transmitted to Websense, so the ASA fragments the packet in two and transmits both fragments to Websense.

A sniffer trace confirms that both fragments reach the Websense server, but the TCP packet is never acknowledged.

The user-side TCP stack retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15-second delay is of course not acceptable.

Users and the Websense server are both on the Inside interface.

We are considering imposing a browser proxy to Websense (which works fine), but would prefer not to, considering the increasing diversity of devices.

Would appreciate it if anybody with Websense-ASA-GRE experience could comment.

Thanks,

Eric


4 Replies

Jennifer Halim
Cisco Employee

If the issue is with the MTU being too large when transmitted from the client side, then I would suggest implementing TCP MSS adjustment to reduce the segment size to something smaller, so that once the GRE header has been incorporated the packet is no larger than 1500 bytes and hence does not get fragmented on the ASA.

sysopt connection tcpmss 1420

Hi,

The default sysopt connection tcpmss in the ASA is already at 1380.  We have played with this value but it does not seem to apply to the WCCP GRE tunnel.

Also, we thought of playing with the MSS in the core, but the switch is a Nexus 5548 and does not support adjusting MSS.

Still strange that the websense server does not handle simple things like IP fragments.

Thanks for your input,

Eric

emorgan
Level 4

Solved!

Seems that Websense does not like fragmented packets.

Websense tech support were aware of the problem and did put in a fix that reduces the MSS sent back to the client in the SYN-ACK.

Websense responds to the client with an MSS of 1432 instead of 1460.

1432 + 40 bytes of IP-TCP + 28 bytes of IP-GRE-WCCP makes a total of 1500 bytes, so the ASA does not need to fragment anymore when tunnelling to Websense.

Eric
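The arithmetic in the post above (1432 + 40 + 28 = 1500) and the MSS-clamping idea from Jennifer's first reply are worth making concrete. The following is an added example, not code from the original thread, from Cisco, or from Websense: it computes the largest client MSS that survives WCCP/GRE encapsulation without fragmentation, and shows a TCP-option rewrite of the kind Websense applies to the MSS option in its SYN-ACK. Assumptions, all labelled in the code: an outer MTU of 1500 bytes, IPv4 without options, a 4-byte GRE header and a 4-byte WCCP redirect header, and a constructed sample SYN-ACK option string.

```python
"""Added example (not from the original Cisco Community thread).

MSS arithmetic for WCCP GRE redirection and an MSS-option clamp on a
SYN-ACK. Assumed header sizes: IPv4 without options (20), TCP without
options (20), GRE without checksum/key/sequence (4), WCCPv2 GRE redirect
header (4). These are the figures the thread's "40 + 28" rests on.
"""
from typing import Optional, Tuple

IPV4_HEADER = 20          # assumption: no IP options
TCP_HEADER = 20           # assumption: MSS counts payload only, not IP/TCP headers
GRE_HEADER = 4            # assumption: plain GRE, no optional fields
WCCP_REDIRECT_HEADER = 4  # assumption: WCCPv2 redirect header inside GRE

# Constructed SYN-ACK options: MSS 1460, NOP, NOP, SACK-permitted, NOP, WScale 7
SAMPLE_SYN_ACK_OPTIONS = bytes.fromhex("02 04 05 b4 01 01 04 02 01 03 03 07")


def wccp_gre_overhead() -> int:
    """Bytes the ASA prepends when it tunnels a client packet to the cache engine."""
    return IPV4_HEADER + GRE_HEADER + WCCP_REDIRECT_HEADER  # 28


def encapsulated_size(mss: int) -> int:
    """On-the-wire size of a full-MSS segment after WCCP/GRE encapsulation."""
    return mss + TCP_HEADER + IPV4_HEADER + wccp_gre_overhead()


def will_fragment(mss: int, outer_mtu: int = 1500) -> bool:
    """True if a full-MSS segment no longer fits the outer MTU once tunnelled."""
    return encapsulated_size(mss) > outer_mtu


def max_mss_for_tunnel(outer_mtu: int = 1500) -> int:
    """Largest MSS whose full segment fits outer_mtu after encapsulation."""
    return outer_mtu - wccp_gre_overhead() - IPV4_HEADER - TCP_HEADER


def clamp_mss_option(tcp_options: bytes, cap: int) -> Tuple[bytes, Optional[int]]:
    """Lower the MSS option (kind 2) in a TCP option string to `cap`.

    Walks the options as RFC 793 lays them out: kind 0 (end) and kind 1 (NOP)
    are single bytes, everything else is kind/length/value. Returns the new
    option bytes and the MSS value that was present (None if no MSS option).
    Malformed lengths raise rather than being silently skipped.
    """
    out = bytearray(tcp_options)
    original: Optional[int] = None
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No-Operation
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length %d at offset %d" % (length, i))
        if kind == 2 and length == 4:   # Maximum Segment Size
            original = int.from_bytes(out[i + 2:i + 4], "big")
            if original > cap:
                out[i + 2:i + 4] = cap.to_bytes(2, "big")
        i += length
    return bytes(out), original


if __name__ == "__main__":
    for mss in (1460, 1432):
        print("MSS %d -> %d bytes on the wire, fragments: %s"
              % (mss, encapsulated_size(mss), will_fragment(mss)))
    print("largest safe MSS for a 1500-byte MTU:", max_mss_for_tunnel())
    clamped, seen = clamp_mss_option(SAMPLE_SYN_ACK_OPTIONS, max_mss_for_tunnel())
    print("SYN-ACK advertised MSS %s, rewritten options: %s" % (seen, clamped.hex()))
```

The clamp only ever lowers the advertised MSS; a SYN-ACK that already carries 1432 or less is passed through unchanged. Note that, as Eric found, an MSS clamp on the ASA itself did not apply to the WCCP GRE tunnel in his setup, which is why the fix ended up on the Websense side.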

Excellent, and thanks heaps for sharing the valuable information.

Please kindly mark your post as answered to help others who have the same issue. Thank you.
