I have an ASA5585 running 8.4 that is redirecting Internet http to a websense server via GRE.
The integration is working fine, except when a user PC sends a large packet (~1500 bytes).
With WCCP/GRE headers, the user packet is too large to be transmitted to websense, so the ASA fragments the packet in two and transmits both to websense.
A sniffer trace confirms that both fragments reach the websense server, but the TCP packet is never acknowledged.
User-side TCP retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15 second delay is of course not acceptable.
Users and Websense server are both on the Inside interface.
We are considering imposing browser proxy to websense (which works fine), but would prefer not, considering the increasing diversity of devices.
Would appreciate if anybody with websense-ASA-GRE experience could comment.
If the issue is with MTU being too large when transmitted from the client side, then I would suggest to implement tcp mss to adjust the size to something smaller so when GRE header has been incorporated it is no larger than 1500 bytes, hence it doesn't get fragmented on the ASA.
sysopt connection tcpmss 1420
The default sysopt connection tcpmss in the ASA is already at 1380. We have played with this value but it does not seem to apply to the WCCP GRE tunnel.
Also, we thought of playing with the MSS in the core, but the switch is a Nexus 5548 and does not support adjusting MSS.
Still strange that the websense server does not handle simple things like IP fragments.
Thanks for your input,
Seems that Websense does not like fragmented packets.
Websense tech support were aware of the problem and did put in a fix that reduces the MSS sent back to the client in the SYN-ACK.
Websense responds to the client with an MSS of 1432 instead of 1460.
1432 + 40 bytes of IP-TCP + 28 bytes of IP-GRE-WCCP makes a total of 1500 bytes, so the ASA does not need to fragment anymore when tunnelling to Websense.
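The size arithmetic behind that fix, as an added example that is not part of the thread: it computes the outer packet size of a full-MSS segment once the ASA wraps it in IP-GRE-WCCP (28 bytes, the figure given above), derives the largest MSS the Websense side can advertise on a 1500-byte link, and audits a few constructed SYN-ACK records for MSS values that would still force fragmentation.

```python
# Added example, not from the thread. Assumes IPv4 and TCP headers without
# options (20 bytes each) and the 28-byte outer IP + GRE + WCCP overhead
# quoted in the solution; the SYN-ACK records below are constructed.
IP_HDR = 20
TCP_HDR = 20
GRE_WCCP_OVERHEAD = 28   # outer IPv4 (20) + GRE (4) + WCCP redirect header (4)
LINK_MTU = 1500

def encapsulated_size(mss, overhead=GRE_WCCP_OVERHEAD):
    """Outer packet size when a full-MSS segment is GRE-redirected.
    MSS counts payload only, so the inner IP and TCP headers are added."""
    return mss + IP_HDR + TCP_HDR + overhead

def will_fragment(mss, link_mtu=LINK_MTU, overhead=GRE_WCCP_OVERHEAD):
    """True if the redirected packet exceeds the link MTU and the ASA must
    fragment it (the behaviour Websense did not handle in the thread)."""
    return encapsulated_size(mss, overhead) > link_mtu

def max_mss(link_mtu=LINK_MTU, overhead=GRE_WCCP_OVERHEAD):
    """Largest MSS the tunnel endpoint can advertise without fragmentation."""
    return link_mtu - IP_HDR - TCP_HDR - overhead

def audit_syn_acks(records, link_mtu=LINK_MTU, overhead=GRE_WCCP_OVERHEAD):
    """Return the records whose advertised MSS would still cause fragmentation.
    Each record is (server, client, mss) as pulled from a SYN-ACK capture."""
    limit = max_mss(link_mtu, overhead)
    return [(srv, cli, mss, mss - limit)
            for srv, cli, mss in records if mss > limit]

# Constructed sample: one server still advertising the default 1460, one on 1432.
SAMPLE_SYN_ACKS = [
    ("websense-a", "pc-1", 1460),
    ("websense-b", "pc-2", 1432),
]

if __name__ == "__main__":
    for mss in (1460, 1432):
        print(mss, encapsulated_size(mss), "fragments" if will_fragment(mss) else "fits")
    print("max MSS:", max_mss())
    for srv, cli, mss, excess in audit_syn_acks(SAMPLE_SYN_ACKS):
        print(f"{srv} -> {cli}: MSS {mss} is {excess} bytes too large")
```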