01-27-2009 09:03 AM - edited 03-11-2019 07:42 AM
Problem Details: Hi,
I've recently migrated from PIX to ASA5540 Version 8.0(3)6. On the new ASA we've set up L2L tunnels and remote access, and everything seems to be working fine. However, we have a radiologist group who are using VPN remote access via the new ASA and have been reporting some slowdowns and intermittent timeout issues while they are reading the studies. When it happens the VPN is still connected; after a minute or so they are able to read the images again. This happens with a bunch of doctors who are connected to the ASA via different ISPs. Sometimes they notice that, after 30 minutes of not reading any studies, they try to refresh the page and they see nothing listed. After a minute or so the studies are displayed again, yet they are still connected.
Prior to the new ASA we were using PIX along with the VPN 3000 appliance, and they were configured to access the system. This old PIX and the VPN appliance are still in place; when they connect through the old PIX/VPN 3000, none of these behaviors are seen. The VPN group name is
We checked the configuration multiple times and nothing seems to suggest a configuration issue. Any ideas? Your help is highly appreciated.
01-29-2009 09:37 AM
It sounds like an issue with the VPN idle timeout (default is 30 minutes). Do you currently have a custom value defined in the affected user group?
01-29-2009 10:56 AM
Thanks for getting back to me. I did change the idle timeout value to not expire a few weeks ago; unfortunately that didn't do it. However, I did capture some traffic and sent it to Cisco TAC for further evaluation. They came back telling me that there is a TCP connection that negotiates an MSS of 1460, which is pretty close to 1500, the maximum segment size. To resolve this I need to add some extra bytes to the header due to the IPSec encryption; the packet might exceed the 1500 byte size and fragmentation could occur.
I added the following commands. So far so good. I still need to have some more users test it for at least another week to get more consistent results.
"crypto ipsec df-bit clear-df outside"
"sysopt connection tcpmss 1280"
Thanks again.
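Added example, not part of the original thread: the size arithmetic behind the diagnosis above, showing how ESP tunnel-mode overhead pushes a full-size TCP segment past a 1500-byte path MTU and why a 1280-byte clamp fits. The transform sets, NAT-T encapsulation, option-free IP/TCP headers and all function names are assumptions; the thread does not give the tunnel's actual settings.

```python
# Added example: ESP tunnel-mode size arithmetic. The transform parameters
# below are assumptions; the thread does not state the ASA's transform set.
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header, no options
TCP_HDR = 20       # TCP header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
NAT_T_UDP = 8      # UDP/4500 encapsulation used when a peer is behind NAT


@dataclass(frozen=True)
class Transform:
    name: str
    block: int     # cipher block size (padding alignment)
    iv: int        # per-packet IV length
    icv: int       # truncated integrity check value


AES_SHA1 = Transform("esp-aes esp-sha-hmac", block=16, iv=16, icv=12)
TDES_SHA1 = Transform("esp-3des esp-sha-hmac", block=8, iv=8, icv=12)


def outer_packet_size(mss: int, t: Transform, nat_t: bool = True) -> int:
    """Size of the encrypted outer IPv4 packet carrying one full TCP segment."""
    inner = IP_HDR + TCP_HDR + mss
    # Payload plus the 2-byte trailer is padded up to the cipher block size.
    padded = -(-(inner + ESP_TRAILER) // t.block) * t.block
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + t.iv + padded + t.icv


def fragments(mss: int, t: Transform, mtu: int = 1500, nat_t: bool = True) -> bool:
    """True when a full segment at this MSS no longer fits the path MTU."""
    return outer_packet_size(mss, t, nat_t) > mtu


def max_safe_mss(t: Transform, mtu: int = 1500, nat_t: bool = True) -> int:
    """Largest MSS whose encrypted packet still fits in the path MTU."""
    mss = mtu - IP_HDR - TCP_HDR
    while fragments(mss, t, mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1280):   # negotiated value vs. the clamp from the thread
        size = outer_packet_size(mss, AES_SHA1)
        print(f"MSS {mss}: outer packet {size} bytes, fragments={size > 1500}")
    print("largest MSS that fits:", max_safe_mss(AES_SHA1))
```

Under these assumptions the 1280 clamp leaves over 100 bytes of headroom, which also absorbs extra encapsulation on the client's ISP path such as PPPoE.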