Rene Mueller
Contributor

https issues after ASA Upgrade to 9.1.(6)6

Hello,

 

I did an ASA 5520 upgrade from 8.4.7 to 9.1(6)6.

 

Since I am running the new version, I am not able to use https connections with clients which are connected to the ASA by the Cisco AnyConnect client. The client is version 3.1 and the connection type is IPsec (no SSL). Users are not able to open things like Microsoft OWA, https websites or Cisco Jabber 10.6 (which also works with https connections).

I found out that the client's ISP is using IPv4 and IPv6 public addresses. I guess it might have something to do with IPv6 <-> https <-> and the new version 9.1 of the ASA.

 

Hope someone can help or has at least some ideas, because I am currently fishing in the dark :-(

 

Regards

Rene

4 REPLIES 4
Rene Mueller
Contributor

We raised a TAC case for this issue and Cisco was able to solve the problem. They captured traffic on the ASA and found out the following. Here is a short summary of what TAC did:

Per the previous engineer's analysis on capin2 (capture collected on the ASA inside), we see frames# 6, 7 and 8, which are the server hello. In capture capture_client2 (capture collected on the virtual adapter on the client machine), we see only the 3rd segment being received and not the first 2 [frame# 20]. In the capture collected on the ASA's outside interface, chapout2.pcap, we see the ASA sending the packet with size 782 as the biggest packet [frame# 16]. When we access the CUCM server [1.2.3.4], the ASA sends the following to the server:

4.3.2.1 > 1.2.3.4: icmp: 2.2.2.2 unreachable - need to frag (mtu 1386)

On the show crypto ipsec sa, we see that when we try to access the CUCM server, encaps increase and not encrypts [a few packets get encapsulated but not encrypted] and the PMTUs sent counter increases. The Path MTU is shown as 1452; however, when we tried to ping the ASA's outside interface from the client machine, we could not ping with packets of more than 1425 size with the DF bit set. The issue was first observed when the ASA was upgraded to 9.1(6) from 8.4(7), and the issue is only observed with the user who connects to one particular DSL modem.

There have been changes in the code between 8.4 and the 9.1(6) you are running regarding the overhead calculation, which can be the root; it could be that the unreachable ICMP is being dropped in the middle. Since you are OK to avoid fragmentation, we lowered the MSS and that resolved the problem.

Hope this helps.

Regards,

Rene
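The check described in the TAC summary above, as an added example that is not part of the original post or Cisco's tooling: it parses the "need to frag" line quoted in the thread, derives the largest TCP MSS that fits the advertised MTU (assuming IPv4 and TCP headers without options), and tests whether a given MSS clamp, such as the 1300 mentioned later in the thread, stays below it. Function names, frame numbers and segment sizes are constructed for illustration.

```python
import re

IPV4_HDR = 20  # bytes, IPv4 header without options (assumption)
TCP_HDR = 20   # bytes, TCP header without options (assumption)

# tcpdump-style "fragmentation needed" line, in the form quoted in the thread
NEED_FRAG = re.compile(
    r"(\S+) > (\S+): icmp: (\S+) unreachable - need to frag \(mtu (\d+)\)")

def parse_need_frag(line):
    """Return reporter, notified host, original destination and advertised MTU."""
    m = NEED_FRAG.search(line)
    if m is None:
        return None
    return {"reporter": m.group(1), "notified": m.group(2),
            "orig_dst": m.group(3), "mtu": int(m.group(4))}

def max_mss(mtu):
    """Largest TCP payload that fits one unfragmented IPv4 packet of size mtu."""
    return mtu - IPV4_HDR - TCP_HDR

def blackhole_report(icmp_lines, segments, clamp):
    """segments: (frame_no, tcp_payload_len) pairs captured before the tunnel."""
    mtus = [p["mtu"] for p in map(parse_need_frag, icmp_lines) if p]
    if not mtus:
        return None  # no need-to-frag message seen, nothing to compare against
    limit = max_mss(min(mtus))
    return {
        "advertised_mtu": min(mtus),
        "mss_limit": limit,
        # Segments that only get through if the sender acts on the ICMP error
        "oversized": [frame for frame, size in segments if size > limit],
        # True when the MSS clamp keeps every segment within the limit
        "clamp_ok": clamp <= limit,
    }

# ICMP line as quoted in the thread; frame numbers and sizes are constructed
ICMP_LINES = [
    "4.3.2.1 > 1.2.3.4: icmp: 2.2.2.2 unreachable - need to frag (mtu 1386)"]
SEGMENTS = [(1, 1380), (2, 1380), (3, 500)]

if __name__ == "__main__":
    print(blackhole_report(ICMP_LINES, SEGMENTS, clamp=1300))
```

If the ICMP error is dropped on the path, the oversized segments are the ones that never arrive at the client, which is why a clamp below `mss_limit` avoids depending on that feedback.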

Dear Rene,

We have a similar issue on an ASA5540 that blocks some https sites like bank payments.

But I can't resolve it. What MSS size do you use to eliminate the problem?

However, I don't know if our problem relates to it or not, because the banking site uses TLS1.2 and the 9.1 version of ASA only supports TLS1.

Sincerely

Hello,

we configured

sysopt connection tcpmss 1300

Thanks, but this doesn't solve our problem. It seems that it is a certification problem, but I don't know how to solve it.

Some https sites are blocked with the message "Connection not secure (-- Verify by: Not specified)", and bypassing the ASA the site works properly (verified by certplus).

Sincerely
