Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
759
Views
5
Helpful
4
Replies

https issues after ASA Upgrade to 9.1.(6)6

Rene Mueller
Level 5
Level 5

‎08-10-2015 09:31 AM - edited ‎03-11-2019 11:24 PM

Hello,

 

I did a ASA 5520 Upgrade from 8.4.7 to 9.1(6)6.

 

Since I am running the new Version I am not able to use https Connections with Clients which are connected to the ASA by Cisco Anyconnect Client. Client is Version 3.1 and Connection type is IPSEC (no SSL). Users are not able to open stuff like Microsoft OWA, https Websites or Cisco Jabber 10.6 (which is also working with https Connections).

I found out, that the Clients ISP is using IPv4 and IPv6 public Adresses. I guess it might have something to do with IPv6 <-> https <-> and the new Version 9.1 of the ASA.

 

Hope someone can help or has at least some ideas, because I am currently fishing in the dark :-(

 

Regards

Rene

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Rene Mueller
Level 5
Level 5

‎02-27-2017 01:14 AM

We raced a TAC case for this issue and Cisco was able to solve the Problem. They caputured traffic on the ASA and found out the following. Here is a short summary what TAC did:

Er the previous engineer analysis on capin2 (capture collected on ASA inside) we see frame# 6,7 and 8 which is the server hello. In capture capture_client2 (capture collected on virtual adapter on the client machine), we see only the 3 segment being received and not the first 2. [frame# 20]. in the capture collected on the ASA's outside interface chapout2.pcap, we see the ASA sending the packet with size 782 as the biggest packet [frame# 16]. when we access the CUCM server [1.2.3.4], the ASA sends the following to the server: 

4.3.2.1 > 1.2.3.4: icmp: 2.2.2.2 unreachable - need to frag (mtu 1386)

On the show crypto ipsec sa, we see that when we try and access the CUCM server, encaps increase and not encrypts [few packets get encapsulated but not encrypted] and the PMTUs sent counter increases. the Path MTU is shown as 1452, however when we tried to ping the ASAs Outside interface from the client machine, we could not ping with packets more than 1425 size with df bit set. Issue was first observed when the ASA was upgraded to 9.1(6) from 8.4(7) and the issue is only observed with the user who connects to one particular DSL modem.

There has been changes in the code between 8.4 and the 9.1(6) you are running regarding the overhead calculation which can be the root; it could be that the unreachable ICMP is being dropped in the middle. Since you are ok to avoid fragmentation so we lowered the MSS and that resolved the problem.

Hope this helps.

Regards,

Rene

0 Helpful

zolfaghar
Level 1
Level 1
In response to Rene Mueller

‎02-27-2017 09:05 PM

Dear Rene,

We have similar issue on ASA5540 that blocks some https sites like bank payments.

But I can't resolve it, what size of mss do you use for eliminating problem?

However I don't know if our problem relates to it or not, because the banking site uses TLS1.2 and the 9.1 version of ASA only supports TLS1

Sincerely

0 Helpful

Rene Mueller
Level 5
Level 5
In response to zolfaghar

‎02-28-2017 05:21 AM

Hello,

we configured

sysopt connection tcpmss 1300

zolfaghar
Level 1
Level 1
In response to Rene Mueller

‎02-28-2017 07:14 AM

Thanks, but this doesn't solve our problem, It seems that it is a certification problem but I don't know how to solve it.

Some https sites blocked with message "Connection not secure (-- Verify by: Not specified)" and bypassing ASA the site works properly (verified by certplus).

Sincerely

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card