
MSB Client VPN issue

5creedus
Level 1

Customer unable to connect to VPN endpoint when going through an MSB.

He changes the gateway on the host to use the ASA as the exit point and has no problems.

The endpoint is reachable from either the MSB or ASA.

Any known issues with MSB and Cisco client VPN?

1 Reply

5creedus
Level 1

Got the solution from another co-worker, so sharing:

The "bigmss (MTU) fixup" is used when VPN is not connecting from hosts behind an MSB firewall. Symptoms are:

- no ISAKMP return traffic seen by the client

- the "test" rule allowing ISAKMP inbound increments, indicating the return traffic made it to the firewall outside interface

- no login prompt (popup window)

To resolve, do the below in sequence and, when complete, have the connection tested. The VPN login prompt (popup window) should now be seen. This works with many-to-one NAT or one-to-one NAT.

1) ACL for fixup

access-list tcp_norm line 5 extended permit tcp any any

2) Class maps

parameter-map type connection TCPMAP
  exceed-mss allow
  exit
class-map match-all cmTCPNORM
  2 match access-list tcp_norm
  exit

3) Policy map

policy-map multi-match bigmss
  class cmTCPNORM
    connection advanced-options TCPMAP
    exit
  exit

4) Apply the policy map to both the external and internal interfaces

interface internal
  service-policy input bigmss
  exit
interface external
  service-policy input bigmss
  exit
exit

Ensure you save the policy
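The steps above loosen one TCP normalization check, "exceed-mss". The following is an added example, not part of the post or of Cisco's own software: it models what that check does, so the effect of "exceed-mss allow" can be seen on a constructed flow. It assumes the normalizer remembers the MSS the client advertised in its SYN and, in the default (strict) mode, drops later segments whose payload is larger than that value; the packet builder, port numbers and segment sizes are constructed sample data, not a capture from the MSB.

```python
"""Model of a TCP normalizer's exceed-MSS check (added example, constructed data)."""
import struct
from typing import List, Optional, Tuple

SYN = 0x02
PSH_ACK = 0x18


def build_tcp_header(flags: int, mss: Optional[int] = None) -> bytes:
    """Build a minimal 20-byte TCP header plus an optional MSS option.

    Constructed sample data: ports, sequence numbers and window are arbitrary.
    The MSS option is kind 2, length 4, value in network byte order.
    """
    options = b"" if mss is None else struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4  # header length in 32-bit words
    fixed = struct.pack(
        "!HHIIBBHHH",
        40000,            # source port (constructed)
        443,              # destination port (constructed)
        1,                # sequence number
        0,                # acknowledgement number
        data_offset << 4,  # data offset in the high nibble, reserved bits zero
        flags,
        65535,            # window
        0,                # checksum (not computed for this model)
        0,                # urgent pointer
    )
    return fixed + options


def tcp_mss_option(tcp_header: bytes) -> Optional[int]:
    """Walk the TCP options and return the MSS value, or None if absent.

    Handles EOL, NOP and truncated/malformed options defensively so a
    bad header cannot make the parser read past the buffer.
    """
    data_offset = (tcp_header[12] >> 4) * 4
    options = tcp_header[20:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            break              # truncated: no length byte
        length = options[i + 1]
        if length < 2:
            break              # malformed length
        if kind == 2 and length == 4 and i + 4 <= len(options):
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def normalize_flow(segments: List[Tuple[bytes, bytes]],
                   exceed_mss_allow: bool = False) -> List[str]:
    """Apply the exceed-MSS check to (tcp_header, payload) segments in order.

    Returns a 'pass'/'drop' verdict per segment. The SYN's advertised MSS is
    learned; afterwards, a payload larger than that MSS is dropped unless
    exceed-mss is allowed (the setting the post's parameter-map changes).
    Segments here are modelled as flowing toward the host that sent the SYN.
    """
    advertised: Optional[int] = None
    verdicts = []
    for header, payload in segments:
        flags = header[13]
        if flags & SYN:
            advertised = tcp_mss_option(header)
            verdicts.append("pass")
            continue
        too_big = advertised is not None and len(payload) > advertised
        verdicts.append("drop" if too_big and not exceed_mss_allow else "pass")
    return verdicts


def sample_flow() -> List[Tuple[bytes, bytes]]:
    """Constructed flow: SYN advertising MSS 1380, then a 1380-byte and a
    1460-byte data segment (the second exceeds the advertised MSS)."""
    return [
        (build_tcp_header(SYN, mss=1380), b""),
        (build_tcp_header(PSH_ACK), b"A" * 1380),
        (build_tcp_header(PSH_ACK), b"B" * 1460),
    ]


if __name__ == "__main__":
    for allow in (False, True):
        mode = "allow" if allow else "drop"
        print(f"exceed-mss {mode}: {normalize_flow(sample_flow(), allow)}")
```

Running it shows the third segment dropped in strict mode and passed once exceed-mss is allowed, which is the difference the "bigmss" policy makes for a path whose MTU handling produces segments larger than the MSS the client advertised.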
