345 Views · 0 Helpful · 1 Reply

Certificate, dropped IKE packet, 3005 MTU oddity, any workaround?

alexm
Level 1

Greetings,

We have a situation where our 3005 concentrator fragments the packet containing its certificate during IKE Phase 1. This happens regardless of whether it's UDP IKE or tunnelled over TCP port 10000. The packet is fragmented using the MTU of the 3005's public interface *regardless of the MTU of the Cisco client*. Many hotel broadband connections drop the second fragment of this packet, causing negotiation failure and the dreaded "Remote peer not responding". The remote networks are beyond our control, and the Cisco IPSec fragmentation workarounds do not apply to IKE. Is there another workaround available?

The 3005 is running v3.6.7 and this occurs with Cisco clients up to and including 3.6.3(B). I can demonstrate with a packet trace if you're curious. I've tested with various concentrator and client MTUs and fragmentation before encapsulation and the behavior is always the same.

1 Reply

alexm
Level 1

Cisco bug CSCdz30124 addresses the "IKE pre-fragmentation" issue. No workaround is given, but the assumption is that smaller certificates (ones that don't need to be fragmented) should work.
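The failure mode described in this thread (a certificate-bearing IKE message fragmented at the concentrator's public-interface MTU, with the second IP fragment dropped along the path) is easy to confirm from a packet capture once you know what to look for. The following is an added diagnostic example, not code from the thread or from Cisco: it models how an IPv4 sender splits a UDP/500 datagram at a given MTU, then groups captured fragment records by (source, destination, IP ID) and reports IKE datagrams that the receiver could never reassemble. The packet records, the 2000-byte message size, the 1500-byte MTU and the documentation-range addresses are all constructed for the example; IPv4 headers are assumed to carry no options.

```python
"""Spot IKE (UDP/500) datagrams that were fragmented and never fully arrived.

Added example for the thread above; the Fragment records stand in for what a
capture tool (tcpdump/Wireshark) would decode from each IPv4 fragment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

IPV4_HEADER_LEN = 20        # assumption: no IP options
UDP_HEADER_LEN = 8
IKE_UDP_PORT = 500


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as decoded from a capture (constructed input)."""
    src: str
    dst: str
    ip_id: int
    frag_offset: int                 # IP header value, in 8-byte units
    more_fragments: bool             # the MF flag
    payload_len: int                 # bytes after the IP header in this fragment
    udp_dport: Optional[int] = None  # decodable only in the first fragment


def plan_fragments(ike_msg_len: int, mtu: int) -> list:
    """Split a UDP datagram carrying ike_msg_len bytes of IKE at the given MTU
    the way the sending interface does: every fragment but the last carries a
    multiple of 8 payload bytes. Returns a list of (offset_units, payload_len, mf)."""
    total = UDP_HEADER_LEN + ike_msg_len
    per_fragment = (mtu - IPV4_HEADER_LEN) // 8 * 8
    plan, offset = [], 0
    while offset < total:
        n = min(per_fragment, total - offset)
        plan.append((offset // 8, n, offset + n < total))
        offset += n
    return plan


def reassembly_status(frags: list) -> str:
    """'complete', 'gap' (a fragment is missing before another one), or
    'missing-tail' (the final MF=0 fragment never arrived)."""
    frags = sorted(frags, key=lambda f: f.frag_offset)
    expected = 0
    for f in frags:
        if f.frag_offset * 8 != expected:
            return "gap"
        expected += f.payload_len
    return "missing-tail" if frags[-1].more_fragments else "complete"


def find_broken_ike_datagrams(fragments: list) -> list:
    """Group fragments by (src, dst, IP id) and return the IKE datagrams whose
    first fragment (the only one with a UDP header) was seen but which could not
    be reassembled. Datagrams whose first fragment is absent are skipped because
    their destination port cannot be known."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f.src, f.dst, f.ip_id)].append(f)
    broken = []
    for key, frags in groups.items():
        first = min(frags, key=lambda f: f.frag_offset)
        if first.frag_offset != 0 or first.udp_dport != IKE_UDP_PORT:
            continue
        status = reassembly_status(frags)
        if status != "complete":
            broken.append((key, status))
    return broken


# Constructed sample: a 2000-byte certificate-bearing IKE message is sent twice
# from the concentrator (MTU 1500 on its public interface) to a client.
CONCENTRATOR, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE = [
    # IP id 0x1001: both fragments arrived
    Fragment(CONCENTRATOR, CLIENT, 0x1001, 0, True, 1480, IKE_UDP_PORT),
    Fragment(CONCENTRATOR, CLIENT, 0x1001, 185, False, 528),
    # IP id 0x1002: the second fragment was dropped on the path
    Fragment(CONCENTRATOR, CLIENT, 0x1002, 0, True, 1480, IKE_UDP_PORT),
    # IP id 0x1003: an unfragmented DNS reply, not IKE, ignored
    Fragment("192.0.2.53", CLIENT, 0x1003, 0, False, 120, 53),
]

if __name__ == "__main__":
    for off, n, mf in plan_fragments(2000, 1500):
        print(f"offset={off * 8:5d} bytes  len={n:4d}  MF={int(mf)}")
    for key, status in find_broken_ike_datagrams(SAMPLE):
        print(f"IKE datagram {key[0]} -> {key[1]} id=0x{key[2]:04x}: {status}")
```

`plan_fragments` also shows why the reply's observation holds: at a 1500-byte interface MTU anything up to 1472 bytes of IKE payload travels in a single IP packet, so a certificate small enough to keep the Phase 1 message under that bound never produces the second fragment that the hotel networks drop. On a real capture, run the grouping over the decoded fragments of the Phase 1 exchange; an IKE datagram reported as `missing-tail` on the client side, while the concentrator-side capture shows both fragments leaving, pinpoints the drop to the path rather than to either peer.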