Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
343
Views
0
Helpful
1
Replies

Certificate, dropped IKE packet, 3005 MTU oddity, any workaround?

alexm
Level 1
Level 1

‎02-21-2003 09:41 AM - edited ‎03-09-2019 02:12 AM

Greetings,

We have a situation where our 3005 concentrator fragments the packet containing its certificate during IKE Phase 1. This happens regardless of whether it's UDP IKE or tunnelled over TCP port 10000. The packet is fragmented using the MTU of the 3005's public interface *regardless of the MTU of the Cisco client*. Many hotel broadband connections drop the second fragment of this packet, causing negotiation failure and the dreaded "Remote peer not responding". The remote networks are beyond our control, and the Cisco IPSec fragmentation workarounds do not apply to IKE. Is there another workaround available?

The 3005 is running v3.6.7 and this occurs with Cisco clients up to and including 3.6.3(B). I can demonstrate with a packet trace if you're curious. I've tested with various concentrator and client MTUs and fragmentation before encapsulation and the behavior is always the same.

Labels:
0 Helpful
1 Reply 1

alexm
Level 1
Level 1

‎02-25-2003 11:56 AM

Cisco bug CSCdz30124 addresses the "IKE pre-fragmentation" issue. No workaround is given, but the assumption is that smaller certificates (ones that don't need to be fragmented) should work.

0 Helpful
Customers Also Viewed These Support Documents