Some HTTP traffic gets dropped over VPN

Hi,

I'm currently facing an interesting problem, to say the least. We have over 80 site-to-site VPN tunnels, consisting of an ASA 5515 as our concentrator (192.168.11.0/24 range) and mostly 890/891 routers as endpoints (10.40.0.0/16 or 10.55.0.0/16 range, etc.). Configurations basically vary whenever there was a need for more VLANs or DHCP, or whenever a client required a port or two forwarded. So when I take a config and change the VTP/IP/domain, I can reuse it on another device with little to no change at all.

Since the 891 model is no longer available, we switched to the ISR 1111-8P model. The config needed to be slightly modified (because it no longer knows ip cef but knows ip cef distrib... etc.; nothing major, and when there was a problem it was corrected).

The router connects to the VPN, and everything works as it should. We can ping devices, mstsc to Windows machines/VMs, SSH to Linux/VMs, VNC/TeamViewer. EXCEPT that there is a monitoring system and we can't access its HTTP, and we can't access the Dell iDRAC HTTPS page. Both of these are pingable, and I can SSH into them and configure them that way.

The problem gets more bizarre: when I started a hotspot on Android, I could access the monitoring HTTP and the iDRAC HTTPS through the AnyConnect VPN (we connect to our concentrator and then we can access the rest of the network). I've provided a diagram with a few color variations. The PROBLEM is RED; that's the local computer(s) that can't access HTTP/HTTPS through the new router on site. It can access the rest of the network (green lines). And of course there are BLUE lines (AnyConnect VPN clients) that can access everything normally.

IP range for our ASA / local computers / AnyConnect VPN clients:

192.168.11.0/24

IP range for S2S clients:

for example 10.65.0.0/16, 10.70.0.0/16, etc.

There is nothing in the ASA logs or router logs that is even remotely connected to the problem.

Attached is the diagram, as I already said, and an obfuscated config of the non-working setup (TESR), or rather working but not for computers that are local. I can of course provide other configs / the ASA config if needed.

This is my first time posting here, so I hope I'm in the right section, and that somebody will shed some light on this problem.

Thank you.

Accepted Solution

It isn't the MTU of the WAN interface; it is the MTU of the tunnel. In IOS (or IOS-XE), you can fix that by applying this to the tunnel interface:

ip tcp adjust-mss 1300

In an ASA, you could do this. It is a global value there.

sysopt connection tcpmss 1300

I don't have a ready answer for FTD.

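The accepted solution says to clamp the MSS but does not show where the number comes from, or why ping and SSH keep working while HTTP/HTTPS hangs. The following Python script is an added example, not code from this thread or from Cisco: it computes the ESP tunnel-mode overhead for a packet, finds the largest TCP MSS that still fits a 1500-byte WAN MTU, and classifies a few constructed sample packets. The cipher profiles (AES-CBC with HMAC-SHA1-96, AES-GCM with a 128-bit ICV) and the GRE / NAT-T options are assumptions for illustration; read the real transform set and whether NAT-T is in use from the router and ASA configuration before trusting a specific value.

```python
"""
IPsec tunnel-MTU / TCP-MSS calculator (added example, not from the thread).

Why small packets cross the tunnel while full-size TCP segments do not:
a 1460-byte segment on a 1500-byte LAN becomes a 1500-byte IP packet, and
ESP encapsulation pushes it past the 1500-byte WAN MTU.  If the sender set
DF and the ICMP "fragmentation needed" reply is lost or filtered, the TCP
session stalls right after the handshake: ping and SSH keystrokes are small
and pass, an HTTP/HTTPS response body never arrives.  Clamping the MSS on the
tunnel interface (ip tcp adjust-mss) or on the ASA (sysopt connection tcpmss)
keeps every segment inside the tunnel MTU.

Header sizes are the standard ones; the cipher profiles are assumptions.
"""
from dataclasses import dataclass

IPV4_HDR = 20          # IPv4 header without options
TCP_HDR = 20           # TCP header without options
ICMP_HDR = 8
ESP_SPI_SEQ = 8        # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
GRE_HDR = 4            # plain GRE header (no key, no sequence)
UDP_HDR = 8            # UDP header added by NAT-T (UDP/4500)


@dataclass(frozen=True)
class EspProfile:
    iv_len: int    # explicit IV bytes carried in the ESP payload
    block: int     # padding alignment: cipher block size, or 4 for counter modes
    icv_len: int   # integrity check value bytes at the end of the packet


# Assumed cipher suites (constructed for this example, not read from any config).
AES_CBC_SHA1 = EspProfile(iv_len=16, block=16, icv_len=12)   # AES-CBC + HMAC-SHA1-96
AES_GCM_128 = EspProfile(iv_len=8, block=4, icv_len=16)      # AES-GCM, 128-bit ICV


def inner_len(payload: int, l4_hdr: int = TCP_HDR, gre: bool = False) -> int:
    """Cleartext packet handed to IPsec: IP + L4 + payload, plus a GRE
    delivery header (outer IP + GRE) when the tunnel is GRE over IPsec."""
    length = IPV4_HDR + l4_hdr + payload
    if gre:
        length += IPV4_HDR + GRE_HDR
    return length


def esp_tunnel_len(inner: int, p: EspProfile, nat_t: bool = False) -> int:
    """Outer IPv4 packet size after ESP tunnel-mode encapsulation.
    ESP pads (payload + 2-byte trailer) up to the next multiple of the block size."""
    padded = -(-(inner + ESP_TRAILER) // p.block) * p.block   # ceiling division
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_SPI_SEQ + p.iv_len + padded + p.icv_len


def fits(inner: int, wan_mtu: int, p: EspProfile, nat_t: bool = False) -> bool:
    """True if the encapsulated packet leaves the WAN interface without fragmentation."""
    return esp_tunnel_len(inner, p, nat_t) <= wan_mtu


def max_mss(wan_mtu: int, p: EspProfile, gre: bool = False, nat_t: bool = False) -> int:
    """Largest TCP MSS whose full-size segment still fits in wan_mtu after
    encapsulation.  Searched downward so the padding rounding is exact."""
    for mss in range(wan_mtu, 0, -1):
        if fits(inner_len(mss, gre=gre), wan_mtu, p, nat_t):
            return mss
    return 0


def traffic_report(wan_mtu: int, p: EspProfile, gre: bool = False, nat_t: bool = False) -> dict:
    """Constructed sample packets: which of them cross the tunnel intact?"""
    samples = {
        "icmp echo (56-byte ping payload)": inner_len(56, ICMP_HDR, gre),
        "ssh keystroke (36-byte segment)": inner_len(36, TCP_HDR, gre),
        "http response segment (mss 1460)": inner_len(1460, TCP_HDR, gre),
        "http response segment (mss 1380)": inner_len(1380, TCP_HDR, gre),
    }
    return {name: fits(size, wan_mtu, p, nat_t) for name, size in samples.items()}


if __name__ == "__main__":
    cases = [("plain ESP", False, False), ("ESP + NAT-T", False, True), ("GRE over ESP", True, False)]
    for label, gre, nat_t in cases:
        print(f"{label}: max MSS {max_mss(1500, AES_CBC_SHA1, gre, nat_t)} (AES-CBC/SHA1)")
    for name, ok in traffic_report(1500, AES_CBC_SHA1).items():
        print(f"  {'passes' if ok else 'DROPPED'}: {name}")
```

With these assumed profiles a plain AES-CBC/SHA1 tunnel tolerates an MSS of about 1398, NAT-T brings that down to 1382, and GRE over IPsec to 1374; the 1380 the poster ended up with is therefore near the edge on a NAT-T tunnel, and the 1300 in the accepted solution leaves headroom for a smaller upstream MTU (PPPoE, a second encapsulation) at the cost of a few percent throughput. A clamp only protects TCP: for UDP and ICMP you still want the tunnel's ip mtu set so the router fragments before encryption, and you should not filter ICMP type 3 code 4 on the WAN edge, since that is what lets PMTUD work at all.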

5 Replies

Interesting. I thought at first that MTU would be the problem, and tried to lower it on the ISR WAN interface, only to find out that the minimum is 1500... So I gave up on that idea.

I followed the instructions from the article, only to find out that my packet captures were empty: no MSS-exceeded packets.

Anyway, it pointed me in the right direction. I lowered the MTU on the ASA WAN side to as low as 1380, and everything works now.

You are so, so welcome, friend.


I actually did what you said, I just didn't say it.

I did not lower the MTU but changed "Force maximum segment size for TCP connection to be..." to a value of 1380.

Sorry for the confusion.
