With this issue, the site-to-site VPN on the PIX/ASA security appliance passes most traffic (file copies, ping, and the Remote Desktop Protocol (RDP) all work across the tunnel), but Microsoft Windows Active Directory replication between the sites fails.
This issue is usually related to the TCP Maximum Segment Size (MSS): the replication traffic uses full-size segments that, once IPsec headers are added, no longer fit the path MTU. Lower the MSS that the security appliance enforces with the sysopt connection tcpmss command.
Note: A value of 1200 bytes works well in most cases.
Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value specified by the sysopt connection tcpmss command, the security appliance overrides the maximum and inserts the specified value. If either maximum is less than the value specified by the sysopt connection tcpmss minimum command, the security appliance overrides the maximum and inserts the minimum value. The minimum value is actually the smallest maximum allowed. For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, the security appliance alters the packet to request 1200 bytes, the maximum. If another host requests a maximum value of 300 bytes, the security appliance alters the packet to request 400 bytes, the minimum.
The default of 1380 bytes leaves room for the TCP and IP headers plus the IPsec (AH and ESP) and outer IP headers that tunnel-mode encapsulation adds, so that the total packet size does not exceed 1500 bytes, the default Maximum Transmission Unit (MTU) for Ethernet. Refer to this calculation:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request a maximum segment size, the security appliance assumes that the Request for Comments (RFC) 793 default value of 536 bytes is in effect.
If the maximum size is set above 1380 bytes, the encapsulated packets can exceed the MTU and fragment. Whether they do depends on the MTU size, which is 1500 bytes by default. Large numbers of fragments can impact the performance of the security appliance when it uses the Frag Guard feature. Set the minimum size so that the TCP server does not send many small TCP data segments to the client, which would impact the performance of the server and the network.
Note: The default maximum value is 1380 bytes. The minimum feature is disabled by default, which means that it is set to zero.
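The clamping rules above, worked through in code. This is an added example and not Cisco's implementation: it models what sysopt connection tcpmss does to the MSS option of a TCP SYN, using the header sizes from the calculation on this page, and shows the maximum/minimum cases from the text (maximum 1200, minimum 400, requests of 1300 and 300). The function names, the sample option bytes, and the ESP_CIPHER/ESP_AUTH constants are assumptions made for the example; a real rewrite of a captured SYN would also have to recompute the TCP checksum, which is not shown.

```python
"""Added example (not from the Cisco article): model the MSS clamping that
`sysopt connection tcpmss` performs on TCP SYN segments, and check the
1380-byte budget against the overhead figures given in the article."""

# Header sizes (bytes) taken from the article's calculation.
TCP_HDR = 20
INNER_IP = 20
AH = 24
ESP_CIPHER = 24          # ESP header/IV/padding budget used in the article
ESP_AUTH = 12
OUTER_IP = 20
RFC793_DEFAULT_MSS = 536  # assumed by the appliance when the SYN has no MSS option
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def max_mss_for_mtu(mtu=1500):
    """Largest TCP payload that still fits the outer MTU after IPsec
    tunnel-mode encapsulation (AH + ESP, as in the article's sum)."""
    return mtu - (TCP_HDR + INNER_IP + AH + ESP_CIPHER + ESP_AUTH + OUTER_IP)


def clamp_mss(requested, maximum=1380, minimum=0):
    """Apply the sysopt connection tcpmss rules to one advertised MSS.

    requested: MSS value from the SYN, or None if the option is absent.
    maximum:   `sysopt connection tcpmss <bytes>` (default 1380).
    minimum:   `sysopt connection tcpmss minimum <bytes>` (0 = disabled).
    """
    if requested is None:
        requested = RFC793_DEFAULT_MSS
    if requested > maximum:
        return maximum
    if minimum and requested < minimum:
        return minimum
    return requested


def rewrite_syn_mss(options, maximum=1380, minimum=0):
    """Walk the TCP options of a SYN and rewrite the MSS option in place.

    Returns (new_options, original_mss, clamped_mss). original_mss is None
    when no MSS option is present; nothing is inserted in that case (the
    appliance then assumes 536). Checksum recomputation is not modelled.
    """
    buf = bytearray(options)
    i = 0
    original = clamped = None
    while i < len(buf):
        kind = buf[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated TCP option")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed TCP option length")
        if kind == TCPOPT_MSS and length == 4:
            original = int.from_bytes(buf[i + 2:i + 4], "big")
            clamped = clamp_mss(original, maximum, minimum)
            buf[i + 2:i + 4] = clamped.to_bytes(2, "big")
        i += length
    return bytes(buf), original, clamped


def asa_commands(maximum, minimum=0):
    """Configuration lines that set the values modelled above."""
    lines = [f"sysopt connection tcpmss {maximum}"]
    if minimum:
        lines.append(f"sysopt connection tcpmss minimum {minimum}")
    return lines


if __name__ == "__main__":
    # Constructed SYN options: MSS 1460, NOP, window scale 8.
    syn_opts = bytes.fromhex("020405b401030308")
    print("MSS budget at MTU 1500:", max_mss_for_mtu())            # 1380
    print(rewrite_syn_mss(syn_opts, maximum=1200, minimum=400))    # MSS 1460 -> 1200
    print(clamp_mss(1300, 1200, 400), clamp_mss(300, 1200, 400))   # 1200 400
    print("\n".join(asa_commands(1200, 400)))
```

Running the block reproduces the numbers from the text: the 1380-byte budget falls out of the header sum, a SYN advertising 1460 is rewritten to 1200, and a request of 300 is raised to the 400-byte minimum. To verify the appliance is actually clamping, compare the MSS option in a SYN captured on the inside interface with the same SYN captured on the outside interface.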