In this scenario, the site-to-site VPN on the PIX/ASA firewall works for file copies, ping, and the Remote Desktop Protocol (RDP), but Microsoft Windows Active Directory replication fails.
This issue is potentially related to the TCP maximum segment size (MSS).
Note: A maximum segment size of 1200 bytes works well in most cases.
Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value specified by the sysopt connection tcpmss command, the security appliance overrides the maximum and inserts the specified value. If either maximum is less than the value specified by the sysopt connection tcpmss minimum command, the security appliance overrides the maximum and inserts the minimum value. The minimum value is actually the smallest maximum allowed. For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, the security appliance alters the packet to request 1200 bytes, the maximum. If another host requests a maximum value of 300 bytes, the security appliance alters the packet to request 400 bytes, the minimum.
The default of 1380 bytes leaves room for header information so that the total packet size does not exceed 1500 bytes, the default Maximum Transmission Unit (MTU) for Ethernet. Refer to this calculation:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request a maximum segment size, the security appliance assumes that the Request for Comments (RFC) 793 default value of 536 bytes is in effect.
If the maximum size is set greater than 1380 bytes, packets can be fragmented. This behavior depends upon the MTU size, which is 1500 bytes by default. Large numbers of fragments can affect the performance of the security appliance when it uses the Frag Guard feature. Set the minimum size so that the TCP server does not send many small TCP data segments to the client, which would degrade the performance of the server and the network.
Note: The default maximum value is 1380 bytes. The minimum feature is disabled by default, which means that it is set to zero.
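The following is a small simulation of the MSS rewriting rules and the MTU arithmetic described above, added here as an illustration and not taken from Cisco documentation or software; the function and constant names are my own, and the per-header overhead values are the ones used in the calculation on this page.

```python
# Added example: models how the security appliance rewrites the TCP MSS
# option under "sysopt connection tcpmss" / "... tcpmss minimum", and checks
# whether a given MSS fits the default 1500-byte Ethernet MTU through the
# IPsec tunnel. Names and structure are hypothetical, not Cisco code.

DEFAULT_MSS_MAX = 1380    # default "sysopt connection tcpmss"
DEFAULT_MSS_MIN = 0       # "sysopt connection tcpmss minimum" is disabled by default
RFC793_DEFAULT_MSS = 536  # assumed when a SYN carries no MSS option

# Per-header overhead in bytes, taken from the page's 1380 + ... = 1500 calculation.
OVERHEAD = {
    "TCP": 20,
    "inner IP": 20,
    "AH": 24,
    "ESP cipher": 24,
    "ESP auth": 12,
    "outer IP": 20,
}


def clamp_mss(requested, maximum=DEFAULT_MSS_MAX, minimum=DEFAULT_MSS_MIN):
    """Return the MSS value left in the SYN after the appliance applies its rules.

    requested: MSS advertised by the host or server, or None if no option was sent.
    maximum:   value of "sysopt connection tcpmss".
    minimum:   value of "sysopt connection tcpmss minimum" (0 = disabled).
    """
    if requested is None:
        requested = RFC793_DEFAULT_MSS  # page: RFC 793 default assumed in effect
    if requested > maximum:
        return maximum                  # lowered to the configured maximum
    if minimum and requested < minimum:
        return minimum                  # raised to the configured minimum
    return requested                    # within range: passed through unchanged


def total_packet_size(mss, overhead=OVERHEAD):
    """Size on the wire of a full-MSS segment once all listed headers are added."""
    return mss + sum(overhead.values())


def max_mss_for_mtu(mtu=1500, overhead=OVERHEAD):
    """Largest MSS that avoids fragmentation for the given MTU and header set."""
    return mtu - sum(overhead.values())


def fits_mtu(mss, mtu=1500, overhead=OVERHEAD):
    """True if a full-MSS segment will not need fragmentation at this MTU."""
    return total_packet_size(mss, overhead) <= mtu
```

Running the page's own example (maximum 1200, minimum 400) through `clamp_mss` gives 1200 for a host requesting 1300 and 400 for a host requesting 300; `max_mss_for_mtu()` returns the 1380-byte default.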