Files larger than 1K are not able to go through the tunnel.
The remote desktop session does not come up for remote machines on the far end.
The VPN tunnel is established and pinging is functional, but applications that use large packets, such as File Transfer Protocol (FTP), Remote Desktop Protocol (RDP) or Structured Query Language (SQL), do not work.
The problem is related to either of these issues:
Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
Fragmentation policy during encryption
Complete these steps in order to resolve this issue:
Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.
You can also use the ping test:
ping -l 1400 192.168.1.1 -f
192.168.1.1 is the IP address of the remote machine.
Continue to reduce the value of 1400 by 20 until there is a reply.
Note: The magical value, which works in most instances, is 1300.
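The step-down ping test above can be scripted. The following is an added example, not part of the original document: it lowers the payload by 20 bytes until a ping with the DF bit set is answered, then converts that payload into an IP packet size and a TCP MSS for IPv4 without options. The function names, the 500-byte floor and the simulated path are assumptions made for illustration.

```python
import subprocess

IP_HEADER = 20    # IPv4 header without options, bytes
ICMP_HEADER = 8   # ICMP echo header, bytes
TCP_HEADER = 20   # TCP header without options, bytes


def windows_df_ping(host, payload):
    """Send one echo with DF set (Windows ping: -l size, -f DF, -n count)."""
    result = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(payload), host],
        capture_output=True, text=True,
    )
    # An echo reply line carries "TTL="; a "needs to be fragmented" message does not.
    return "TTL=" in result.stdout


def find_working_payload(host, probe=windows_df_ping, start=1400, step=20, floor=500):
    """Step the payload down from `start` by `step` until a DF ping is answered."""
    size = start
    while size >= floor:
        if probe(host, size):
            return size
        size -= step
    return None  # nothing got through: not an MTU problem, or ICMP is filtered


def sizes_from_payload(payload):
    """Translate an answered ping payload into IP packet size and TCP MSS."""
    packet = payload + ICMP_HEADER + IP_HEADER   # largest IP packet seen to pass
    return {"packet": packet, "mss": packet - IP_HEADER - TCP_HEADER}


def simulated_path(path_mtu):
    """Constructed stand-in for a tunnel whose path MTU is `path_mtu` bytes."""
    return lambda host, payload: payload + ICMP_HEADER + IP_HEADER <= path_mtu


if __name__ == "__main__":
    # Constructed offline run: a path that passes IP packets up to 1400 bytes.
    found = find_working_payload("192.168.1.1", probe=simulated_path(1400))
    print(found, sizes_from_payload(found))
    # On a Windows host, drop the probe argument to issue real pings.
```

Because the search moves in 20-byte steps, the result can sit up to 19 bytes below the true limit, which errs on the safe side when choosing an MSS.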
After the appropriate maximum segment size is achieved, adjust it appropriately for the devices in use:
Note: If this does not resolve the issue on the router, issue the crypto ipsec df-bit clear command in order to set the Don't Fragment (DF) bit for the encapsulating header in tunnel mode on all interfaces. This also helps to resolve most of the application issues with IPSec over Generic Routing Encapsulation (GRE) tunnel interfaces.
Refer to these documents for more illustrative information on fragmentation and MSS: