Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
6746
Views
0
Helpful
0
Comments

The Microsoft Windows Active Directory replication fails across the VPN tunnel on the PIX/ASA firewall

TCC_2
Level 10
Level 10

‎06-22-2009 05:38 PM - edited ‎03-08-2019 06:26 PM

Core issue

During this issue, Site-to-Site VPN, which includes file copies, pinging, and the Remote Desktop Protocol (RDP), works on the PIX/ASA firewall. But, the Microsoft Windows Active Directory replication fails.

This issue potentially correlates to the TCP segment size.

Resolution

In order to resolve this issue, use the sysopt connection tcpmss command on both side of  VPN end-point devices.

This command ensures that the maximum TCP segment size does not exceed the set value and that the maximum is not less than a specified size.  For example:

hostname(config)#sysopt connection tcpmss 1200

Note: 1200 bytes works well as the value in most cases.

Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value specified by the sysopt connection tcpmss command, the security appliance overrides the maximum and inserts the specified value. If either maximum is less than the value specified by the sysopt connection tcpmss minimum command, the security appliance overrides the maximum and inserts the minimum value. The minimum value is actually the smallest maximum allowed. For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, the security appliance alters the packet to request 1200 bytes, the maximum. If another host requests a maximum value of 300 bytes, the security appliance alters the packet to request 400 bytes, the minimum.

The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default Maximum Transmission Unit (MTU) for the Ethernet. Refer to this calculation:

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

If the host or server does not request a maximum segment size, the security appliance assumes that the Request for Comments (RFC) 793 default value of 536 bytes is in effect.

If the maximum size is set to be greater than 1380, the packets can fragment. This behavior depends upon the MTU size, which is 1500 bytes by default. Large numbers of fragments can impact the performance of the security appliance when it uses the Frag Guard feature. Set the minimum size so that the TCP server does not send many small TCP data packets to the client and impact the performance of the server and the network.

Note: The default maximum value is 1380 bytes. The minimum feature is disabled by default, which means that it is set to zero.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents