I did some research on purposely reducing the MTU on an IPsec-enabled interface but must admit I can't see the benefit.
Here's the situation I have found:
ciscoasa/context1# sh run mtu
mtu outside 1450
mtu inside 1500
ciscoasa/context1# sh ipsec sa peer x.x.x.x | i mtu
path mtu 1450, ipsec overhead 58, media mtu 1500
I suppose the intent of lowering the MTU was to prevent fragmentation due to IPsec overhead, but I couldn't confirm that in my tests. For testing purposes, I have preserved the DF bit for outgoing packets by setting:
crypto ipsec df-bit copy-df outside
If I send a ping over the tunnel with "df-bit size 1398", it gets through, icmp reply is received ok.
If I send a ping over the tunnel with "df-bit size 1399", it gets dropped, ping fails.
Contrary to what I expected, not 1450 but 1398 proved to be the max size allowed through without fragmentation. It seems that the ASA - in addition to the lowered MTU - also takes the IPsec overhead into account to compute the max size. BTW, the resulting ESP (IPv4) packet is 1448 bytes, which indicates that the actual overhead is 50 bytes.
If I send a ping to an Internet host (outside my encryption domain), the result is predictable, with 1450 being the max size.
In both cases, the 50 bytes subtracted from the original MTU (1500) look like a loss to me, not a benefit.
If I revert the MTU on outside to 1500, I can send a ping with "df-bit size 1446" over the tunnel, but 1447 fails.
So what is the magic about reducing the MTU on the outside interface?
And why these discrepancies between the overhead declared (show ipsec sa) and the overhead found (MTU - max packet size)?
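Added example, not from the original post: a small model of ESP tunnel-mode encapsulation that reproduces the 1398/1399 and 1446/1447 boundaries above, showing where the 50-byte figure comes from and why the boundary moves with the outside MTU. It assumes 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV), IPv4 tunnel mode, and that the ping "size" is the full inner IPv4 packet length; none of this is stated in the post, and the 58 bytes reported by the ASA is not reproduced by this model (worst-case padding gives 57).

```python
# Constructed model of ESP (RFC 4303) tunnel-mode framing on an IPv4 outer header.
# Assumed SA parameters: 3DES-CBC (8-byte block, 8-byte IV), HMAC-SHA1-96 (12-byte ICV).
OUTER_IP_HDR = 20   # new IPv4 header prepended in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)


def esp_packet_size(inner_len, block=8, iv_len=8, icv_len=12):
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner_len-byte packet.

    CBC padding brings (inner packet + trailer) up to a multiple of the cipher block size,
    so the overhead is not constant: it is 50 bytes with no padding and up to 57 bytes.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def esp_overhead(inner_len, **kw):
    """Bytes added by encapsulation for this particular inner packet size."""
    return esp_packet_size(inner_len, **kw) - inner_len


def df_packet_passes(inner_len, outside_mtu, **kw):
    """With the DF bit copied to the outer header the ESP packet cannot be fragmented,
    so it must be dropped (ICMP 'fragmentation needed') once it exceeds the outside MTU."""
    return esp_packet_size(inner_len, **kw) <= outside_mtu


def max_df_payload(outside_mtu, **kw):
    """Largest inner packet that still fits the outside MTU after encapsulation."""
    return max(n for n in range(outside_mtu) if df_packet_passes(n, outside_mtu, **kw))


if __name__ == "__main__":
    for mtu in (1450, 1500):
        best = max_df_payload(mtu)
        print(f"mtu outside {mtu}: max DF inner size {best} -> ESP {esp_packet_size(best)} bytes "
              f"(overhead {esp_overhead(best)}); {best + 1} -> {esp_packet_size(best + 1)} bytes, dropped")
```

Running it prints 1398 (1448 bytes, overhead 50) for MTU 1450 and 1446 (1496 bytes) for MTU 1500; the next size up needs 7 bytes of padding and no longer fits.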
I know this thread is old, but I found it relevant to my question and hopefully Marvin or someone else can elaborate on the Windows Logon Enforcement behavior.
I find Cisco's explanations confusing. At first glance, "Single Local Logon" appears more restrictive compared to "Single Logon" because it is the default setting and because it mentions a local user only - both as opposed to "Single Logon". Yet, going through the "Single Logon" characteristics, I get the feeling that more restrictions apply there.
I was unsure what the author meant by "local user". Marvin's interpretation is clearer to me, but in my test I could establish a Remote Access VPN regardless of whether I was logged on to RDP via a local account or via domain authentication.
So I also checked whether there was any difference if I connect to the Windows machine via RDP or via a VMware console (although I realize the latter does not fulfill the purpose of a VPN session established from an RDP session). Again, no difference.
I hope someone can rephrase the feature description, especially by exposing the difference between its two settings. Thank you.
Source: AnyConnect Profile Editor, Preferences (Part 1)
Windows Logon Enforcement — Allows a VPN session to be established from a Remote Desktop Protocol (RDP) session. Split tunneling must be configured in the group policy. AnyConnect disconnects the VPN connection when the user who established the VPN connection logs off. If the connection is established by a remote user, and that remote user logs off, the VPN connection terminates.
Single Local Logon (Default)—Allows only one local user to be logged on during the entire VPN connection. Also, a local user can establish a VPN connection while one or more remote users are logged on to the client PC. This setting has no effect on remote user logons from the enterprise network over the VPN connection.
Single Logon—Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on, either locally or remotely, when the VPN connection is being established, the connection is not allowed. If a second user logs on, either locally or remotely, during the VPN connection, the VPN connection terminates. No additional logons are allowed during the VPN connection, so a remote logon over the VPN connection is not possible.
Gerald, have you (not) considered aggregating E0/0+E0/1 and E0/2+E0/3, one EtherChannel for data and the other for failover, with the data EtherChannel further divided into subinterfaces, one for outside, another for inside, a third for dmz1...?
Hi, I know this thread is old, but I did not find a more relevant one for my question and could not find any specific guidelines on cisco.com about using one dedicated interface for both failover and state vs. creating two subinterfaces, one for failover and the other for state.
In my setup, an EtherChannel (Gi0/4 + Gi0/5) is dedicated to both failover and state, and two L2 Catalyst stacks connected in series sit between the ASAs: ASA1=STACK1=STACK2=ASA2. In this setup the STACK ports facing the ASAs are regular access ports (with a dedicated VLAN present in the 802.1q trunk between the stacks).
Alternatively, I can imagine breaking down the EtherChannel interfaces into subinterfaces on the ASAs and converting the ASA=STACK links from access ports into trunks. But in the end, are there any practical advantages which would justify the slight configuration/management overhead?
Regards, Rafal
Gentlemen, while preparing a multihomed BGP-based setup for my customer, I ran into a dilemma: use a single clustered router or two routers?
Router [AB] stands for my customer's logical edge router, currently statically interconnecting the company's LAN, DMZ and internet. Router [AB] is built up of two physical units (A and B) assuring HA in Active-Active mode (it isn't from Cisco but is still IGP- and BGP-capable, and Cisco VSS might be the analogy here). It has ca. 750 MB RAM available. Apart from [AB], there are two older and out-of-service units with 512 MB total RAM, otherwise identical to [AB] - let's call them [CD]. They can be used or not at my discretion.
AS300 stands for the company's DMZ (with services available publicly). The MLS is a LAN core switch doing both switching and routing (collapsed two-tier LAN topology). This MLS is both IGP- and BGP-capable (Cisco Catalyst 4500-series).
In scenario 1, Router [AB] is an eBGP peer for both ISP1 and ISP2 as displayed here: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml#diag ("Router A" displayed there means [AB] in my scenario).
In scenario 2, the [AB] cluster is split into independent A and B units, having an eBGP session with SP-A and SP-B respectively. They are also running iBGP between themselves, as can be seen here: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#ebgpibgp
I have considered 2 variants of that scenario:
2a. Routers A and B run VRRP between them for both intranet (MLS) and DMZ.
2b. Routers A and B run iBGP with the MLS.
My plans and preferences are:
a) to request at least partial BGP updates from both ISPs,
b) to be able to load-balance both outbound and inbound internet traffic on both internet links,
c) to keep the MLS within the "campus block" (out of the company's edge block, following Cisco's ECNM guidelines, so to my understanding avoiding iBGP on it),
d) to keep the setup preferably simple for me and my substitute admin.
Following these preferences, I believe that scenario 1 is best suited. Owing to the HA nature of Router [AB], I cannot see any redundancy caveats, as usually associated with a single-router setup.
My questions are:
- am I missing any other attractive option with the hardware available?
- am I missing any pros and cons of the scenarios mentioned?
Will appreciate your opinions.
Cheers, Rafal