Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
876
Views
0
Helpful
2
Replies

Anyconnect and performace problem with new Internet service provider

l.buschi
Level 2
Level 2

‎09-04-2020 01:01 AM

Hi, 

I have 2 ASA5510 working perfectly from many years, connecting my LAN to Internet ISP-A.

My costumer changed ISP to ISP-B so I needed to change public addresses on outside interface and default route. No other changes were made.

After migration to ISP-B users get very often disconnected from anyconnect or the keep to be connected but loose many pings to my internal server while ASA is pingable from outisde.

Another issue costumer noticed is that from corporate LAN, opening web pages sometimes requires many seconds, this happen intermittently.

Could it be a MTU or tcp IMSS problem? 

What can I do?

Tks

Johnny

 

Labels:
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎09-04-2020 01:49 AM

> Could it be a MTU or tcp MSS problem?

 

yes, could be, but first I would check if the duplex-setting to the ISP-device is correct.

 

Not related to this: The ASA 5510 is EOL for a long time and has probably many unfixed security-bugs. You could replace it with a crossover-cable for similar security but reduced energy-consumption.

0 Helpful

l.buschi
Level 2
Level 2
In response to Karsten Iwen

‎10-06-2020 09:05 AM

Now I splitted my cluster and let one firewall work with the old connection while the other with the new.

The old connection doesn't have any problem, the new connection is very poor on performance and get may disconnections.

I checked all cable and LAN interface, no problem.

I tryed to modify anyconnect MTU with the following command inside the group policy:

webvpn

anyconnect mtu 1300

 

problem are the same.

what i notice is that TCPMSS is greater than MTU: 

 

np_svc_create_session(0x1BC000, 0xa970a080, TRUE)
webvpn_svc_np_setup
SVC ACL Name: NULL
SVC ACL ID: -1
vpn_put_uauth success for ip 10.21.230.169!
No SVC ACL
Iphdr=20 base-mtu=1500 def-mtu=1500 conf-mtu=1300
tcp-mss = 1380
path-mtu = 1380(mss)
TLS Block size = 0
mtu = 1380(path-mtu) - 0(opts) - 5(ssl) = 1375
mod-mtu = 1375(mtu) & 0x0(complement) = 0
tls-mtu = 0(mod-mtu) - 8(cstp) - 0(mac) - 1(pad) = 65527
computed tls-mtu=65527 dtls-mtu=0 conf-mtu=1300
overide computed tls-mtu=65527 with conf-mtu=1300
tls-mtu=1300 dtls-mtu=0
Legacy mode so default dtls mtu to tls mtu
SVC: adding to sessmgmt
Unable to initiate NAC, NAC might not be enabled or invalid policy
SVC: Sending response
Sending X-CSTP-Remote-Address-IP4: XXXXXXXX
Sending X-CSTP-Local-Address-IP4: XXXXXXXXX
Sending X-CSTP-DNS: 10.20.10.2
Sending X-CSTP-DNS: 10.10.67.41
Sending X-CSTP-Split-Include msgs: for ACL - SPLIT: Start
Sending X-CSTP-Split-Include: 10.0.0.0/255.224.0.0
Sending X-CSTP-Split-Include: 192.168.0.0/255.255.192.0
Sending X-CSTP-Split-Include: 172.16.1.0/255.255.255.0
Sending X-CSTP-MTU: 1300
Sending X-CSTP-FW-RULE msgs: Start
Sending X-CSTP-FW-RULE msgs: Done
Sending X-CSTP-Quarantine: false
Sending X-CSTP-Disable-Always-On-VPN: false
Sending X-CSTP-Client-Bypass-Protocol: false
CSTP state = CONNECTED

 

0 Helpful
Customers Also Viewed These Support Documents