
ASA 5512 L2TP VPN drops some packets

adm.malax
Level 1

Hello.

I am troubleshooting an issue and was hoping that someone could point me to the right direction, because I'm out of ideas.

We have ASA 5512 with 9.0(2) firmware version.

We have two types of remote access VPN setup:

1. AnyConnect VPN. Cisco AnyConnect Secure Mobility Client v3.1.03103, which works fine for most of the users except Windows 8. There are some well-known issues with that, and because of it we have a second type of VPN.

2. L2TP/IPSec VPN.

Split tunnel is set up for both VPNs. Users access internal resources over VPN and a couple of publicly available external hosts. The rest of the traffic goes via their usual default gateway.

Internal resources work 100% fine with both VPNs, but public resources...

There is a server somewhere outside which accepts packets only from our office source IP address. Because of that we route all packets to that server through the VPN and NAT them. There is a service on this remote server that listens on TCP port 7711. We connect to that port over HTTP, run predefined queries and it returns plain text results (it looks like a simple HTTP page without formatting).

It runs without any problems over AnyConnect VPN, but with L2TP VPN it fails, and it fails in a very interesting way:

Users can still ping that host. When they do tracert it shows that packets are routed via the VPN. They can telnet to that server IP and port 7711 and see the server's responses. The server's logs indicate that clients are connecting from the permitted source IP, hence NAT does work. They can run _some_ queries and they will be fine, but other queries fail.

From the user's perspective it looks like the server never responds and the request simply times out.

I've tried to capture packets on the ASA and as far as I can tell, on every query the remote server does send replies; they reach the ASA but never reach the VPN client. And I couldn't find a reason why the ASA drops them (if it drops them at all).

I can't explain why it's so selective and what the difference between two queries is: they are the same, and they return just one, sometimes more, lines of text.

Basically query looks like this: http://x.x.x.x:7711/log?comm=V&filter=!122872&n=50

I can't explain why it's affecting only L2TP VPN users. I thought it might be related to ASA access rules, but no, if it were it would've affected AnyConnect as well. Maybe the response size and packet fragmentation, but I can RDP to that server just fine. Not sure though if it proves anything.

As far as I can tell, the remote server is not behind NAT, but since it's not our infrastructure I can't tell for sure.

Any ideas will be appreciated. Thank you.

Accepted Solution

malshbou
Level 1

It looks like an MSS issue. Can you try reducing the MSS?

ASA(config)# sysopt connection tcpmss 1200

Regards.
Mashal Shboul
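Added example, not part of the thread: a small Python model of why full-size TCP segments fail inside L2TP/IPsec while short replies get through, and what an MSS clamp such as the tcpmss command above does to the SYN. The encapsulation overheads are assumed typical values for a Windows L2TP/IPsec client, not measurements from this ASA.

```python
import struct

ETH_MTU = 1500   # outer link MTU assumed for the client's path
IPV4_HDR = 20
TCP_HDR = 20

# Assumed per-layer overhead (ESP transport mode, AES-CBC + HMAC-SHA1-96).
# Real values depend on cipher, padding and NAT-T; these are illustrative.
L2TP_IPSEC_OVERHEAD = {
    "esp_header_and_iv": 8 + 16,    # SPI + sequence number, 16-byte AES IV
    "esp_padding_max": 15,          # worst-case CBC block padding
    "esp_trailer_and_icv": 2 + 12,  # pad length + next header, 96-bit ICV
    "udp": 8,                       # UDP 1701 carrying L2TP
    "l2tp": 8,                      # data header with length field
    "ppp": 4,                       # address/control + protocol
    "inner_ip": IPV4_HDR,
    "inner_tcp": TCP_HDR,
}

def max_tunnel_payload(outer_mtu=ETH_MTU, overhead=L2TP_IPSEC_OVERHEAD):
    """Largest TCP payload that still fits one outer packet unfragmented."""
    return outer_mtu - IPV4_HDR - sum(overhead.values())

def response_delivered(response_bytes, mss, outer_mtu=ETH_MTU):
    """The thread's symptom in miniature: the server fills segments up to the
    MSS it was offered; a segment larger than the tunnel can carry is lost,
    so short replies arrive and long ones time out."""
    return min(mss, response_bytes) <= max_tunnel_payload(outer_mtu)

def clamp_mss_in_syn(tcp_options, limit):
    """Rewrite the MSS option (kind 2, length 4) in raw TCP options bytes,
    the way an MSS clamp on the firewall rewrites the SYN/SYN-ACK so the
    server never sends segments bigger than `limit`."""
    out = bytearray(tcp_options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        length = out[i + 1]
        if kind == 2 and length == 4:
            (mss,) = struct.unpack_from("!H", out, i + 2)
            struct.pack_into("!H", out, i + 2, min(mss, limit))
        i += length
    return bytes(out)
```

With these assumed overheads an 80-byte reply crosses the tunnel at MSS 1460 but a multi-kilobyte one does not, and clamping the MSS to 1200 lets both through.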


I have the same symptoms with L2TP over IPsec RA VPN on ASA 5515-X (tried versions 9.0(2), 9.0(3), 9.1(2)). I can ping, traceroute and telnet to outside servers on ports from the Windows command line, but from any web browser I can't access sites. All IKEv1 and ESP SAs are installed correctly, NAT works.

"I've tried to capture packets on ASA and as far as I can tell, on every query remote server does send replies, they reach ASA, but never reach VPN client. And I couldn't get a reason why ASA drops them (if drops at all)." - absolutely the same issue.

Is it a bug?


Mashal, thanks a lot! It works!