
ASA VPN IPSec: MTU issue or CFG error?!

Hi,

I have a strange problem... If I establish an IPsec tunnel to an ASA, it comes up but only works if the packet is roughly under 150 bytes... if the packet size is exceeded, the ASA doesn't send it to the IPsec client. The size depends on the type of tunnel configured:

VPN client, ping -f -l xxx:
- IPsec over TCP: 152
- IPsec over UDP: 123
- No transport tunnelling: 115

debug icmp always reports the ping request and reply, but with packet sniffing on the outside VLAN I don't see a reply packet when I try with values higher than those given:

ping 'small':
22   3.748396   x.x.x.x   192.168.y.y   ESP   ESP  (SPI=0x7106d9e3) <- ping request
23   3.748884   192.168.y.y   x.x.x.x  ESP   ESP (SPI=0x05d0db4a) <- ping reply

ping 'big':
27   2.981950   x.x.x.x   192.168.y.y   ESP   ESP(SPI=0x7106d9e3) <- ping request missing ping reply!


The problem occurs with any protocol (TCP, UDP, ICMP), and comparing the configuration with another ASA did not show any notable differences.

The ASA is a 5505 with firmware 8.0(4) and IPsec microcode CNlite-MC-IPSECm-MAIN-2.05.

Thanks,

Arturo.
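The poster found the size limit by hand, stepping `ping -f -l <size>` up until replies stopped. The script below is an added example (not from this thread or from Cisco) that automates that search with a binary search over the payload size. The `simulated_tunnel` probe is a constructed stand-in that drops replies above a chosen payload size, so the script runs offline; `ping_probe` is an assumed wrapper around the platform's don't-fragment ping (`-f -l` on Windows, `-M do -s` on iputils) for use against a real tunnel endpoint.

```python
"""Find the largest ICMP payload that crosses a tunnel by binary search.

Added example, not code from the original thread. `probe(size)` returns True
when a don't-fragment ping with `size` bytes of payload gets a reply.
"""
import platform
import subprocess
from typing import Callable

# IPv4 header (20) + ICMP echo header (8): what `ping -l` / `-s` does not count.
ICMP_OVERHEAD = 28
# Largest payload that fits a 1500-byte Ethernet MTU without fragmentation.
DEFAULT_MAX_PAYLOAD = 1500 - ICMP_OVERHEAD


def simulated_tunnel(max_payload: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real tunnel: replies only when the payload
    is at or below `max_payload`, mimicking the dropped replies reported."""
    def probe(size: int) -> bool:
        return size <= max_payload
    return probe


def ping_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real probe (assumed CLI flags): one don't-fragment ping of `size` bytes.
    Windows ping uses -f (DF) and -l (size); iputils uses -M do and -s."""
    def probe(size: int) -> bool:
        if platform.system() == "Windows":
            cmd = ["ping", "-n", "1", "-f", "-l", str(size),
                   "-w", str(timeout_s * 1000), host]
        else:
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size),
                   "-W", str(timeout_s), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def find_max_payload(probe: Callable[[int], bool], lo: int = 0,
                     hi: int = DEFAULT_MAX_PAYLOAD, retries: int = 2) -> int:
    """Largest payload in [lo, hi] for which `probe` succeeds, or -1 if even
    `lo` fails. Each size is tried up to `retries` times so a single lost
    packet on a lossy path does not skew the result."""
    def ok(size: int) -> bool:
        return any(probe(size) for _ in range(retries))

    if not ok(lo):
        return -1
    # Invariant: `lo` is known to work; answer lies in [lo, hi].
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if ok(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def packet_size(payload: int) -> int:
    """Total IPv4 packet size on the wire for a given ICMP payload."""
    return payload + ICMP_OVERHEAD


if __name__ == "__main__":
    # Constructed demo: a tunnel that drops replies above 152 bytes of payload.
    limit = find_max_payload(simulated_tunnel(152))
    print(f"max payload {limit} bytes = {packet_size(limit)}-byte IP packet")
    # Against a real endpoint: find_max_payload(ping_probe("192.0.2.1"))
```

A limit in the low hundreds of bytes, as in this thread, is far below any real path MTU, so a result like that points at packet handling on the headend rather than at fragmentation; a result near 1400 is the usual ESP/UDP overhead and is expected.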

Cisco Employee

Re: ASA VPN IPSec: MTU issue or CFG error?!

This sounds very much like the following bug:

CSCsu26649    Large packets dropped with ip-comp enable configured

Can you confirm that you have "ip-comp enable" in your vpn config? If so, disable that and you should be ok.

Better yet, upgrade to 8.0(5).

hth

Herbert




Re: ASA VPN IPSec: MTU issue or CFG error?!

Thank you,

I struggled for several hours trying to determine whether there was some configuration problem, and when I tried it on another device I suspected it had something to do with the firmware. But I could not find a way to determine what had happened.... Among other things, the bug does not occur on older versions of the firmware.

Pending the update, I disabled the compression and now it works.

73

Arturo