Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1252
Views
0
Helpful
2
Replies

ASA VPN IPSec: MTU issue or CFG error?!

Go to solution
Arturo Bianchi
Level 1
Level 1

‎02-25-2010 08:48 AM - edited ‎02-21-2020 04:31 PM

Hi,

I have a strange trouble... If I established an IPSec tunnel vs an ASA, it goes up but only works if the packet +/- under 150 bytes ... if packet size exceeded, the ASA don't send it to IPSec client; The size is related to the type of configured tunnels:

VPNclient setupping -f -l xxx
IPSec over TCP152
IPSEC over UDP 123
No Transport Tunnelling 115

debug icmp report alway ping request and reply but with packet sniffing on outside vlan don't see a packet for reply when I try with higher values than those given:

ping 'small': 
22   3.748396   x.x.x.x   192.168.y.y   ESP   ESP  (SPI=0x7106d9e3) <- ping request 
23   3.748884   192.168.y.y   x.x.x.x  ESP   ESP (SPI=0x05d0db4a) <- ping reply 

ping 'big': 
27   2.981950   x.x.x.x   192.168.y.y   ESP   ESP(SPI=0x7106d9e3) <- ping request 
missing ping reply!


The problem occurs with any protocol (TCP, UDP, ICMP) and verifying the configuration with another ASA did not find notable differences.

The ASA is an 5505 with fw 8.0(4) and IPSec microcode  CNlite-MC-IPSECm-MAIN-2.05.

Thanks,

Arturo.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎02-25-2010 01:54 PM

This sounds very much like the following bug:

CSCsu26649    Large packets dropped with ip-comp enable configured

Can you confirm that you have "ip-comp enable" in your vpn config? If so, disable that and you should be ok.

Better yet, upgrade to 8.0(5).

hth

Herbert

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎02-25-2010 01:54 PM

This sounds very much like the following bug:

CSCsu26649    Large packets dropped with ip-comp enable configured

Can you confirm that you have "ip-comp enable" in your vpn config? If so, disable that and you should be ok.

Better yet, upgrade to 8.0(5).

hth

Herbert

0 Helpful

Go to solution
Arturo Bianchi
Level 1
Level 1
In response to Herbert Baerten

‎02-26-2010 12:03 AM

Thank you,

I am damned for several hours trying to determine if there was some configuration problem, and when I tried it on another device, I suspect that had anything to do the firmware. But I could not find means to determine what happened.... Among others, the bug does not occur on older versions of firmware .

Pending update, I disabled the compression and now works

73

Arturo

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents