03-20-2020 07:14 AM
Hi,
I am working on a Cisco 5500 offering Anyconnect remote VPN services to customers. For 1 particular case I am getting the following log message.
6 | Mar 10 2020 | 06:07:28 | 602101 | PMTU-D packet 1349 bytes greater than effective mtu 1280, dest_addr=1.1.1.1, src_addr=2.2.2.2, prot=UDP |
The destination sets a DF bit on its packets with MTU size larger than Anyconnect can support. To remedy that I have enabled "anyconnect ssl df-bit-ignore" with the group-policy. However, these MTU/Fragment errors still keep popping up. Not sure why the ASA is ignoring the df-bit-ignore. The user has logged off and back in for the change to take effect but still the same.
Here is the group-policy config:
group-policy GP internal
group-policy GP attributes
 wins-server none
 vpn-idle-timeout 480
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelspecified
 address-pools value Anyconnect_Pool
 ipv6-address-pools value Pool_V6
 webvpn
  anyconnect ssl dtls none
  anyconnect mtu 1300
  anyconnect profiles value dfltprofile type user
  anyconnect ssl df-bit-ignore enable
Is there anything I am missing that could still be causing the issue?
03-20-2020 12:29 PM
Hi,
Can you try setting the following, in order to affect both TLS and DTLS: "anyconnect mtu 1280"?
Regards,
Cristian Matei.
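To check whether the suggested change actually clears the condition, it helps to pull the 602101 events out of the ASA log and see, per destination, how large the offending packets are and what effective MTU the ASA reports. The script below is an added example, not code from the thread or from Cisco; the log lines in it are constructed in the ASDM log-viewer layout shown in the first post (a plain `%ASA-6-602101:` syslog line is handled the same way). It assumes, following the reply above, that the configured `anyconnect mtu` should be brought down to the lowest effective MTU the ASA itself reports, and returns that value as the candidate setting.

```python
import re
from collections import defaultdict

# Constructed sample log, ASDM log-viewer layout as pasted in the original post.
# Addresses are placeholders; the fourth line is an unrelated message to show filtering.
SAMPLE_LOG = """\
6 | Mar 10 2020 | 06:07:28 | 602101 | PMTU-D packet 1349 bytes greater than effective mtu 1280, dest_addr=1.1.1.1, src_addr=2.2.2.2, prot=UDP |
6 | Mar 10 2020 | 06:07:31 | 602101 | PMTU-D packet 1300 bytes greater than effective mtu 1280, dest_addr=1.1.1.1, src_addr=2.2.2.2, prot=UDP |
6 | Mar 10 2020 | 06:08:02 | 602101 | PMTU-D packet 1400 bytes greater than effective mtu 1280, dest_addr=3.3.3.3, src_addr=2.2.2.2, prot=TCP |
6 | Mar 10 2020 | 06:08:05 | 725001 | Starting SSL handshake with client outside:2.2.2.2/51234 for TLSv1.2 session. |
"""

# Message text of ASA syslog 602101 (PMTU-D packet too large for the tunnel's effective MTU).
PMTU_RE = re.compile(
    r"PMTU-D packet (?P<size>\d+) bytes greater than effective mtu (?P<mtu>\d+),"
    r" dest_addr=(?P<dst>[^,\s]+), src_addr=(?P<src>[^,\s]+), prot=(?P<proto>\w+)"
)


def parse_pmtu_events(text):
    """Return one dict per 602101 event found in the log text (other messages are skipped)."""
    events = []
    for line in text.splitlines():
        if "602101" not in line:
            continue
        m = PMTU_RE.search(line)
        if not m:
            continue
        # ASDM layout: "severity | date | time | msg-id | text |"; syslog layout has no timestamp columns.
        fields = [f.strip() for f in line.split("|")]
        when = f"{fields[1]} {fields[2]}" if len(fields) >= 5 else None
        events.append({
            "time": when,
            "size": int(m["size"]),
            "mtu": int(m["mtu"]),
            "dst": m["dst"],
            "src": m["src"],
            "proto": m["proto"],
        })
    return events


def summarize(events):
    """Per destination: event count, largest packet seen, lowest effective MTU and protocols involved."""
    per_dst = defaultdict(lambda: {"count": 0, "max_size": 0, "effective_mtu": None, "protos": set()})
    for e in events:
        s = per_dst[e["dst"]]
        s["count"] += 1
        s["max_size"] = max(s["max_size"], e["size"])
        s["effective_mtu"] = e["mtu"] if s["effective_mtu"] is None else min(s["effective_mtu"], e["mtu"])
        s["protos"].add(e["proto"])
    return dict(per_dst)


def recommended_anyconnect_mtu(events):
    """Lowest effective MTU the ASA reported, i.e. the candidate 'anyconnect mtu' value (assumption
    from the reply in this thread: the configured MTU should not exceed the reported effective MTU)."""
    if not events:
        return None
    return min(e["mtu"] for e in events)


if __name__ == "__main__":
    evs = parse_pmtu_events(SAMPLE_LOG)
    for dst, s in summarize(evs).items():
        print(f"{dst}: {s['count']} events, largest packet {s['max_size']} B, "
              f"effective MTU {s['effective_mtu']}, protocols {sorted(s['protos'])}")
    print("candidate anyconnect mtu:", recommended_anyconnect_mtu(evs))
```

Run it against an export from the ASDM log viewer or a syslog collector; if 602101 events keep appearing for the same destinations after the group-policy change, the reported effective MTU in the new events tells you whether the new `anyconnect mtu` value took effect for that session.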