Cisco Anyconnect Packet Fragment issue

Jay47110
Level 1

Hi,
I am working on a Cisco 5500 offering Anyconnect remote VPN services to customers. For 1 particular case I am getting the following log message.

6 | Mar 10 2020 | 06:07:28 | 602101 | PMTU-D packet 1349 bytes greater than effective mtu 1280, dest_addr=1.1.1.1, src_addr=2.2.2.2, prot=UDP

The destination sets a DF bit on its packets with an MTU size larger than Anyconnect can support. To remedy that, I have enabled "anyconnect ssl df-bit-ignore" in the group-policy. However, these MTU/fragment errors still keep popping up. Not sure why the ASA is ignoring the df-bit-ignore setting. The user has logged off and back in for the change to take effect, but it is still the same.

Here is the group-policy config:

group-policy GP internal
group-policy GP attributes
wins-server none
vpn-idle-timeout 480
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelspecified
address-pools value Anyconnect_Pool
ipv6-address-pools value Pool_V6
webvpn
anyconnect ssl dtls none
anyconnect mtu 1300
anyconnect profiles value dfltprofile type user
anyconnect ssl df-bit-ignore enable
Is there anything I am missing that could still be causing the issue?
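As an added example (not part of the thread), here is a small Python parser for the 602101 PMTU-D message quoted above. It groups the events per source/destination pair, so you can see whether a single host or flow is producing them and by how many bytes its packets exceed the effective MTU. The `%ASA-6-602101:` syslog prefix is assumed to be the standard ASA header, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Message body of ASA syslog 602101, in the form quoted in the post above.
# The "%ASA-6-602101:" prefix is the standard syslog header (assumed here).
PMTU_RE = re.compile(
    r"602101.*?PMTU-D packet (?P<size>\d+) bytes greater than effective mtu "
    r"(?P<mtu>\d+), dest_addr=(?P<dst>[0-9A-Fa-f:.]+), "
    r"src_addr=(?P<src>[0-9A-Fa-f:.]+), prot=(?P<proto>\w+)"
)

# Constructed sample log lines (addresses are placeholders, as in the post).
SAMPLE_LOG = [
    "%ASA-6-602101: PMTU-D packet 1349 bytes greater than effective mtu 1280, "
    "dest_addr=1.1.1.1, src_addr=2.2.2.2, prot=UDP",
    "%ASA-6-602101: PMTU-D packet 1400 bytes greater than effective mtu 1280, "
    "dest_addr=1.1.1.1, src_addr=2.2.2.2, prot=UDP",
    "%ASA-6-602101: PMTU-D packet 1300 bytes greater than effective mtu 1280, "
    "dest_addr=1.1.1.1, src_addr=3.3.3.3, prot=TCP",
    "Mar 10 2020 06:07:30 unrelated syslog line that the parser must skip",
]


def parse_pmtu_line(line):
    """Return the fields of one 602101 message, or None for any other line."""
    m = PMTU_RE.search(line)
    if not m:
        return None
    size, mtu = int(m["size"]), int(m["mtu"])
    # "excess" is how far the packet overshoots the effective tunnel MTU
    return {"size": size, "mtu": mtu, "excess": size - mtu,
            "src": m["src"], "dst": m["dst"], "proto": m["proto"]}


def summarize(lines):
    """Aggregate PMTU-D events per (src, dst): how often, and how large."""
    stats = defaultdict(lambda: {"count": 0, "max_size": 0, "effective_mtu": None})
    for line in lines:
        ev = parse_pmtu_line(line)
        if ev is None:
            continue  # not a 602101 message
        s = stats[(ev["src"], ev["dst"])]
        s["count"] += 1
        s["max_size"] = max(s["max_size"], ev["size"])
        s["effective_mtu"] = ev["mtu"]
    return dict(stats)
```

Run `summarize()` over a syslog export; a pair with a high count and a `max_size` well above `effective_mtu` is the flow to capture on, as suggested later in the thread.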

6 Replies

Cristian Matei
VIP Alumni

Hi,

Can you try setting the following, in order to affect both TLS and DTLS: "anyconnect mtu 1280"?

Regards,
Cristian Matei.

Thanks, will give it a go.

Maykol Rojas
Cisco Employee
For me, the documentation is a bit confusing in regards to the command. Would you be able to set the same command but put it to "disable"? Same thing, have the client disconnect, and then reconnect.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a2.html
Mike

Thanks for the reply.
"anyconnect ssl df-bit-ignore enable" is the correct command, because I have other users on the same group-policy for whom this command does take effect (I should have mentioned that in the main post), but there is one user on the same group policy for whom this command does nothing.

Jay,

You are absolutely right. Could be something with the machine itself? Like with the AC software? I would give it a shot and also take pre-post captures to see the behavior.
Mike

Hi Maykol,

That's what I thought, but the AC software is the same as for the other users. Will continue to investigate the PC.