09-18-2008 02:39 AM
Hi,
Since upgrading to version 8.04 (from 7.0 through 7.2...), we now have an issue connecting to certain services over our remote access VPN.
The problem manifests as being able to use SSH v1 to connect to hosts over the VPN, but not SSH v2. This is commonly down to MTU size issues. We are also having issues with other services (VMware VI Client, for example).
Working through some diagnostics, the following can be seen:
Using a Windows XP host, and connecting to the VPN using the Cisco VPN Client, 'ping -f -l 152 10.3.8.1' works, but 'ping -f -l 153 10.3.8.1' does not. Local MTU is 1300.
10.3.8.1 is the address of the ASA 5510 management interface, but this problem exists for any hosts on the management network.
This system is currently in test at our local network, so there is very little in between the client and server:
XP Client 192.168.3.175/20 <---> 192.168.1.254/20 ( Linux Firewall ) 82.108.63.253/25 <-----> 82.108.63.176/25 (ASA 5510)
Running 'tcpdump -n -i any host 82.108.63.176 and not port 53' on the Linux firewall shows that the return packets at size 153 are leaving the ASA device, delayed and fragmented, but are not correctly reassembled:
ping -n 1 -f -l 152 10.3.8.1:
11:17:46.224255 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 528:660(132) ack 977 win 65535
11:17:46.224289 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 528:660(132) ack 977 win 65535
11:17:46.225290 IP 82.108.63.176.10000 > 82.108.63.253.1105: . 977:1221(244) ack 660 win 65535
11:17:46.225348 IP 82.108.63.176.10000 > 192.168.3.175.1105: . 977:1221(244) ack 660 win 65535
ping -n 1 -f -l 153 10.3.8.1:
11:21:14.689728 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 2012:2144(132) ack 1801 win 65535
11:21:14.689765 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 2012:2144(132) ack 1801 win 65535
11:21:22.263653 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 2144:2260(116) ack 1801 win 65535
11:21:22.263688 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 2144:2260(116) ack 1801 win 65535
11:21:22.265601 IP 82.108.63.176.10000 > 82.108.63.253.1105: . 1801:1917(116) ack 2260 win 65535
11:21:22.265642 IP 82.108.63.176.10000 > 192.168.3.175.1105: . 1801:1917(116) ack 2260 win 65535
QUESTION: Why are the packets being fragmented at such a low size (152+28 = 180 byte MTU!), and what could be causing this?
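The probing in the post above (ping with DF set, raising the payload one byte at a time until it stops getting through) can be automated. The following is an added example, not code from the original poster: it binary-searches the largest DF-marked ICMP payload a path accepts and converts it to the on-the-wire MTU using the same 28-byte IP+ICMP header accounting the post uses. The host 10.3.8.1 and the 152/153 boundary come from the post; the function names, the pluggable probe, and the offline fake used for checking it are assumptions for illustration.

```python
"""Find the largest ICMP payload that crosses a path with DF set.

Added example (not from the original thread): automates the manual
'ping -f -l N' probing by binary-searching the payload size.  The probe
is a callable so the search can be exercised offline with a fake; the
real probe shells out to the platform's ping.
"""
import platform
import subprocess
from typing import Callable

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header


def ping_df(host: str, payload: int, timeout_s: int = 1) -> bool:
    """Return True if one DF-marked echo with `payload` data bytes is answered.

    Windows: 'ping -f' sets DF, '-l' is the payload size, '-w' is ms.
    Linux (iputils): '-M do' sets DF and refuses local fragmentation.
    Both exit non-zero when the probe is dropped or "needs to be fragmented".
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout_s + 2)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return res.returncode == 0


def largest_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary search for the biggest payload `probe` accepts in [lo, hi].

    Assumes monotonic behaviour: if size N fails, every size above N fails.
    Returns -1 when even `lo` fails (path broken, or DF packets always dropped).
    hi defaults to 1472 = 1500 - 28, the largest echo payload on plain Ethernet.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # mid fits: the answer is mid or larger
        else:
            hi = mid - 1    # mid is dropped: the answer is below mid
    return lo


def effective_mtu(max_payload: int) -> int:
    """Convert the largest passing ICMP payload to the path MTU (payload + 28)."""
    return max_payload + IP_HEADER + ICMP_HEADER


def discover(host: str) -> dict:
    """Probe a real host (needs network; not exercised offline)."""
    p = largest_payload(lambda n: ping_df(host, n))
    return {"host": host, "max_payload": p,
            "mtu": effective_mtu(p) if p >= 0 else None}


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python pmtu_probe.py 10.3.8.1
    print(discover(sys.argv[1] if len(sys.argv) > 1 else "10.3.8.1"))
```

Run it from the VPN client toward the management address; a result of 152 reproduces the symptom in the post (an effective MTU of 180 bytes), and a result near 1272 would be what you expect behind a 1300-byte client MTU. Note the search assumes DF-marked packets are either answered or silently dropped; a firewall that drops all ICMP will make it report -1 rather than an MTU.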
09-25-2008 01:55 AM
What are your firewall interface MTUs set at?
What is the TCP MSS set to in the firewall? The default is 1380.
REMEMBER the MSS is negotiated between "Client" and "Server"; typically it is the NIC MTU minus the IP and TCP headers, i.e. 1460.
The issue could be with the endpoint devices and NIC configuration - check that also.
HTH
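The reply above gives the plain-link rule (MSS = MTU minus the 40 bytes of IP and TCP headers, so 1460 on a 1500-byte NIC) and the ASA default tcp mss of 1380. The following added example, which is mine and not from the thread or from Cisco, goes one step further: it accounts for ESP tunnel-mode overhead (RFC 4303 framing: SPI, sequence number, IV, padding to the cipher block size, pad-length/next-header trailer, ICV, plus the outer IP header and the NAT-T UDP header) so you can compute the largest inner packet, and hence the MSS to clamp, that fits in a given outer MTU without the ASA having to fragment after encryption. The parameter sets, function names and worked values are assumptions for illustration.

```python
"""Work out which MTU and TCP MSS actually survive an IPsec tunnel.

Added example (not from the thread): extends "MSS = MTU - 40" with
ESP tunnel-mode overhead so the clamp can be derived instead of guessed.
"""
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8
ESP_SPI_SEQ = 8   # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    iv_len: int    # 8 for 3DES-CBC, 16 for AES-CBC
    block: int     # cipher block size: 8 for 3DES, 16 for AES
    icv_len: int   # 12 for HMAC-SHA1-96 / HMAC-MD5-96
    nat_t: bool    # UDP/4500 encapsulation adds a UDP header


# Assumed parameter sets for illustration (not taken from the poster's config).
AES_SHA1_NATT = EspParams(iv_len=16, block=16, icv_len=12, nat_t=True)
TDES_MD5 = EspParams(iv_len=8, block=8, icv_len=12, nat_t=False)


def tcp_mss(mtu: int) -> int:
    """MSS an endpoint advertises on a plain link: MTU minus IP and TCP headers."""
    return mtu - IPV4_HEADER - TCP_HEADER


def esp_packet_len(inner_len: int, p: EspParams) -> int:
    """Outer IPv4 length of an ESP tunnel-mode packet carrying `inner_len` bytes.

    Payload plus the 2-byte trailer is padded up to the cipher block size.
    """
    padded = -(-(inner_len + ESP_TRAILER) // p.block) * p.block   # ceil to block
    outer = IPV4_HEADER + ESP_SPI_SEQ + p.iv_len + padded + p.icv_len
    if p.nat_t:
        outer += UDP_HEADER
    return outer


def max_inner_len(outer_mtu: int, p: EspParams) -> int:
    """Largest inner (pre-encryption) packet whose ESP wrapping fits `outer_mtu`."""
    n = outer_mtu
    while n > 0 and esp_packet_len(n, p) > outer_mtu:
        n -= 1
    return n


def tunnel_mss(outer_mtu: int, p: EspParams) -> int:
    """TCP MSS to clamp so a full segment never needs post-encryption fragmentation."""
    return tcp_mss(max_inner_len(outer_mtu, p))


if __name__ == "__main__":
    for name, params in (("AES-CBC/SHA1 with NAT-T", AES_SHA1_NATT),
                         ("3DES-CBC/MD5", TDES_MD5)):
        for outer in (1500, 1300):
            print(f"{name:24s} outer MTU {outer}: inner max "
                  f"{max_inner_len(outer, params)}, clamp MSS to "
                  f"{tunnel_mss(outer, params)}")
```

For a 1500-byte outer MTU with AES-CBC, HMAC-SHA1-96 and NAT-T, the largest inner packet is 1422 bytes and the derived clamp is 1382, which is why the ASA's conservative 1380 default normally works. The numbers to compare against a real deployment are the client's tunnel MTU (1300 in the post) and whatever `sysopt connection tcpmss` is set to; if an observed fragmentation threshold is far below what this calculation gives, the cause is not the ESP overhead itself but something else on the path or in the crypto configuration.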
10-21-2008 09:57 AM
Hey,
I had the same issue. Try to disable ip compression on your crypto config.
It has solved my problem.
Take a look at this bug:
Hope it helps,
Rodrigo