Issues with passing Kerberos authentication through an IPsec tunnel with ASA

selva Kathir
Level 1

Hi All,

I am facing issues with passing Kerberos authentication through the IPsec VPN between my sites; it seems to be failing. The same setup seems to work with the MPLS VPN sites. I am having ASA as my VPN device.

Note: it is a new setup; it has not been working from the beginning, and there are no issues with the servers, since the same services are working fine through MPLS.


Thanks in advance ...

Selva ....

7 Replies

Marcin Latosiewicz
Cisco Employee

Selva, 

 

You might be running into the same old problem of fragmentation of large UDP packets. 

Can I suggest switching to TCP for Kerberos?

 

M.

Bravo Marcin !

Thanks for your immediate response. Can you tell me whether any changes are required on the ASA configuration to switch to TCP? Can you guide me on how this can be done?

It depends on your proxy IDs, but if you're tunneling IP and not UDP (or TCP?) only, there should not be any changes needed on the ASA side. ASA will decrease the MSS by default to something which should be viable to transport without fragmentation over IPsec.

Check:

show run all sysopt

Thanks Marcin again,

I have hardcoded the MSS value to 1200 on my device to be on the safer side; still the issue seems to remain. Can you suggest if anything else can be checked...

 

ASA# sh running-config all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1200
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside

 

So you changed the MSS, but did you switch to Kerberos over TCP? Did you look at a sniffer trace to see what's going on now?

 

M.
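The point behind the question above (an MSS clamp on the ASA does nothing for Kerberos over UDP, because `sysopt connection tcpmss` only rewrites the MSS option in TCP SYNs) can be checked with a few bytes of arithmetic. The script below is an added example, not code from the thread or from Cisco: it parses the `sysopt` output shape posted earlier for the tcpmss value, adds ESP tunnel-mode overhead to a full-MSS TCP segment and to a large Kerberos UDP reply, and reports which one exceeds the path MTU. The cipher sizes it assumes are AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV), IPv4, no NAT-T and a 1500-byte path MTU; the 1472-byte Kerberos payload is a constructed sample standing in for a TGS-REP that carries a large PAC.

```python
"""Added example (not from the thread or Cisco): why a TCP MSS clamp on the ASA
leaves Kerberos-over-UDP exposed to IPsec fragmentation.

Assumed (adjust to your proposal): ESP tunnel mode over IPv4, AES-CBC with a
16-byte IV and block, HMAC-SHA1-96 (12-byte ICV), no NAT-T, 1500-byte path MTU.
"""
import re

# Constructed sample with the same shape as the 'show running-config all sysopt'
# output posted in the thread; only the tcpmss lines matter here.
SYSOPT_OUTPUT = """\
no sysopt connection timewait
sysopt connection tcpmss 1200
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
"""

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2      # pad length + next header


def parse_tcpmss(text):
    """Return the configured 'sysopt connection tcpmss' clamp, or None."""
    m = re.search(r"^sysopt connection tcpmss (\d+)$", text, re.M)
    return int(m.group(1)) if m else None


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner IP
    packet of inner_len bytes. Padding aligns (inner + trailer) to the cipher
    block size; NAT-T inserts a UDP header between the outer IP and ESP."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len
            + inner_len + pad + ESP_TRAILER + icv_len)


def will_fragment(inner_len, path_mtu=1500, **esp):
    """True if the encrypted packet exceeds the path MTU, so the ASA must
    fragment it (or drop it when the inner packet has DF set)."""
    return esp_tunnel_size(inner_len, **esp) > path_mtu


def max_inner_len(path_mtu=1500, **esp):
    """Largest inner IP packet that still fits in one outer packet."""
    n = path_mtu
    while esp_tunnel_size(n, **esp) > path_mtu:
        n -= 1
    return n


def tcp_segment_len(mss):
    """Inner IP packet size of a full-MSS TCP segment without options."""
    return IPV4_HDR + TCP_HDR + mss


def udp_datagram_len(payload):
    """Inner IP packet size of a UDP datagram with the given payload."""
    return IPV4_HDR + UDP_HDR + payload


def assess(sysopt_text, kerberos_udp_payload, path_mtu=1500, **esp):
    """Compare a full-MSS TCP segment with a Kerberos UDP reply of
    kerberos_udp_payload bytes behind the ASA's MSS clamp."""
    mss = parse_tcpmss(sysopt_text)
    return {
        "tcpmss": mss,
        # the clamp rewrites the MSS option in TCP SYNs only; UDP has no MSS
        "tcp_fragments": (will_fragment(tcp_segment_len(mss), path_mtu, **esp)
                          if mss else None),
        "udp_fragments": will_fragment(udp_datagram_len(kerberos_udp_payload),
                                       path_mtu, **esp),
        "max_udp_payload": max_inner_len(path_mtu, **esp) - IPV4_HDR - UDP_HDR,
    }


if __name__ == "__main__":
    # A 1472-byte UDP payload fills a 1500-byte MTU exactly; after ESP it no
    # longer fits, while the 1200-byte MSS keeps TCP well under the MTU.
    print(assess(SYSOPT_OUTPUT, kerberos_udp_payload=1472))
```

With the assumed cipher sizes, the 1200-byte MSS gives a 1304-byte outer packet (no fragmentation), while the 1472-byte UDP reply becomes 1560 bytes and must be fragmented; anything above about 1410 bytes of UDP payload fragments on this path. Whether Kerberos uses TCP is decided by the client's Kerberos library rather than by the ASA (MIT krb5's `udp_preference_limit` in krb5.conf, the `MaxPacketSize` Kerberos parameter on Windows), and RFC 4120 requires KDCs to accept TCP on port 88, so the transport change is made on the client side and the ASA only needs to permit TCP/88 through the tunnel.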

Cheers Marcin, thanks again. I will try this out and post in this forum. Can you confirm one more thing: if I change these TCP settings only on the client side, will it do the job for me?