Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5726
Views
10
Helpful
7
Replies

MTU Size DTLS 1.2

gaigl
Level 3
Level 3

‎01-01-2019 10:57 PM

Hello,

 

I've updatet our ASA to 9.10.1 and the anyconnect-client to 4.7.00136, now I receive a lot of messages: 

 

the connections are working and I don't see any drops, but it's annoying.

 

Does anyone know about this or what Vlue to set?

Received large packet 1406 (threshold 1390)

 

5 people had this problem
Labels:
0 Helpful
7 Replies 7

Mohammed al Baqari
Level 11
Level 11

‎01-01-2019 11:15 PM

Hi,

I am not sure if the default value changed in version 9.10 or you changed
it manually but the default MTU in earlier version is 1406 bytes.

Anyway the bigger MTU the better as long as you aren't hitting
fragmentation threshold and the VA will use the lower value between
physical NIC and ASA setting.

Do one thing, change the value on ASA CLI as below.

group-policy custom_group_policy attributes

webvpn

anyconnect mtu 1420
0 Helpful

gaigl
Level 3
Level 3
In response to Mohammed al Baqari

‎01-01-2019 11:47 PM

Hi Mohammed,

 

that didn't change something, the MTU Size was the default of 1406, I've changed to 1420 and the messages still appear.

I think I need to change the treshold, or not?

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to gaigl

‎01-02-2019 12:11 AM

Apologize, I copied this from my notes without changing the value. It should be as

group-policy custom_group_policy attributes
webvpn
anyconnect mtu 1320

You can start from higher value and keep lower it until the message disappear. Other ways of changing it include changing MSS value which isn't something I prefer.
0 Helpful

monty.muth
Level 1
Level 1
In response to Mohammed al Baqari

‎02-22-2019 08:44 AM

Doesn't work. ASA 9.10.1(7) anyconnect-client 4.7.00136 with DTLS 1.2. DPD is on default (30s/30s)

Received large packet 1336 (threshold 1320)

ccubeman
Level 1
Level 1
In response to monty.muth

‎02-23-2019 06:12 PM

Can confirm. No mtu value will resolve the ‘large packet’ message with 9.10.1.7 and client 4.7.00136.

Kidney
Level 1
Level 1
In response to ccubeman

‎08-28-2019 03:19 PM

Was this ever resolved?

 

I have this exact issue. No matter what I set the MTU to.. it's always 16 bytes too large.

0 Helpful

Kurena09
Cisco Employee
Cisco Employee
In response to Kidney

‎12-03-2019 01:48 PM

It's probably a little late, but there is one bug that is responsible of those logs when the packets always exceed the threshold for 16 bytes:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp07143

"

When using AnyConnect 4.7.x (which supports DTLS v1.2) connecting to ASA 9.10.x/9.12.x, ....the ASA is replying to AnyConnect oMTU DPD packets with DPD responses of a different size (16 bytes larger than the DPD request).

The ASA responses are unexpected, as AnyConnect expects a DPD reply from the ASA to be the same size packet as sent by AnyConnect. This is specific to AES-GCM. AES-GCM is the default encryption for DTLS1.2."

0 Helpful
Customers Also Viewed These Support Documents