04-23-2014 12:10 PM
Hi everyone,
We have a 3rd party vendor at our site and he is connecting to his company network via our Internet ASA.
He uses the Nortel VPN client to connect to his office network on ports 10001 and 500.
He can connect fine and access all the resources.
The issue is with email: the vendor's Exchange server was trying to send a large packet (>1400 bytes) to his laptop, but the packet does not go through. It eventually fails and times out the connection. We did a ping test while the user was connected to the VPN: he was able to ping with a 1350-byte packet, but when he tried a ping with a 1450-byte packet they all failed.
When user is at his home and uses same VPN he can access the emails from the exchange server fine.
On the ASA I see that it only shows the user connected on ports 10001 and 500.
Is there any way that I can increase the maximum MTU for his connection on my Internet ASA?
04-23-2014 12:21 PM
Mahesh,
We typically try to have clients set their system MTU lower.
This is so that once their own VPN and any local ASA are finished adding their overhead bits, the left over portion is all theirs to fill up as they need.
04-23-2014 04:30 PM
Hi Marvin,
So you mean to say that the user can lower the MTU size on his PC? What value should he lower it to?
But same user when he is at his home he can connect to his office VPN and he has no issues.
Regards
Mahesh
04-23-2014 04:11 PM
Please apply this command on the ASA:
sysopt connection tcpmss 1300
crypto ipsec df-bit clear-df outside
Ask user to disconnect and reconnect and try.
Let me know if this helps.
Vishnu
04-23-2014 04:38 PM
Hi Vishnu,
I can do this tomorrow as user is gone for the day now.
If I configure the above commands, will that cause any issue to existing connections to the ASA?
Regards
Mahesh
04-23-2014 04:40 PM
It is not going to cause any issues because these are mainly for the VPN connection.
04-23-2014 04:45 PM
Hi Vishnu,
I ran the command
sh run all | inc 1380
sysopt connection tcpmss 1380
Seems current MTU max size is 1380.
Regards
Mahesh
04-23-2014 05:25 PM
Do not confuse this with MTU.
Please refer to this document to understand the relevance of this command: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82444-fragmentation.html
Vishnu
04-24-2014 10:21 AM
Hi Vishnu,
I tried the above config and it does not make any difference.
The user is able to connect to Outlook but unable to download any emails.
So the next thing I asked the user to do is decrease the MTU size on his PC.
Is there anything else I can try?
Regards
Mahesh
04-26-2014 01:48 AM
You can also try MSS clamping with 'ip tcp adjust-mss 1300' or less on the ASA WAN interface.
Regards,
David
04-26-2014 08:40 AM
Hi David,
Here is the setup:
User PC--ASA1---ASA2-----ASA3-----cloud----------Vendor's VPN ASA.
Should I configure this command on ASA1?
I can test this on Monday.
Regards
Mahesh
04-27-2014 08:49 AM
Hi Mahesh,
I went through the post from top to end, and I find that lowering the PC's MTU is the best solution to the problem.
As the vendor installed ezVPN on his PC, the traffic is protected by encryption, and MSS clamping has no way to see the clear text of that traffic.
This problem was caused by the ASA or another intermediate device blocking 'ICMP type 3', so PMTUD between PC and server fails: all packets bigger than the path MTU get dropped, and the client and server do not recognize the issue because they never receive an ICMP 'fragmentation needed but DF bit set'.
By lowering the PC's MTU, you indirectly decrease the TCP MSS, so the PC sends mail packets at a smaller size, below the path MTU.
Regards,
David
Please rate useful post
04-27-2014 10:11 AM
Hi David,
How can I check which device is blocking ICMP type 3?
Also, on Monday I will ask the user to decrease the MTU size on his PC and see how it goes.
Also, when you say path MTU, does it mean 1380?
Regards
Mahesh
04-28-2014 01:06 PM
Hi David,
I looked at the packet capture between the user PC and the Exchange server;
I see a lot of TCP retransmissions.
Regards
Mahesh
04-28-2014 06:27 PM
Hi Mahesh,
This issue was caused by IP packets (DF bit set to 1) larger than an intermediate router's outgoing interface MTU, so TCP retransmits the dropped segments after a timeout.
You can run 'ping "exchange server ip" -f -l xxxx' on the PC to get the maximum path MTU size. For example, first try xxxx=1500; if not ok, then try 1300; if ok, try 1400... until you get the maximum.
Regards,
David
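To make David's two points concrete (the PMTUD black hole caused by filtered ICMP type 3 in his 04-27 post, and the 'ping -f -l' search in the post above), here is a small constructed model added to this thread; it is not code from any participant or from Cisco. It simulates a path whose bottleneck MTU is below the endpoints' 1500 and whose first firewall drops ICMP "fragmentation needed" messages. The hop names, their MTUs and the 1400-byte bottleneck are assumptions chosen to match the thread's symptom (1350-byte pings pass, 1450-byte pings fail); the header sizes are standard IPv4/ICMP/TCP values.

```python
"""Constructed model of the black-hole scenario from this thread: a path whose
bottleneck MTU is smaller than the endpoints' 1500, with a firewall that drops
ICMP type 3 code 4 ("fragmentation needed, DF set"). It shows why PMTUD fails,
how a 'ping -f -l N' search still finds the usable size, and what MSS follows.
Hop names, MTUs and the 1400-byte bottleneck are assumptions, not from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HEADER = 20      # IPv4 header, no options
ICMP_HEADER = 8     # echo request header; 'ping -l N' puts N data bytes after it
TCP_HEADER = 20     # TCP header, no options, so MSS = MTU - 40


@dataclass
class Hop:
    name: str
    mtu: int                         # outgoing-interface MTU of this hop
    blocks_icmp_type3: bool = False  # does this hop filter ICMP unreachables on the way back?


class Path:
    def __init__(self, hops: List[Hop]):
        self.hops = hops

    def send(self, size: int, df: bool = True) -> Tuple[bool, Optional[int]]:
        """Forward one IP datagram of `size` bytes. Returns (delivered, icmp_mtu_hint).
        icmp_mtu_hint is the next-hop MTU carried in the ICMP type 3 code 4 message,
        or None when no such message reached the sender."""
        for i, hop in enumerate(self.hops):
            if size <= hop.mtu:
                continue
            if not df:
                continue  # DF clear: the hop fragments and forwards (fragments modelled as fitting)
            # DF set and too big: drop, then send ICMP type 3 code 4 back toward the source.
            # Any earlier hop that filters ICMP unreachables eats the message.
            if any(h.blocks_icmp_type3 for h in self.hops[:i]):
                return False, None
            return False, hop.mtu
        return True, None


def pmtud(path: Path, start: int = 1500, max_rounds: int = 10) -> Optional[int]:
    """RFC 1191 style discovery: send DF packets, shrink to each ICMP hint.
    Returns the path MTU, or None when the sender never hears back (black hole):
    TCP then retransmits the oversized segments until the connection times out."""
    size = start
    for _ in range(max_rounds):
        ok, hint = path.send(size, df=True)
        if ok:
            return size
        if hint is None:
            return None
        size = hint
    return None


def probe_max_payload(path: Path, lo: int = 0, hi: int = 1472) -> int:
    """Binary-search equivalent of repeating 'ping <host> -f -l N' with different N:
    the largest ICMP payload delivered with DF set. It works even when ICMP type 3
    is filtered, because it only needs echo replies. On the wire N costs N+28 bytes."""
    ok, _ = path.send(lo + IP_HEADER + ICMP_HEADER, df=True)
    if not ok:
        raise ValueError("even the smallest probe fails; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        ok, _ = path.send(mid + IP_HEADER + ICMP_HEADER, df=True)
        if ok:
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_for_path_mtu(pmtu: int) -> int:
    """Largest TCP payload per segment that fits the path MTU (IPv4, no options)."""
    return pmtu - IP_HEADER - TCP_HEADER


def tcp_segment_passes(path: Path, mss: int) -> bool:
    """Would a full-sized segment sent under this MSS survive the path with DF set?"""
    ok, _ = path.send(mss + IP_HEADER + TCP_HEADER, df=True)
    return ok


def make_path(asa_blocks_icmp: bool) -> Path:
    # Assumed topology: PC-side ASA (1500), cloud (1500), vendor VPN hop whose
    # effective MTU after tunnel overhead is 1400. All values are constructed.
    return Path([
        Hop("asa1", 1500, blocks_icmp_type3=asa_blocks_icmp),
        Hop("cloud", 1500),
        Hop("vendor-vpn", 1400),
    ])


if __name__ == "__main__":
    broken = make_path(asa_blocks_icmp=True)
    healthy = make_path(asa_blocks_icmp=False)
    print("PMTUD with ICMP type 3 filtered:", pmtud(broken))   # None: black hole
    print("PMTUD with ICMP type 3 allowed :", pmtud(healthy))  # 1400
    max_payload = probe_max_payload(broken)                    # 1372
    print("largest 'ping -f -l' payload:", max_payload)
    pmtu = max_payload + IP_HEADER + ICMP_HEADER
    print("path MTU:", pmtu, "-> usable MSS:", mss_for_path_mtu(pmtu))
    print("segments at MSS 1380 pass:", tcp_segment_passes(broken, 1380))  # False
    print("segments at MSS 1300 pass:", tcp_segment_passes(broken, 1300))  # True
```

The model shows the mechanism rather than any real measurement: with ICMP type 3 filtered, `pmtud` returns None because the sender gets no feedback, which is the retransmit-then-timeout pattern seen in the capture; the echo-based probe still converges on the usable size because it needs only echo replies. Since the end-to-end TCP headers ride inside the IPsec tunnel, the size that matters is the one the PC itself emits, which is why lowering the PC's MTU (and with it its MSS) fixes the symptom while an MSS clamp on an intermediate ASA cannot.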