Reduce MTU size for AnyConnect Client when connecting to Router

Rene Mueller
Level 5

Hello,

 

we have AnyConnect 4.7.x running on our Windows clients. They connect to a 29xx Series Router in our branch office via IPSec VPN. However, the clients' AnyConnect Virtual Adapter (VA) MTU size is set to 1406, which causes problems. When we change the MTU setting for this VA via the netsh command, the problem is fixed.

 

Now my question is: can I set up something on the IOS router so that the MTU size of the AnyConnect VA on the client will be set to a specific value whenever they connect to the router? Or can I maybe set this up in the XML profile?

 

Or any other idea how I can get this done without manually setting the MTU value on the client.

 


 

Thanks,

René

7 Replies

Hi,

I assume you are using a FlexVPN configuration on your router? You can define the MTU on the virtual-template, e.g.:

 

interface Virtual-Template1 type tunnel
ip mtu 1400

 HTH

Hello,

 

yes, using FlexVPN. I made a change to the virtual-template, but it did not change the MTU on my client, as it is still 1406 after connecting to the router.

 

This is what I setup:

 

interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 ip tcp adjust-mss 1352
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile_AnyConnect

And this is the sh interface:

 

 Virtual-Template2 is up, line protocol is down
  Hardware is Virtual Template interface
  Interface is unnumbered. Using address of GigabitEthernet0/0 (41.164.55.132)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - no IPv4 tunnel destination address
  Tunnel source UNKNOWN
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-profile_AnyConnect")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 18w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

I am confused that the interface shows 1500 bytes for the tunnel mtu.

 

Any other idea?

Hi,

 

   1. Read more here on the AnyConnect MTU functionality (per DTLS and TLS, and the difference between what's configured and what's used, where the physical NIC MTU plays a role): https://community.cisco.com/t5/security-documents/the-importance-of-understanding-mtu-value-in-anyconnect-vpn/ta-p/3164026

   2. You could deploy a script to the end systems to set the MTU, if this fixed your problem.

   3. Your experience may vary based on the IOS, but the Virtual-Template, being just a template, should remain with an MTU of 1500 and the configured MTU should show up on Virtual-Access derived interfaces for each new client session coming up.

 

Regards,

Cristian Matei.

    

Hello Cristian Matei,

 

thank you for this link. It gives a good overview. However, I still don't get what is wrong in my setup, as the virtual tunnel still does not have the MTU that it should have :-(

 

router#sh int virtual-access 12
Virtual-Access12 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of GigabitEthernet0/0 (1.2.3.4)
  MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template2
  Vaccess status 0x4, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 1.2.3.4, destination 5.6.7.8
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1422 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-profile_AnyConnect")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 14:18:29
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     274327 packets input, 62501835 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     295410 packets output, 198153680 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

 

In your link they are talking about "AnyConnect VA gets its MTU value from SSL Server (ASA or IOS. We will focus more on ASA). The default value is 1406-bytes...". So the question is still open: how can I set the MTU on the Windows client VA via router settings? Or is the only solution to run a script on the Windows machine?


Sorry that I have to ask twice, as I am not the crypto expert :-/

 

René

Hi,

 

   1. What is your exact problem with MTU of 1406? And to what value are you configuring it manually to fix the problem?

   2. There is a difference between the configured AC VA MTU and the used/negotiated AC VA MTU.

   3. If you look closer, the Virtual-Access interface on the router shows a non-1500 MTU, as expected, and it's not really based on your configuration but rather an automatic calculation based on the overhead:

 

Tunnel transport MTU 1422 bytes

Regards,

Cristian Matei.

Hello Cristian,

 

let me explain the situation.

 

Some users are having this problem, but not all users. Maybe it has something to do with the ISP they use at home. If they work from home and have AC started, they cannot connect to Windows shared folders (mapped network drives), and Cisco Jabber cannot connect to its CallManager for registration. So what I did was first reduce the AC VA MTU to 1300, and everything started working immediately. Then I did some testing with the mturoute tool, and it turned out that file shares and Jabber registration work with a max MTU value of 1352. That's why I need to reduce the default MTU value of 1406. All other interface MTU values on this computer are set to the default of 1500.

 

René

Hi,

 

    What you're looking for is a hardcoding of the AnyConnect VA MTU, from the default of 1406 to 1300; this can only be done manually or scripted. The VPN headend can only influence the MTU for that session, but not the hardcoded MTU of the AnyConnect VA, which is in the end used by AC to detect the correct MTU for that session. It's a chicken-and-egg issue.

 

Regards,

Cristian Matei.
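A scripted version of the client-side fix the thread ends up recommending, as an added example that is neither from the thread nor from Cisco: it finds the AnyConnect Virtual Adapter by driver description, applies the MTU the original poster measured with mturoute (1352) using the same netsh command the poster used by hand, and verifies the result. Assumptions: the adapter's description contains "AnyConnect", the VPN session is up when the script runs (the VA is typically disabled while disconnected), the script runs in an elevated PowerShell, and the 576-1500 sanity range is an arbitrary guard, not a value from the thread.

```powershell
# Added example, not from the thread: pin the AnyConnect Virtual Adapter (VA) MTU on Windows.
# Assumptions: the VA's driver description contains "AnyConnect", the VPN session is up
# (the VA is usually disabled while disconnected), and this runs in an elevated PowerShell.
param(
    [ValidateRange(576, 1500)]                  # sanity guard only; range is an assumption
    [int]$Mtu = 1352,                           # largest value that worked in the poster's mturoute test
    [string]$DescriptionPattern = '*AnyConnect*'
)

# Find the VA by its driver description; the interface alias differs from machine to machine.
$adapters = @(Get-NetAdapter | Where-Object { $_.InterfaceDescription -like $DescriptionPattern })
if ($adapters.Count -ne 1) {
    Write-Error "Expected exactly one adapter matching '$DescriptionPattern', found $($adapters.Count)."
    exit 1
}
$alias = $adapters[0].Name

# Read the effective IPv4 MTU before changing anything (NlMtu is what the stack actually uses).
$before = (Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4).NlMtu
Write-Host "'$alias': current IPv4 MTU $before, requested $Mtu"
if ($before -eq $Mtu) {
    Write-Host 'Nothing to do.'
    exit 0
}

# Same mechanism the original poster used manually; store=persistent keeps it across reboots.
netsh interface ipv4 set subinterface "$alias" mtu=$Mtu store=persistent | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "netsh failed (exit code $LASTEXITCODE); run this from an elevated prompt."
    exit $LASTEXITCODE
}

# Verify the change took effect instead of trusting netsh's 'Ok.' banner.
$after = (Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4).NlMtu
if ($after -ne $Mtu) {
    Write-Error "MTU on '$alias' is $after, expected $Mtu."
    exit 1
}
Write-Host "MTU on '$alias' set to $after."
```

Because the VA only exists while a session is up, the script is best run after connecting (for example from a scheduled task triggered on the VPN adapter coming up) rather than at logon.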