03-31-2020 08:04 AM - edited 03-31-2020 08:08 AM
Hello,
we have AnyConnect 4.7.x running on our Windows clients. They connect to a 29xx Series Router in our branch office via IPsec VPN. However, the clients' AnyConnect Virtual Adapter (VA) MTU size is set to 1406, which causes problems. When we change the MTU setting for this VA via the netsh command, the problem is fixed.
Now my question is, can I set up something on the IOS router so that the MTU size of the AnyConnect VA on the client will be set to a specific value whenever they connect to the router? Or can I maybe set this up in the XML profile?
Or any other idea how I can get this done without manually setting the MTU value on the client?
Thanks,
René
03-31-2020 08:42 AM
Hi,
I assume you are using a FlexVPN configuration on your router? You can define the MTU on the virtual-template, e.g.:
interface Virtual-Template1 type tunnel
ip mtu 1400
HTH
04-01-2020 01:11 AM
Hello,
yes, using FlexVPN. I did a change to the virtual-template, but it did not change the MTU on my client, as it is still 1406 after connecting to the router.
This is what I set up:
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 ip tcp adjust-mss 1352
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile_AnyConnect
And this is the sh interface:
Virtual-Template2 is up, line protocol is down
  Hardware is Virtual Template interface
  Interface is unnumbered. Using address of GigabitEthernet0/0 (41.164.55.132)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - no IPv4 tunnel destination address
  Tunnel source UNKNOWN
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-profile_AnyConnect")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 18w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
I am confused that the interface shows 1500 bytes for the tunnel MTU.
Any other idea?
04-01-2020 02:57 AM
Hi,
1. Read more here on the AnyConnect MTU functionality (per DTLS and TLS, and the difference between what's configured and what's used, where the physical NIC MTU plays a role): https://community.cisco.com/t5/security-documents/the-importance-of-understanding-mtu-value-in-anyconnect-vpn/ta-p/3164026
2. You could deploy a script to the end systems to set the MTU, if this fixed your problem.
3. Your experience may vary based on the IOS, but the Virtual-Template, being just a template, should remain with an MTU of 1500 and the configured MTU should show up on Virtual-Access derived interfaces for each new client session coming up.
Regards,
Cristian Matei.
04-01-2020 01:28 PM
Hello Cristian Matei,
thank you for this link. That gives a good overview. However, I still don't get what is wrong in my setup, as the virtual tunnel still does not have the MTU that it should have :-(
router#sh int virtual-access 12
Virtual-Access12 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of GigabitEthernet0/0 (1.2.3.4)
  MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template2
  Vaccess status 0x4, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 1.2.3.4, destination 5.6.7.8
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1422 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-profile_AnyConnect")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 14:18:29
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     274327 packets input, 62501835 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     295410 packets output, 198153680 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
In your link they are talking about "AnyConnect VA gets its MTU value from SSL Server (ASA or IOS. We will focus more on ASA). The default value is 1406-bytes...". So the question is still open: how can I set the MTU on the Windows client VA via router settings? Or is the only solution to run a script on the Windows machine?
Sorry that I have to ask twice, as I am not the crypto expert :-/
René
04-02-2020 12:33 AM
Hi,
1. What is your exact problem with MTU of 1406? And to what value are you configuring it manually to fix the problem?
2. There is a difference between the configured AC VA MTU and the used/negotiated AC VA MTU.
3. If you look closer, the Virtual-Access interface on the router shows a non-1500 MTU, as expected, and it's not really based on your configuration; rather, it's an automatic calculation based on the overhead:
Tunnel transport MTU 1422 bytes
Regards,
Cristian Matei.
04-03-2020 12:21 AM
Hello Cristian,
let me explain the situation.
Some users are having this problem, but not all users. Maybe it has something to do with the ISP they use at home. If they work from home and have AC started, they cannot connect to Windows shared folders (mapped network drives), and Cisco Jabber cannot connect to its CallManager for registration. So what I did was, I first reduced the AC VA MTU to 1300 and everything started working immediately. Then I did some testing with the mturoute tool, and it turned out that file shares and Jabber registration work with a max MTU value of 1352. That's why I need to reduce the default MTU value of 1406. All other interface MTU values on this computer are set to the default of 1500.
René
04-05-2020 06:15 AM
Hi,
What you're looking for is a hardcoding of the AnyConnect VA MTU, from the default of 1406 to 1300; this can only be done manually or scripted. The VPN headend could only influence the MTU for that session, but not the hardcoded MTU of the AnyConnect VA, which is in the end used by AC to detect the correct MTU for that session. It's a chicken-and-egg issue.
Regards,
Cristian Matei.
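Both the suggestion above to deploy a script to the end systems and the closing reply (the MTU can only be pinned manually or scripted) point at the same client-side fix. The script below is an added example, not code from the thread or from Cisco; it assumes the AnyConnect VA can be found by the substring "AnyConnect" in its adapter description, uses the 1352 value measured in the thread, and assumes the persistent setting survives reconnects, which the thread does not confirm.

```powershell
# Added example: pin the AnyConnect virtual adapter (VA) IPv4 MTU on a Windows client.
# Assumptions: the VA is matched by "*AnyConnect*" in InterfaceDescription (hypothetical
# pattern, adjust if your adapter reads differently); 1352 is the value found with mturoute
# in the thread. Run elevated.
param(
    [int]$TargetMtu = 1352,
    [string]$AdapterMatch = '*AnyConnect*'
)

# The VA is only present while a VPN session is up, so "not found" means "not connected".
$adapters = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like $AdapterMatch }
if (-not $adapters) {
    Write-Warning "No adapter matching '$AdapterMatch' found; is AnyConnect connected?"
    exit 1
}

foreach ($a in $adapters) {
    $ipif = Get-NetIPInterface -InterfaceIndex $a.ifIndex -AddressFamily IPv4
    Write-Host ("{0} ({1}): current IPv4 MTU {2}" -f $a.Name, $a.InterfaceDescription, $ipif.NlMtuBytes)

    if ($ipif.NlMtuBytes -eq $TargetMtu) {
        Write-Host "MTU already $TargetMtu, nothing to do."
        continue
    }

    # Set-NetIPInterface writes to both the active and the persistent store by default,
    # so the value is applied now and kept across reboots. The netsh equivalent the
    # original poster used would be:
    #   netsh interface ipv4 set subinterface "<adapter name>" mtu=1352 store=persistent
    Set-NetIPInterface -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -NlMtuBytes $TargetMtu

    # Re-read and verify rather than trusting the call succeeded silently.
    $after = (Get-NetIPInterface -InterfaceIndex $a.ifIndex -AddressFamily IPv4).NlMtuBytes
    if ($after -ne $TargetMtu) {
        Write-Error "Failed to set MTU on $($a.Name): still $after"
        exit 2
    }
    Write-Host "MTU on $($a.Name) set to $after."
}
```

Because AnyConnect brings the VA up with the MTU it receives from the headend, re-check the value after the next reconnect; if it reverts to 1406, the script has to run after each session comes up rather than once.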