04-11-2011 07:10 AM
Hi all
We are experiencing an issue with a B2B VPN. We are seeing traffic outbound but nothing in, and the other end says the same. The VPN is established but no traffic is flowing. Below is the tcpdump; I was wondering if anyone can help with the little info provided? Does this dump look normal?!
Thanks
FW01[admin]# tcpdump -i eth1 host 172.17.40.70 (Source)
tcpdump: listening on eth1
12:04:33.948025 O 172.17.40.70.10004 > 172.21.2.78.50714: S 3959131180:3959131180(0) win 64240 <mss 1380,nop,nop,sackOK>
12:04:33.949556 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:36.486339 O 172.17.40.70.10004 > 172.21.2.78.50714: S 3959131180:3959131180(0) win 64240 <mss 1380,nop,nop,sackOK>
12:04:36.487291 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:37.948786 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:42.503693 O 172.17.40.70.10004 > 172.21.2.78.50714: S 3959131180:3959131180(0) win 64240 <mss 1380,nop,nop,sackOK>
12:04:42.504314 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:43.949438 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:56.148761 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:05:20.148433 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:06:08.348728 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
04-11-2011 07:24 AM
Hi Colin,
The captures show that the SYN is going fine, and the SYNACK is coming back as well.
However the SYN-ACK has an MSS set to 1460 and the DF (do not fragment) bit is set.
As a result the firewall is unable to send the packet over the VPN.
The MSS needs to be set to 1380, OR, the DF bit should be cleared.
Hope this helps.
-Shrikant
P.S.: Please mark this question resolved if it has been answered. Do rate helpful posts. Thanks.
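As an added illustration (my own code, not something posted in this thread or shipped by any vendor), the following script parses the tcpdump lines Colin posted and reports the two symptoms Shrikant reads off them: a three-way handshake that never completes (the same SYN is re-sent and the same SYN-ACK keeps arriving), and a peer SYN-ACK that advertises an MSS above the 1380 the VPN side uses while also setting DF. The capture text embedded below is the one from the original post; the 1380 threshold, the field names and the wording of the findings are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Matches the tcpdump line format shown in the thread: timestamp, an I/O
# direction marker, src.port > dst.port, TCP flags, optional seq/ack,
# window, optional <options> and an optional trailing (DF).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<dir>[IO])\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRW.]+)\s+"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
    r"(?P<df>\s+\(DF\))?"
)


@dataclass
class Packet:
    ts: str
    direction: str      # "O" = leaving on eth1, "I" = arriving on eth1
    src: str
    dst: str
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    mss: Optional[int]  # MSS option, only present on SYN / SYN-ACK
    df: bool            # Don't Fragment bit set


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for lines that are not TCP packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group("opts") or ""
    mss_m = re.search(r"mss (\d+)", opts)
    return Packet(
        ts=m.group("ts"),
        direction=m.group("dir"),
        src=f"{m.group('src')}:{m.group('sport')}",
        dst=f"{m.group('dst')}:{m.group('dport')}",
        flags=m.group("flags"),
        seq=int(m.group("seq")) if m.group("seq") else None,
        ack=int(m.group("ack")) if m.group("ack") else None,
        mss=int(mss_m.group(1)) if mss_m else None,
        df=m.group("df") is not None,
    )


def parse_capture(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def analyse_handshake(packets: List[Packet], vpn_mss: int = 1380) -> Dict[str, Any]:
    """Classify the three-way handshake and flag the MSS/DF condition.

    vpn_mss is an assumed value: the MSS the local side advertises (1380 in
    the capture), which is what the tunnel can carry without fragmentation.
    """
    syn_out = [p for p in packets if p.direction == "O" and "S" in p.flags and p.ack is None]
    synack_in = [p for p in packets if p.direction == "I" and "S" in p.flags and p.ack is not None]
    ack_out = [p for p in packets if p.direction == "O" and "S" not in p.flags and p.ack is not None]
    peer_mss = synack_in[0].mss if synack_in else None
    peer_df = any(p.df for p in synack_in)
    mss_exceeds = peer_mss is not None and peer_mss > vpn_mss

    findings = []
    if len(syn_out) > 1:
        findings.append(f"SYN sent {len(syn_out)} times with the same ISN: the client never saw a usable SYN-ACK")
    if len(synack_in) > 1:
        findings.append(f"SYN-ACK received {len(synack_in)} times: the peer never saw our ACK")
    if mss_exceeds:
        findings.append(f"peer MSS {peer_mss} exceeds VPN-side MSS {vpn_mss}")
    if peer_df:
        findings.append("peer sets DF, so oversized segments cannot be fragmented for the tunnel")

    return {
        "syn_out": len(syn_out),
        "synack_in": len(synack_in),
        "ack_out": len(ack_out),
        "handshake_completed": bool(syn_out and synack_in and ack_out),
        "peer_mss": peer_mss,
        "peer_df_set": peer_df,
        "mss_exceeds_vpn": mss_exceeds,
        "findings": findings,
    }


# The capture lines from the original post (quoted, not constructed).
SAMPLE_CAPTURE = """\
12:04:33.948025 O 172.17.40.70.10004 > 172.21.2.78.50714: S 3959131180:3959131180(0) win 64240 <mss 1380,nop,nop,sackOK>
12:04:33.949556 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:36.486339 O 172.17.40.70.10004 > 172.21.2.78.50714: S 3959131180:3959131180(0) win 64240 <mss 1380,nop,nop,sackOK>
12:04:36.487291 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:37.948786 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:42.503693 O 172.17.40.70.10004 > 172.21.2.78.50714: S 3959131180:3959131180(0) win 64240 <mss 1380,nop,nop,sackOK>
12:04:42.504314 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:43.949438 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:04:56.148761 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:05:20.148433 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
12:06:08.348728 I 172.21.2.78.50714 > 172.17.40.70.10004: S 1461196193:1461196193(0) ack 3959131181 win 5840 <mss 1460> (DF)
"""

if __name__ == "__main__":
    for key, value in analyse_handshake(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{key}: {value}")
```

On this capture the script reports three outbound SYNs with the same ISN, eight inbound SYN-ACKs, no outbound ACK, a peer MSS of 1460 with DF set, and therefore an incomplete handshake. A completed handshake would show `ack_out` of at least 1 and an empty findings list, which makes the same script usable as a quick regression check after the MSS or DF change is applied.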
04-11-2011 08:38 AM
Hi Shrikant
Many thanks for the prompt reply. Is this setting for the other end of the VPN? Also, I notice this is a global command, and we have lots of similar VPNs passing traffic with no problem.
Thanks
04-11-2011 09:17 AM
Hi Colin,
I think the settings need to be changed on the server 172.21.2.78. Though the ASA can be configured to clear the DF bit.
Please refer to this link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
under "PIX/ASA 7.x - Clear Don't Fragment (DF)"
Hope this helps.
-Shrikant
P.S.: Please mark this question resolved if it has been answered. Do rate helpful posts. Thanks.