VPN Packet Fragmentation

Steve Babcock
Level 1

Cisco ASA 5505 (9.1.7 31)

with Cisco 881 (12.4 22) and 1921 (15.4-3.M9) as remote Site-to-Site

Users are seeing performance problems on RDS.

Here are the asp drop stats:

Frame drop:
IPSEC tunnel is down (ipsec-tun-down) 245
VPN reclassify failed (vpn-reclassify-failed) 2
ttl exceeded (ttl-exceeded) 12
No valid adjacency (no-adjacency) 428
No route to host (no-route) 1127
Flow is denied by configured rule (acl-drop) 301843
Invalid SPI (np-sp-invalid-spi) 6988
First TCP packet not SYN (tcp-not-syn) 134246
TCP failed 3 way handshake (tcp-3whs-failed) 7931
TCP RST/FIN out of order (tcp-rstfin-ooo) 332553
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 1
TCP SYNACK on established conn (tcp-synack-ooo) 12
TCP packet SEQ past window (tcp-seq-past-win) 489
TCP invalid ACK (tcp-invalid-ack) 3
TCP RST/SYN in window (tcp-rst-syn-in-win) 305
TCP packet failed PAWS test (tcp-paws-fail) 373
Slowpath security checks failed (sp-security-failed) 108401
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 4
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 8
DNS Inspect invalid packet (inspect-dns-invalid-pak) 11
DNS Inspect id not matched (inspect-dns-id-not-matched) 548
FP L2 rule drop (l2_acl) 364
Interface is down (interface-down) 2
Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode) 1
Packet shunned (shunned) 84311
Dropped pending packets in a closed socket (np-socket-closed) 142
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 338094

Last clearing: Never

Flow drop:
Tunnel has been torn down (tunnel-torn-down) 4
Need to start IKE negotiation (need-ike) 5966
VPN decryption missing (vpn-missing-decrypt) 8
Flow shunned (shunned) 3342
Inspection failure (inspect-fail) 34560
SSL handshake failed (ssl-handshake-failed) 6

I am wondering if this is a fragmentation issue.

There are no ip tcp adjust-mss statements on the inside interface of any of the routers.

There are no ip mtu statements on the outside interface of any of the routers.

Thanks,

Steve

3 Replies

Rahul Govindan
VIP Alumni

Difficult to say if fragmentation is the cause of your performance issues by just looking at this output. Also, the ASA sets the TCP mss value to 1380 by default.

asa# show run all sysopt
sysopt connection tcpmss 1380

That being said, you might have to apply packet captures at the ASA inside, router inside to see if there are a large number of drops/re-transmissions that could cause slowness. Plus, you are sending traffic through the internet, so the service providers may also rate limit traffic if there is a large amount of data. Also, if you can, try adding an MSS of at least 1400 on the router LAN side so that you eliminate the need for fragmentation for pre-encrypted TCP traffic.

So, to clarify ...

On the 881 and 1921, set the tcp adjust-mss to 1400 on the inside interface?

Sorry, MSS has to be set to 1360 bytes. This effectively sets the MTU of all the TCP packets to 1400 and avoids fragmentation of encrypted packets.
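An added example (Python, not code from this thread or from Cisco) that works through the MSS arithmetic behind the 1400 and 1360 figures in the replies above and generalises it to any MSS, path MTU and NAT-T setting. The ESP overhead values it uses (outer IPv4 header 20 bytes, ESP header 8, 16-byte IV and cipher block for AES-CBC, 12-byte ICV for HMAC-SHA1-96, 8 bytes of UDP when NAT traversal is active) are assumed typical numbers, not figures from the thread; the real overhead depends on the transform set configured on the ASA and the routers.

```python
# Added example: check whether a TCP MSS keeps the ESP tunnel-mode packet
# within the path MTU, so the encrypted packet never needs fragmenting.
# Overhead figures are assumed typical values for ESP tunnel mode with
# AES-CBC and HMAC-SHA1-96; the thread does not state the transform set.

IPV4_HEADER = 20
TCP_HEADER = 20          # no TCP options once the connection is established
ESP_HEADER = 8           # SPI + sequence number
NAT_T_UDP_HEADER = 8     # only when NAT traversal (UDP/4500) is in use


def tcp_packet_len(mss: int) -> int:
    """Clear-text IPv4/TCP packet length produced by a full-size segment."""
    return mss + IPV4_HEADER + TCP_HEADER


def esp_tunnel_len(inner_len: int, *, nat_t: bool = False,
                   iv_len: int = 16, block: int = 16, icv_len: int = 12) -> int:
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation.

    ESP pads the inner packet so that (inner + padding + 2-byte trailer)
    is a multiple of the cipher block size; the ICV follows the ciphertext.
    """
    pad = (-(inner_len + 2)) % block
    total = IPV4_HEADER + ESP_HEADER + iv_len + inner_len + pad + 2 + icv_len
    if nat_t:
        total += NAT_T_UDP_HEADER
    return total


def mss_budget(mss: int, path_mtu: int = 1500, nat_t: bool = False) -> dict:
    """Clear-text and encrypted sizes for one MSS, and whether it fits."""
    clear = tcp_packet_len(mss)
    encrypted = esp_tunnel_len(clear, nat_t=nat_t)
    return {
        "mss": mss,
        "clear_text_packet": clear,
        "encrypted_packet": encrypted,
        "fits_path_mtu": encrypted <= path_mtu,
    }


def max_mss(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest MSS whose encrypted packet still fits the path MTU.

    The search space is tiny, so a brute-force scan is clearer than
    inverting the padding arithmetic by hand.
    """
    return max(m for m in range(536, path_mtu)
               if mss_budget(m, path_mtu, nat_t)["fits_path_mtu"])


if __name__ == "__main__":
    # 1460 = untouched Ethernet MSS, 1400 = first suggestion,
    # 1380 = ASA sysopt default, 1360 = corrected suggestion.
    for mss in (1460, 1400, 1380, 1360):
        r = mss_budget(mss)
        state = "ok" if r["fits_path_mtu"] else "FRAGMENTS"
        print(f"MSS {r['mss']}: clear {r['clear_text_packet']} bytes, "
              f"ESP {r['encrypted_packet']} bytes -> {state}")
    print("largest safe MSS:", max_mss(), "/ with NAT-T:", max_mss(nat_t=True))
```

Under these assumptions an MSS of 1400 gives a 1440-byte clear-text packet that grows to 1512 bytes after ESP encapsulation, so it would still be fragmented on a 1500-byte path, which is why the correction to 1360 matters: that yields a 1400-byte packet and a 1464-byte encrypted packet. The matching IOS configuration is `ip tcp adjust-mss 1360` under the LAN-facing interface of the 881 and 1921; re-run the calculation with your own transform set and NAT-T state before choosing the value.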