01-17-2023 07:04 AM
Hello Community,
We have a number of ipsec tunnels on our ASA 5545 running software version 9.6.
We have deployed a cloud based DDOS solution using GRE tunnels for any inbound traffic ingressing into the network via the internet upstream of the ASAs. Hence the ASAs are downstream of our internet routers (ASR platform) that have traffic ingressing into them via the GRE tunnels from the DDOS provider. The physical connections to the ISP already have the TCP MSS adjust value configured.
The vendor also recommends configuring MSS values at the IPsec tunnels. Here is their recommendation:
If you are using IPsec inside GRE, set the MSS clamp at the IPsec tunnel interface and subtract 24 bytes from your current MSS value, which may be 1360 bytes or lower. This is because the physical interface will see IPsec-encrypted packets, not TCP packets, and MSS clamping will not apply to those.
A few questions regarding this:
Is there a command that could be run on the ASA to see the current MSS value of the IPsec tunnels?
Since our existing IPsec tunnels are up and passing traffic, will changing the MSS value cause an impact to traffic?
Are there any links that show the proper configuration changes to make in order to adjust the MSS value for IPsec on an ASA?
Thanks in advance!
01-17-2023 10:09 AM
ciscoasa(config)# show crypto ipsec sa
interface: outside2
    Crypto map tag: def, local addr: 10.132.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
      local ident (addr/mask/prot/port): (::/0/0/0)
      remote ident (addr/mask/prot/port): (3000::1/128/0/0)
      current_peer: 172.20.0.21
      dynamic allocated peer ip: 10.135.1.5
      dynamic allocated peer ip(ipv6): 3000::1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
      #PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
        transform: esp-3des esp-md5-hmac
        in use settings ={L2L, Transport, Manual key, (OSPFv3), }
        slot: 0, conn_id: 3, crypto-map: def
        sa timing: remaining key lifetime (sec): 548
        IV size: 8 bytes
        replay detection support: Y
01-17-2023 10:38 AM
@MHM Cisco World Thanks very much for the quick reply!
Could you please elaborate on the below? I looked at an existing connection on an ASA and noticed the following:
path mtu 1500, ipsec overhead 74(44), media mtu 1500
Am I reading it correctly that the tunnel is using 74 bytes of overhead? What is the meaning of the number in parentheses, (44)?
Found the below link, https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-mtu.html, which states that by default the ASA is using an MSS value of 1380, and that the necessary configuration to modify the MSS value would be the command "sysopt connection tcpmss 1356", say if we wanted to change the MSS from 1380 to 1356. Am I on the correct path?
I am assuming that making the change will cause the tunnels to bounce, correct?
01-17-2023 10:42 AM
I will run a lab and configure an L2L VPN between two ASAs and show the MTU values that appear for each case I test.
01-18-2023 10:44 AM
@MHM Cisco World I know you're busy; curious if any progress was made with the lab for the L2L VPN and the different MSS/MTU scenarios? We are looking to complete implementation of this in the next two weeks and want to ensure that we have the steps correct. Appreciate your help with this.
01-18-2023 12:43 PM
In the ASA,
show crypto ipsec sa
gives us some info about the MTU used in IPsec and the overhead.
Let's start:
show crypto ipsec sa <<- without changing the config of the ASA OUT interface, so by default it is equal to the media MTU = 1500
I changed the MTU of the ASA OUT interface to 1450;
now the path MTU will be 1450, BUT the media MTU is still the default, equal to 1500 (media here is Ethernet).
show crypto ipsec sa <<- also shows us the overhead; the overhead depends on the transform set you configure.
show crypto ipsec sa also shows us what transform set we use in the VPN; here in my lab I use
esp-aes-256 esp-sha-hmac
but here we can calculate it.
Cisco has a nice online calculator; you can use it to compute the IPsec overhead (note it is within a range of +/- 4 bytes), but it is very helpful:
IPsec Overhead Calculator (cisco.com)
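As an added worked example (not part of the thread or the Cisco calculator), the script below models ESP tunnel-mode overhead from the transform set using the RFC 4303 field sizes, then derives the TCP MSS that still fits a given path MTU once the vendor's 24-byte GRE encapsulation is added; it also reads the "path mtu N, ipsec overhead M" line straight out of show crypto ipsec sa output. The cipher/ICV size tables and the parsing helper are my assumptions for illustration, and the model can differ from the ASA's own "ipsec overhead" figure by a few bytes, as noted above for the calculator.

```python
"""Added example: ESP overhead model and MSS clamp derivation for IPsec-in-GRE.
Field sizes follow RFC 4303 (ESP); GRE overhead is the 24 bytes the vendor quotes."""
import re

IP_HDR, TCP_HDR = 20, 20          # inner IPv4 + TCP headers (no options)
ESP_HDR, ESP_TRAILER, NAT_T_UDP = 8, 2, 8   # SPI+seq, pad-len+next-hdr, UDP 4500
GRE_OVERHEAD = 24                 # figure quoted by the DDoS vendor in the thread

# cipher keyword -> (IV bytes, block size); auth keyword -> ICV bytes (assumed tables)
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16), "esp-aes-256": (16, 16)}
AUTH = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}


def esp_overhead(cipher, auth, inner_len, nat_t=False):
    """Bytes ESP tunnel mode adds to an inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    pad = (-(inner_len + ESP_TRAILER)) % block       # align to cipher block size
    total = IP_HDR + ESP_HDR + iv + pad + ESP_TRAILER + AUTH[auth]
    return total + NAT_T_UDP if nat_t else total


def worst_case_overhead(cipher, auth, nat_t=False):
    """Largest overhead over all padding outcomes; a clamp must assume this."""
    block = CIPHERS[cipher][1]
    return max(esp_overhead(cipher, auth, n, nat_t) for n in range(block))


def mss_for(path_mtu, overhead, gre=0):
    """Largest MSS whose inner packet + ESP + GRE still fits in path_mtu."""
    return path_mtu - overhead - gre - IP_HDR - TCP_HDR


def mss_from_show_output(text, gre=GRE_OVERHEAD):
    """Derive the MSS from the 'path mtu N, ipsec overhead M' line of show crypto ipsec sa."""
    m = re.search(r"path mtu (\d+), ipsec overhead (\d+)", text)
    if not m:
        raise ValueError("no 'path mtu ..., ipsec overhead ...' line found")
    return mss_for(int(m.group(1)), int(m.group(2)), gre)


# constructed sample line, same format as the ASA output quoted in the thread
SAMPLE = "path mtu 1500, ipsec overhead 60, media mtu 1500"

if __name__ == "__main__":
    print("worst-case esp-aes-256/esp-sha-hmac overhead:",
          worst_case_overhead("esp-aes-256", "esp-sha-hmac"))
    print("MSS from the ASA's reported figures plus GRE:", mss_from_show_output(SAMPLE))
    print("vendor's arithmetic on the ASA default:", 1380 - GRE_OVERHEAD)
```

Comparing the model's result with 1380 - 24 shows whether the vendor's simple subtraction from the ASA default is still below what the path can carry for your transform set.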
01-18-2023 02:38 PM
@MHM Cisco World This is very helpful. Thank you!! I believe the approach will be to make the MSS change from 1380 to 1356 using
"sysopt connection tcpmss 1356" and then check the status of the l2l tunnels using "show crypto ipsec sa" and associated commands.
Are there any show commands that will show the default MSS is now changed, or do we just check the running config?
Changing the MSS value will not require us to reload the FW, correct?
01-20-2023 10:35 AM
@MHM Cisco World Any update regarding the following? Again thank you for your research and quick help!
Are there any show commands that will show the default MSS is now changed, or do we just check the running config?
Changing the MSS value will not require us to reload the FW, correct?
01-21-2023 11:59 AM
If you change the TCP MSS with
sysopt connection tcpmss 1356 <<-
you can see the new value via
show run all sysopt
As for whether the ASA FW needs a reload after changing the TCP MSS: I ran a lab, and as you can see I changed the TCP MSS to 450 and did not need to reload; the new TCP value was set to 450 automatically.
02-01-2023 09:24 AM
@MHM Cisco World I am sorry that I did not respond sooner to this. Thank you very much for your diligent work! This is very helpful.
02-01-2023 09:25 AM
You are so so welcome