MSS clamping on IPsec tunnel - ASA

Hello Community,

We have a number of IPsec tunnels on our ASA 5545 running software version 9.6.

We have deployed a cloud-based DDoS solution using GRE tunnels for any inbound traffic ingressing into the network via the internet, upstream of the ASAs. Hence the ASAs are downstream of our internet routers (ASR platform), which have traffic ingressing into them via the GRE tunnels from the DDoS provider. The physical connections to the ISP already have the TCP MSS adjust value configured.

The vendor also recommends configuring MSS values at the IPsec tunnels. Here is their recommendation:

If you are using IPsec inside GRE, set the MSS clamp at the IPsec tunnel interface and subtract 24 bytes from your current MSS value, which may be 1360 bytes or lower. This is because the physical interface will see IPsec-encrypted packets, not TCP packets, and MSS clamping will not apply to those.

A few questions regarding this:

Is there a command that could be run on the ASA to see the current MSS value of the IPsec tunnels?

Since our existing IPsec tunnels are up and passing traffic, will changing the MSS value cause an impact to traffic?

Are there any links that show the proper configuration changes to make in order to adjust the MSS value for IPsec on an ASA?

Thanks in advance!


10 Replies

ciscoasa(config)# show crypto ipsec sa
interface: outside2
    Crypto map tag: def, local addr: 10.132.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
      local ident (addr/mask/prot/port): (::/0/0/0)
      remote ident (addr/mask/prot/port): (3000::1/128/0/0)
      current_peer: 172.20.0.21
      dynamic allocated peer ip: 10.135.1.5
      dynamic allocated peer ip(ipv6): 3000::1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
      #PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Transport, Manual key, (OSPFv3), }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 548
         IV size: 8 bytes
         replay detection support: Y

@MHM Cisco World Thanks very much for the quick reply!

Could you please elaborate on the below? I looked at an existing connection on an ASA and noticed the following:

path mtu 1500, ipsec overhead 74(44), media mtu 1500

Am I reading it correctly that the tunnel is using 74 bytes of overhead? What is the meaning of the number in parentheses, (44)?

Found the below link - https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-mtu.html which states that by default the ASA uses an MSS value of 1380, and that the necessary configuration to modify the MSS value would be the command "sysopt connection tcpmss 1356", say if we wanted to change the MSS from 1380 to 1356. Am I on the correct path?

I am assuming that making the change will cause the tunnels to bounce, correct?

I will run a lab and configure an L2L VPN between two ASAs and show the MTU values that appear for each case I test.

@MHM Cisco World I know you're busy; curious if any progress was made with the lab for the L2L VPN and the different MSS/MTU scenarios? We are looking to complete implementation of this in the next two weeks and want to ensure that we have the steps correct. Appreciate your help with this.

In the ASA,
show crypto ipsec sa
gives us some info about the MTU used in IPsec and the overhead.
Let's start:
show crypto ipsec sa <<- without changing the config of the ASA OUT interface, so it defaults to media mtu = 1500


Screenshot (221).png

I changed the MTU of the ASA OUT interface to 1450;
now the path MTU will be 1450 BUT the media MTU is still the default of 1500 (media here is Ethernet).


Screenshot (222).png

show crypto ipsec sa <<- also shows us the overhead; the overhead depends on the transform set you configure.
The show crypto ipsec sa also shows us what transform set we use in the VPN; here in my lab I use

esp-aes-256 esp-sha-hmac

Screenshot (223).png

But here we can calculate it:
Cisco has a nice online calculator; you can use it to count the IPsec overhead (note it is within a range of +/- 4 bytes), but it is very helpful:
IPsec Overhead Calculator (cisco.com)
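Worked example (added by the editor; not code from this thread, from Cisco, or from the ASA): the ESP overhead and MSS arithmetic behind the explanation in the post above and the vendor's "subtract 24 bytes" advice quoted in the original post. It computes the per-packet ESP overhead from the RFC 4303 layout for the transform sets named in this thread (SPI and sequence number, cipher IV, padding to the cipher block, 2-byte trailer, truncated HMAC ICV, plus the outer IPv4 header in tunnel mode) and derives the largest MSS that keeps an encrypted full-size segment, optionally wrapped in GRE, within the path MTU. The IV, block and ICV sizes are the RFC values; how the ASA rounds the figure it prints in `show crypto ipsec sa` is not reproduced here, and GRE is assumed to carry no key or sequence fields (4-byte header). Those two points are assumptions of the example.

```python
"""ESP overhead and TCP MSS clamp derivation (editor's example, not ASA code)."""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20          # TCP header without options
GRE_HDR = 4           # assumption: GRE without key/sequence fields
NAT_T_UDP = 8         # UDP header added when NAT-T encapsulation is in use
ESP_SPI_SEQ = 8       # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2       # pad length (1) + next header (1)

# cipher -> (IV bytes on the wire, block size the payload+trailer is padded to)
CIPHERS = {
    "esp-3des":    (8, 8),
    "esp-aes":     (16, 16),
    "esp-aes-192": (16, 16),
    "esp-aes-256": (16, 16),
    "esp-null":    (0, 4),   # no IV; RFC 4303 still requires 4-byte alignment
}
# integrity algorithm -> ICV bytes (truncated HMAC lengths per RFC 2403/2404/4868)
INTEGRITY = {
    "esp-md5-hmac":    12,
    "esp-sha-hmac":    12,
    "esp-sha256-hmac": 16,
    "esp-sha384-hmac": 24,
    "esp-sha512-hmac": 32,
    "esp-none":        0,
}


@dataclass
class Overhead:
    fixed: int     # bytes added regardless of payload size
    max_pad: int   # worst-case ESP padding for this cipher's block size

    @property
    def worst_case(self) -> int:
        return self.fixed + self.max_pad


def esp_overhead(cipher, integrity, tunnel_mode=True, nat_t=False) -> Overhead:
    """Per-packet ESP overhead for a transform set (outer IPv4 included in tunnel mode)."""
    iv, block = CIPHERS[cipher]
    fixed = ESP_SPI_SEQ + iv + ESP_TRAILER + INTEGRITY[integrity]
    if tunnel_mode:
        fixed += IPV4_HDR
    if nat_t:
        fixed += NAT_T_UDP
    return Overhead(fixed=fixed, max_pad=block - 1)


def esp_padding(payload_len, cipher) -> int:
    """Exact padding: payload + 2-byte trailer is padded up to the cipher block size."""
    _, block = CIPHERS[cipher]
    return (-(payload_len + ESP_TRAILER)) % block


def mss_clamp(path_mtu, cipher, integrity, gre=False, nat_t=False, tunnel_mode=True) -> int:
    """Largest MSS such that a full segment, encrypted (and optionally GRE-wrapped), never exceeds path_mtu."""
    worst = esp_overhead(cipher, integrity, tunnel_mode, nat_t).worst_case
    mss = path_mtu - worst - IPV4_HDR - TCP_HDR
    if gre:
        mss -= GRE_HDR + IPV4_HDR   # GRE header + its outer IPv4 header: the vendor's 24 bytes
    return mss


def encrypted_size(mss, cipher, integrity, gre=False, nat_t=False, tunnel_mode=True) -> int:
    """On-the-wire size of one full-MSS segment (no TCP options) after ESP, with exact padding."""
    inner = IPV4_HDR + TCP_HDR + mss
    size = inner + esp_overhead(cipher, integrity, tunnel_mode, nat_t).fixed + esp_padding(inner, cipher)
    if gre:
        size += GRE_HDR + IPV4_HDR
    return size


if __name__ == "__main__":
    for cipher, integ in (("esp-aes-256", "esp-sha-hmac"), ("esp-3des", "esp-md5-hmac")):
        oh = esp_overhead(cipher, integ)
        plain = mss_clamp(1500, cipher, integ)
        print(f"{cipher} {integ}: fixed {oh.fixed} B, worst case {oh.worst_case} B, "
              f"MSS {plain} (GRE in front: {mss_clamp(1500, cipher, integ, gre=True)})")
```

For esp-aes-256 esp-sha-hmac in tunnel mode this comes to 58 fixed bytes plus up to 15 bytes of padding, a worst case of 73 bytes, which is within the few-bytes variance mentioned for the online calculator; the GRE adjustment is exactly the 24 bytes (4 GRE + 20 outer IPv4) the vendor subtracts, and 1380 - 24 is where the 1356 used later in this thread comes from.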

@MHM Cisco World This is very helpful. Thank you!! I believe the approach will be to make the MSS change from 1380 to 1356 using "sysopt connection tcpmss 1356" and then check the status of the L2L tunnels using "show crypto ipsec sa" and associated commands.

Are there any show commands that will show the default MSS is now changed or just check the running config?

Changing the MSS value will not require us to reload the FW correct?

@MHM Cisco World  Any update regarding the following? Again thank you for your research and quick help!

Are there any show commands that will show the default MSS is now changed or just check the running config?

Changing the MSS value will not require us to reload the FW correct?

Accepted Solution

Screenshot (229).png

If you change the TCP MSS with
sysopt connection tcpmss 1356 <<-
you can see the new value via
show run all sysopt

For the question of whether the ASA FW needs a reload after changing the TCP MSS: I ran a lab, and as you can see I changed the TCP MSS to 450 and I did not need to reload; the new TCP value was set to 450 automatically.
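A second added example (editor's code, not the ASA's implementation and not from this thread): what an MSS clamp such as `sysopt connection tcpmss` does to a TCP SYN passing through the firewall, written as a packet transform so it can be checked offline. It builds a constructed IPv4/TCP SYN carrying MSS, window-scale and SACK-permitted options, reads the advertised MSS, lowers it to the configured limit while recomputing the TCP checksum, and leaves non-SYN segments and SYNs already at or below the limit untouched. This also answers the verification question in the post above from the packet side: SYNs captured after passing through the ASA should carry an MSS no larger than the configured value, and `read_mss()` is the check to run over such a capture. The addresses, ports and option layout are made up for the example.

```python
"""TCP MSS clamping as a packet transform (editor's example, not ASA code)."""
import struct

EOL_KIND, NOP_KIND, MSS_KIND = 0, 1, 2


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _tcp_checksum(ipv4: bytes, tcp: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)."""
    pseudo = ipv4[12:16] + ipv4[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp)


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int, seq: int = 0x1000) -> bytes:
    """Constructed sample input: IPv4 + TCP SYN with MSS, NOP, window scale and SACK-permitted options."""
    opts = (struct.pack("!BBH", MSS_KIND, 4, mss)       # MSS option
            + bytes([NOP_KIND, 3, 3, 7])                # NOP + window scale (shift 7)
            + bytes([NOP_KIND, NOP_KIND, 4, 2]))        # NOP NOP + SACK permitted
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_off << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp


def _tcp_options(tcp: bytes):
    """Yield (kind, offset, length) for each TCP option; stop on EOL or a malformed length."""
    hdr_len = (tcp[12] >> 4) * 4
    i = 20
    while i < hdr_len:
        kind = tcp[i]
        if kind == EOL_KIND:
            return
        if kind == NOP_KIND:
            i += 1
            continue
        if i + 1 >= hdr_len:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > hdr_len:
            return                       # never read past the header on a bad option
        yield kind, i, length
        i += length


def _is_tcp_syn(packet: bytes, tcp: bytes) -> bool:
    return packet[9] == 6 and bool(tcp[13] & 0x02)


def read_mss(packet: bytes):
    """MSS advertised in a TCP SYN, or None when the packet is not a SYN or has no MSS option."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    if not _is_tcp_syn(packet, tcp):
        return None
    for kind, off, length in _tcp_options(tcp):
        if kind == MSS_KIND and length == 4:
            return struct.unpack("!H", tcp[off + 2:off + 4])[0]
    return None


def clamp_mss(packet: bytes, limit: int) -> bytes:
    """Return the packet with its SYN MSS lowered to `limit` if it advertised more; otherwise unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], bytearray(packet[ihl:])
    if not _is_tcp_syn(packet, tcp):
        return packet
    for kind, off, length in _tcp_options(bytes(tcp)):
        if kind == MSS_KIND and length == 4:
            if struct.unpack("!H", tcp[off + 2:off + 4])[0] <= limit:
                return packet
            tcp[off + 2:off + 4] = struct.pack("!H", limit)
            tcp[16:18] = b"\x00\x00"                       # zero before recomputing
            tcp[16:18] = struct.pack("!H", _tcp_checksum(ip, bytes(tcp)))
            return ip + bytes(tcp)
    return packet


def checksum_ok(packet: bytes) -> bool:
    """A valid TCP checksum folds to zero when summed together with the checksum field."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[:ihl], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn(b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x0a", 40000, 443, 1460)
    print("before:", read_mss(syn), "after clamp to 1356:", read_mss(clamp_mss(syn, 1356)))
```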

@MHM Cisco World  I am sorry that I did not respond sooner to this, Thank  You very much for your diligent work! This is very helpful.

You are so so welcome 
