IPSEC VPN over DSL dropping or stripping packets

davidbuit · ‎02-15-2007

I have an IPSEC between a pix 506 and an ASA5510. The tunnel is over DSL links and there is a problem with traffic not going through correctly. Initially I was trying to get a server remotely to join the domain across the VPN but this was timing out. I adjusted the MTU on the outside interfaces of the firewall to 1360 so that the IPSEC SA would negotiate 1360 MTU and this then enabled the server to join the domain but I am still experiencing problems where traffic appears to be dropping or packets getting stripped. I have tried to implement Exindas between the two sites to accelerate the traffic but initially these couldn't even talk to each other until I modified the MTU as above. The PIX 506 terminate the DSL line using PPPoE and at the remote site there is an 877 that terminates the line and then connects to the ASA.

I have also tried to use DES as apposed to AES but this has not effect.

Any ideas or thought most appreciated!

davidbuit · ‎02-15-2007

Further to this, I have tried to use ip tcp adjust-mss on the VLAN interface on the 877 but as this is after the tunnel it has no effect.

Thanks

Fernando_Meza · ‎02-15-2007

HI ..

In my experience with VPN over ADSL I have found many issues with MTU. Many times I had to decrease the MTU several times until the traffic flow seemed OK and then increase the size to the maximum possible size which still allows the traffic and applications to flow as expected.

davidbuit · ‎02-15-2007

Thanks for your reply. I have experienced that same thing. Unfortunately I can't use tcp adjust-mss or route-map to set the DF bit to 0 on the VLAN interface on the router as the router interface is after the IPSEC tunnel and has no effect.

I will have to keep trying with the MTU however I have a nasty feeling that the traffic will never flow un-hindered.