How to use CSM Variable DEST_UNREACHABLE_MASK

Unanswered Question
May 14th, 2008

Hello,


We have some VPN customers complaining about accessing SAP via the CSM. Direct access to the servers works fine. Based on the situation we think that the CSM is not passing on ICMP Unreachables (RFC 792) from the firewalls to the servers so that MSS can be lowered.


I think the variable DEST_UNREACHABLE_MASK can help solve this issue but I don't know how to use it to allow ICMP Unreachables to the servers.


Thanks,

Murtaza

Gilles Dufour Thu, 05/15/2008 - 04:42
User Badges:
  • Cisco Employee,

By default the CSM does allow all unreachable messages.


This is what you should see :

gdufour-cat6k-2#sho mod csm 3 var | i DEST

DEST_UNREACHABLE_MASK 0xffff


If you do not have 0xffff, then it means you changed the default and should reset back to the default.


Regarding your primary issue, I would recommend taking a sniffer trace of the CSM portchannel to see why the VPN connection fails.


Gilles.
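One way to work through the sniffer traces recommended above, added here as an example (not part of either poster's messages and not Cisco tooling): decode ICMP Destination Unreachable packets captured on each side of the CSM and list the "fragmentation needed" messages that never appear on the server side. The function names and all addresses and ports are constructed; matching on client address and port assumes the CSM does not NAT the client side.

```python
import socket, struct

FRAG_NEEDED = 4  # ICMP type 3, code 4: fragmentation needed and DF set

def parse_unreachable(pkt: bytes):
    """Return fields of an IPv4 ICMP Destination Unreachable packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # IPv4 carrying ICMP only
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 + 20:                            # ICMP header + quoted IP header
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if icmp_type != 3:
        return None
    inner = pkt[ihl + 8:]                # quoted original datagram: IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {"reporter": socket.inet_ntoa(pkt[12:16]), "code": code,
            "next_hop_mtu": mtu if code == FRAG_NEEDED else None,  # RFC 1191 field
            "orig_dst": socket.inet_ntoa(inner[16:20]), "orig_dport": None}
    if inner[9] == 6 and len(inner) >= inner_ihl + 4:      # TCP: ports lead the header
        info["orig_dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])[1]
    return info

def missing_downstream(upstream, downstream):
    """Frag-needed messages present in the upstream capture but not downstream.
    Assumption: client address/port are not NATed, so they match on both sides."""
    key = lambda i: (i["orig_dst"], i["orig_dport"], i["next_hop_mtu"])
    seen = {key(i) for i in map(parse_unreachable, downstream) if i}
    return [i for i in map(parse_unreachable, upstream)
            if i and i["code"] == FRAG_NEEDED and key(i) not in seen]

def build_sample(reporter, dst, orig_src, orig_dst, sport, dport, mtu, code=FRAG_NEEDED):
    """Constructed sample packet (checksums left zero); not taken from the thread's trace."""
    def ip(src, dest, proto, length):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0x4000, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dest))
    icmp = struct.pack("!BBHHH", 3, code, 0, 0, mtu) \
        + ip(orig_src, orig_dst, 6, 1500) + struct.pack("!HHI", sport, dport, 0)
    return ip(reporter, dst, 1, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    # Constructed addresses: firewall 203.0.113.1, VIP 192.0.2.10, client 198.51.100.7
    fw_side = [build_sample("203.0.113.1", "192.0.2.10", "192.0.2.10", "198.51.100.7", 3200, 51000, 1400)]
    for m in missing_downstream(fw_side, downstream=[]):
        print("not forwarded:", m)
```

Feed it the raw IPv4 packets (link-layer header stripped) from the capture on the firewall-facing side and the capture on the server-facing side.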


hussainmo Wed, 05/21/2008 - 07:05

We took a trace and it looks like the CSM is not forwarding the ICMP unreachable to the backend system. I have checked the mask and it looks ok on the device.


-M

Gilles Dufour Thu, 05/22/2008 - 00:30
User Badges:
  • Cisco Employee,

Open a service request with the TAC and if necessary they will escalate it to me.

Send me the case # if you want me to have an early look.


Gilles.

hussainmo Thu, 05/22/2008 - 00:34

The TAC SR number is 608638139. I have already attached the sniffer trace and sh tech to the case.


-M
