VPN Connection for some hosts not working

stephen.stack
Level 4

Hi guys,

I hope some one can help me here.

I have a L2L VPN. Most hosts on one side of the VPN can telnet, HTTP, etc. to hosts on the other side. However, one host in particular cannot telnet, SSH, SNMP, etc. to the other side, even though it can ping across.

I have checked the ACL and it permits all traffic across the VPN from L2L. I have done a packet capture and I can see the packets hitting the ASA. Only ICMP gets through and back.

Any advice to resolve this issue would be great, debugs or similar.

Thanks

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

singhsaju
Level 4

Hi Stephen,

If ping works then it could be a fragmentation issue. Try to adjust the TCP MSS value on the PIX. For ASA check the following link.

sysopt connection tcpmss MSS_size_in_bytes

example: sysopt connection tcpmss 1360

You can also find the exact size for your connection using the extended ping utility from your workstation, as explained in the following link.

For PIX and router (as VPN end devices) use the following link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml#Issues

For ASA

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

HTH

Saju

Please rate if it helps
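The "find the exact size with ping" step above, as an added example that is not part of this thread: a binary search over DF-bit pings (assumes Linux iputils `ping -M do -s`) that finds the largest unfragmented payload across the tunnel and derives the path MTU and the MSS to configure. The probe is injectable so the search can be exercised without a network.

```python
import subprocess
import sys
from typing import Callable

IP_HDR = 20    # IPv4 header, no options
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header, no options


def ping_df(host: str, payload: int, timeout: int = 2) -> bool:
    """One ICMP echo with DF set and `payload` data bytes (Linux iputils)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    return rc == 0


def find_max_payload(probe: Callable[[int], bool],
                     lo: int = 0, hi: int = 1472) -> int:
    """Largest payload for which probe(size) is True, assuming a single
    cutoff (path MTU). 1472 is the Ethernet ceiling (1500 - 20 - 8).
    Returns -1 if even the smallest probe fails."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Ping payload that just fits -> path MTU seen by IP."""
    return payload + ICMP_HDR + IP_HDR


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS to set with `sysopt connection tcpmss` so a full segment
    never exceeds the path MTU (TCP fails where ICMP succeeds when
    this is too large and DF is set)."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    host = sys.argv[1]  # remote-side host across the VPN
    best = find_max_payload(lambda n: ping_df(host, n))
    mtu = path_mtu_from_payload(best)
    print(f"max payload {best}, path MTU {mtu}, suggested MSS {tcp_mss_for_mtu(mtu)}")
```

With a path MTU of 1418 (the figure reported later in this thread) the suggested MSS works out to 1378; the 1360 in the reply above corresponds to a 1400-byte path MTU.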

Hi Saju,

Thanks for the info. I have tried all MTU settings.

So, before I adjusted anything my max MTU from one host pinging another was 1418. I entered the commands

sysopt connection tcpmss 1300

and mtu outside 1300

This increased my overall MTU to 1470.

(I think this is a good thing; not great with MTU stuff.)

So, it is still not working. I have two key hosts that need to access services on the other side of the VPN.

They can both access services that the other needs to access, but not the services they need to access themselves. I can still see packets hitting the firewall using packet capture, but that's it. I do not see any flows, xlates, connections, ACL matches, or anything.

Please advise.

Regards

Stephen
