extreme packet fragmentation/loss on ASA 5510 remote VPN.

Unanswered Question
Sep 18th, 2008

Hi,

Since upgrading to version 8.04 (from 7.0 thru 7.2...) we now have an issue connecting to certain services over our remote access VPN.

The problem manifests as being able to use SSH v1 to connect to hosts over the VPN, but not SSH v2. This is commonly down to MTU size issues. We are also having issues with other services (VMware VI Client, for example).

Working through some diagnostics, the following can be seen:

Using a Windows XP host, and connecting to the VPN using the Cisco VPN Client, 'ping -f -l 152 10.3.8.1' works, but 'ping -f -l 153 10.3.8.1' does not. Local MTU is 1300.

10.3.8.1 is the address of the ASA 5510 management interface, but this problem exists for any hosts on the management network.

This system is currently in test at our local network, so there is very little in between the client and server:

XP Client 192.168.3.175/20 <---> 192.168.1.254/20 ( Linux Firewall ) 82.108.63.253/25 <-----> 82.108.63.176/25 (ASA 5510)

Running 'tcpdump -n -i any host 82.108.63.176 and not port 53' on the Linux firewall shows that the return packets at size 153 are leaving the ASA device, delayed and fragmented, but are not correctly reassembled:

ping -n 1 -f -l 152 10.3.8.1:

11:17:46.224255 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 528:660(132) ack 977 win 65535
11:17:46.224289 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 528:660(132) ack 977 win 65535
11:17:46.225290 IP 82.108.63.176.10000 > 82.108.63.253.1105: . 977:1221(244) ack 660 win 65535
11:17:46.225348 IP 82.108.63.176.10000 > 192.168.3.175.1105: . 977:1221(244) ack 660 win 65535

ping -n 1 -f -l 153 10.3.8.1:

11:21:14.689728 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 2012:2144(132) ack 1801 win 65535
11:21:14.689765 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 2012:2144(132) ack 1801 win 65535
11:21:22.263653 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 2144:2260(116) ack 1801 win 65535
11:21:22.263688 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 2144:2260(116) ack 1801 win 65535
11:21:22.265601 IP 82.108.63.176.10000 > 82.108.63.253.1105: . 1801:1917(116) ack 2260 win 65535
11:21:22.265642 IP 82.108.63.176.10000 > 192.168.3.175.1105: . 1801:1917(116) ack 2260 win 65535

QUESTION: Why are the packets being fragmented at such a low size (152+28 = 180 byte MTU!), and what could be causing this?
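The manual "ping -f -l 152 works, 153 does not" search from the post, automated as an added example (this is not code from the original post or from Cisco): a binary search over the don't-fragment payload size, with the probe function injected so the same search drives the Windows `ping -f -l` form used above or the Linux `ping -M do -s` form, and the 28-byte IPv4+ICMP header overhead from the post's own arithmetic turns the largest working payload into a path MTU. The host address and the 1472-byte upper bound are assumptions for illustration.

```python
import subprocess
import sys
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header (the post's "+28")


def windows_df_ping(host: str, payload: int) -> bool:
    """One DF ping with `payload` data bytes, Windows syntax as in the post.
    True only if a reply arrived and the stack did not report a DF failure."""
    cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return "Reply from" in out and "needs to be fragmented" not in out


def linux_df_ping(host: str, payload: int) -> bool:
    """Same probe on Linux: -M do sets DF, non-zero exit means no unfragmented reply."""
    cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload size in [lo, hi] for which probe() succeeds.
    Assumes probe(lo) works and that success is monotonic in size, which holds
    for a fixed path; raises if even the smallest probe fails (ICMP filtered, host down)."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, so the answer is at least mid
        else:
            hi = mid - 1      # mid needs fragmentation, so the answer is below it
    return lo


def path_mtu(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Effective path MTU = largest unfragmented ICMP payload + IP/ICMP headers."""
    return find_max_payload(probe, lo, hi) + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    # Usage: python pmtu.py 10.3.8.1   (host is an assumed example, as in the post)
    target = sys.argv[1] if len(sys.argv) > 1 else "10.3.8.1"
    ping = windows_df_ping if sys.platform.startswith("win") else linux_df_ping
    print("path MTU toward", target, "=", path_mtu(lambda n: ping(target, n)))
```

With a probe that behaves like the post's VPN (replies up to 152 bytes, none at 153), the search returns 152 and the derived MTU is 180, the same figure the question arrives at by hand.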
