extreme packet fragmentation/loss on ASA 5510 remote VPN.

Hi,

Since upgrading to version 8.04 (from 7.0 thru 7.2...) we now have an issue connecting to certain services over our remote access VPN.

The problem manifests as being able to use SSH v1 to connect to hosts over the VPN, but not SSH v2. This is commonly down to MTU size issues. We are also having issues with other services (VMware VI Client, for example).

Working through some diagnostics, the following can be seen:

Using a Windows XP host, and connecting to the VPN using the Cisco VPN Client, 'ping -f -l 152 10.3.8.1' works, but 'ping -f -l 153 10.3.8.1' does not. Local MTU is 1300.

10.3.8.1 is the address of the ASA 5510 management interface, but this problem exists for any hosts on the management network.

This system is currently in test at our local network, so there is very little in between the client and server:

XP Client 192.168.3.175/20 <---> 192.168.1.254/20 ( Linux Firewall ) 82.108.63.253/25 <-----> 82.108.63.176/25 (ASA 5510)

Running 'tcpdump -n -i any host 82.108.63.176 and not port 53' on the Linux firewall shows that the return packets at size 153 are leaving the ASA device, delayed and fragmented, but are not correctly reassembled:

ping -n 1 -f -l 152 10.3.8.1:

11:17:46.224255 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 528:660(132) ack 977 win 65535
11:17:46.224289 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 528:660(132) ack 977 win 65535
11:17:46.225290 IP 82.108.63.176.10000 > 82.108.63.253.1105: . 977:1221(244) ack 660 win 65535
11:17:46.225348 IP 82.108.63.176.10000 > 192.168.3.175.1105: . 977:1221(244) ack 660 win 65535

ping -n 1 -f -l 153 10.3.8.1:

11:21:14.689728 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 2012:2144(132) ack 1801 win 65535
11:21:14.689765 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 2012:2144(132) ack 1801 win 65535
11:21:22.263653 IP 192.168.3.175.1105 > 82.108.63.176.10000: . 2144:2260(116) ack 1801 win 65535
11:21:22.263688 IP 82.108.63.253.1105 > 82.108.63.176.10000: . 2144:2260(116) ack 1801 win 65535
11:21:22.265601 IP 82.108.63.176.10000 > 82.108.63.253.1105: . 1801:1917(116) ack 2260 win 65535
11:21:22.265642 IP 82.108.63.176.10000 > 192.168.3.175.1105: . 1801:1917(116) ack 2260 win 65535

QUESTION: Why are the packets being fragmented at such a low size (152+28 = 180 byte MTU!), and what could be causing this?
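The manual 'ping -f -l 152' / 'ping -f -l 153' test above, automated as a binary search over the payload size and turned into the numbers the thread argues about (implied path MTU, implied TCP MSS). This is an added example, not code from the original post; the ping command forms (Windows `-n/-f/-l/-w`, Linux iputils `-c/-M do/-s/-W`) and the 20/8/20-byte header sizes are assumptions, and the offline check uses a constructed probe that passes up to 152 bytes like the poster's path.

```python
"""Binary-search the largest ICMP payload that crosses a path with DF set,
then derive the path MTU and the TCP MSS that MTU implies.
Added example (not from the thread). The header sizes are assumed standard
IPv4/ICMP/TCP values without options."""
import platform
import subprocess
from typing import Callable

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # assumed: no IP or TCP options


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One echo request with Don't Fragment and `payload` data bytes; True on reply."""
    if platform.system() == "Windows":  # same form as the poster's 'ping -f -l N'
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_passing_payload(probe: Callable[[int], bool],
                            lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds.
    Assumes a monotonic path (pass at N implies pass at N-1); -1 if even lo fails."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid passed: answer is mid or larger
        else:
            hi = mid - 1      # mid fragmented/dropped: answer is below mid
    return lo


def implied_mtu(payload: int) -> int:
    """ICMP payload + ICMP header + IP header, e.g. 152 + 8 + 20 = 180."""
    return payload + ICMP_HDR + IP_HDR


def implied_tcp_mss(mtu: int) -> int:
    """Largest TCP segment that fits that MTU without fragmentation."""
    return mtu - IP_HDR - TCP_HDR


def diagnose(probe: Callable[[int], bool], local_mtu: int = 1300) -> dict:
    """Summarise the probe result against the adapter MTU the client was given."""
    p = largest_passing_payload(probe)
    mtu = implied_mtu(p)
    return {"max_payload": p, "path_mtu": mtu,
            "tcp_mss": implied_tcp_mss(mtu), "shortfall": local_mtu - mtu}
```

Against a live tunnel, pass `lambda n: ping_df("10.3.8.1", n)` as the probe; a result far below the adapter MTU (here 1300) points at the tunnel path, not the client NIC.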

2 Replies

andrew.prince
Level 10

What are your firewall interface MTUs set at?

What is the TCP MSS set to in the firewall? The default is 1380.

REMEMBER the MSS is negotiated between "Client" and "Server", typically the NIC MTU minus the IP & TCP headers = 1460.

The issue could be with the endpoint devices and NIC configuration - check that also.

HTH

barrosr
Level 1

Hey,

I had the same issue. Try to disable ip compression on your crypto config.

It has solved my problem.

Take a look at this bug:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&topicID=.ee6b93a&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1af6d

Hope it helps,

Rodrigo
