ASA5540 mysterious issue

Jan 27th, 2009

Hi,

I've recently migrated from PIX to ASA5540 Version 8.0(3)6.

On the new ASA we've set up L2L tunnels and remote access and everything seems to be working fine. However, we have a radiologist group who are using VPN remote access via the new ASA and have been reporting some slowdown and intermittent timeout issues while they are reading the studies. When it happens the VPN is still connected; after a minute or so they are able to read the images again.

This happens with a bunch of doctors who are connected to the ASA via different ISPs.

Sometimes they notice, after 30 minutes of not reading any studies, that when they try to refresh the page they see nothing listed. After a minute or so the studies are displayed again. Yet they are still connected.

Prior to the new ASA we were using PIX along with the VPN 3000 appliance; they were configured to access the system. This old PIX and the VPN appliance are still in place, and when they connect through the old PIX/VPN 3000 none of these behaviors are seen. The VPN group name is

We checked the configuration multiple times and nothing seems to suggest a configuration issue. Any idea? Your help is highly appreciated.

eddie.mitchell@... Thu, 01/29/2009 - 09:37

It sounds like an issue with the VPN idle timeout (default is 30 minutes). Do you currently have a custom value defined in the affected user group?

ssumrein Thu, 01/29/2009 - 10:56

Thanks for getting back to me. I did change the idle timeout value to not expire a few weeks ago; unfortunately that didn't do it. However, I did capture some traffic and sent it to Cisco TAC for further evaluation. They came back telling me that there is a TCP connection that negotiates an MSS of 1460, which is pretty close to 1500, the maximum segment size. To resolve this I need to add some extra bytes to the header due to the IPSec encryption; the packet might exceed the 1500 byte size and fragmentation could occur.

I added the following commands. So far so good. I still need to have some more users test it for at least another week to get more consistent results.

"crypto ipsec df-bit clear-df outside"

"sysopt connection tcpmss 1280"

Thanks again.
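The sizing argument in the reply above, worked through as an added example that is not part of the thread or of Cisco's tooling. It models the bytes that ESP tunnel mode adds around an inner TCP/IPv4 packet (outer IP header, ESP header, CBC IV, padding to the cipher block size, pad-length/next-header bytes, integrity check value, and the optional NAT-T UDP header) and checks whether the encrypted packet still fits a 1500-byte link. The block and IV sizes, 12-byte ICV and NAT-T assumption are typical of AES-CBC with HMAC-SHA1-96 and are assumptions, not values read from the poster's ASA. The `sysopt connection tcpmss` clamp keeps the inner segment small enough that no fragmentation is needed; `df-bit clear-df` is the fallback that lets the ASA fragment the encrypted packet when a client ignores the clamp and sets DF.

```python
# Added example: estimate IPsec ESP tunnel-mode overhead for a TCP segment
# and show why MSS 1460 overflows a 1500-byte MTU while MSS 1280 does not.
# Cipher/ICV/NAT-T parameters below are assumptions (AES-CBC + SHA1-96 + NAT-T),
# not values taken from the original poster's configuration.

IPV4_HDR = 20   # outer and inner IPv4 header without options
TCP_HDR = 20    # TCP header without options
UDP_HDR = 8     # UDP header used for NAT-T (port 4500) encapsulation
ESP_HDR = 8     # SPI (4 bytes) + sequence number (4 bytes)


def esp_tunnel_overhead(inner_len, cipher_block=16, iv_len=16,
                        icv_len=12, nat_t=True):
    """Bytes added when an inner IPv4 packet of inner_len bytes is wrapped in
    ESP tunnel mode. Padding makes (inner_len + pad + 2) a multiple of the
    cipher block size; the +2 covers the pad-length and next-header bytes."""
    pad = (-(inner_len + 2)) % cipher_block
    overhead = IPV4_HDR + ESP_HDR + iv_len + pad + 2 + icv_len
    if nat_t:
        overhead += UDP_HDR
    return overhead


def encrypted_packet_size(mss, **kw):
    """Total on-the-wire size of a full-MSS TCP segment after ESP tunnel mode."""
    inner = IPV4_HDR + TCP_HDR + mss
    return inner + esp_tunnel_overhead(inner, **kw)


def fits_mtu(mss, mtu=1500, **kw):
    """True when a full-MSS segment survives encryption without fragmentation."""
    return encrypted_packet_size(mss, **kw) <= mtu


def max_mss(mtu=1500, **kw):
    """Largest MSS whose encrypted packet still fits the given outer MTU."""
    mss = mtu - IPV4_HDR - TCP_HDR  # start from the plaintext-only maximum
    while mss > 0 and not fits_mtu(mss, mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1280):
        print(f"MSS {mss}: encrypted size {encrypted_packet_size(mss)} bytes, "
              f"fits 1500 MTU: {fits_mtu(mss)}")
    print(f"largest safe MSS with NAT-T: {max_mss()}")
    print(f"largest safe MSS without NAT-T: {max_mss(nat_t=False)}")
```

Under these assumptions a 1460-byte MSS becomes a 1568-byte encrypted packet, so every full-size segment must be fragmented (or dropped when DF is set), while 1280 lands at 1392 bytes with room to spare; the 1280 value in the reply is deliberately conservative, leaving headroom for larger ICVs, TCP options or an upstream link with a smaller MTU.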
