AnyConnect does not work with Verizon DSL; Server Parse Error

Unanswered Question
May 4th, 2009

I have an ASA running 8.0.4(28) providing SSL VPN access to AnyConnect clients running version 2.3.0254. When connecting, authentication works great using RSA tokens. After authentication, the Clean Access Agent (CAA) is invoked by the NAC Clean Access Server (CAS) and it fails because no data can pass through the Verizon DSL tunnel because they set the DSL MTU very low. Unfortunately, AnyConnect CANNOT handle the lower MTU setting and the user is stuck and receives a Server Parse Error. Regardless of whether we are integrating NAC with this solution, other IP traffic larger than the MTU would not pass either because the AnyConnect client CANNOT fragment the traffic. So, unless the MTU setting for AnyConnect in Group Policy is very low (less than 300), traffic will not pass on many Verizon DSL connections. Has anyone else run into this problem? We do NOT have the same problem when using the IPSec client, because the MTU can be set by the client and it appears that the IPSec client can handle a lower MTU setting along the path by using either an ICMP redirect or path MTU discovery. Is there any possibility of AnyConnect having similar capabilities as IPSec from the lower layers?

Anonymous (not verified) Fri, 05/08/2009 - 14:26

The MTU parameter is used by both the client and the security appliance to set the maximum size of the packet to be transmitted over the tunnel. If an end user is experiencing a significant amount of lost packets, or if an application such as Microsoft Outlook is not functioning over the tunnel, it might indicate a fragmentation issue. Lowering the MTU for that user or group of users may address the problem.

The client proposes an MTU value that is 94 bytes less than the MTU of the physical adapter used for the SSL and DTLS connection to the security appliance. The security appliance accepts the lesser of the configured MTU or the value proposed by the client. Both the client and the security appliance use the value selected by the security appliance.

For example, if the physical adapter on the PC has been changed to use an MTU of 1300, then the client proposes an MTU of 1206 to the security appliance. If the security appliance is set for a value lower than 1206, both the client and the security appliance use the lower value that was set using the MTU configuration command.
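As an added illustration (not code from this thread, from Cisco, or from the AnyConnect product), the negotiation rule stated in the reply above written out in Python: the client proposes its adapter MTU minus 94 bytes, the appliance keeps the lesser of that proposal and its own configured value, and any packet larger than the agreed tunnel MTU is one the client cannot fragment. The 94-byte figure and the 1300/1206 pair come from the reply; the appliance values 1406 and 1100 and the packet sizes in the sample run are constructed for the demonstration.

```python
# Added example modelling the AnyConnect/ASA MTU negotiation described in the reply.
# Assumptions: CLIENT_HEADROOM (94 bytes) is taken from the reply; all other
# numbers used in the sample run below are constructed, not taken from a real device.

CLIENT_HEADROOM = 94  # bytes the client subtracts from the physical adapter MTU


def client_proposed_mtu(physical_adapter_mtu: int) -> int:
    """MTU the client proposes: the physical adapter MTU minus 94 bytes."""
    return physical_adapter_mtu - CLIENT_HEADROOM


def negotiate_tunnel_mtu(physical_adapter_mtu: int, asa_configured_mtu: int) -> tuple[int, str]:
    """Return (tunnel MTU both sides will use, which side's value won).

    The security appliance accepts the lesser of its configured MTU and the
    client's proposal; both ends then use that value.
    """
    proposed = client_proposed_mtu(physical_adapter_mtu)
    if asa_configured_mtu < proposed:
        return asa_configured_mtu, "security appliance"
    if asa_configured_mtu == proposed:
        return proposed, "equal"
    return proposed, "client"


def adapter_mtu_for_tunnel_mtu(target_tunnel_mtu: int) -> int:
    """Physical adapter MTU that makes the client propose exactly target_tunnel_mtu.

    Useful when the appliance side cannot be changed and the only lever is the
    client adapter setting (the reply's 1300 -> 1206 case, run backwards).
    """
    return target_tunnel_mtu + CLIENT_HEADROOM


def oversized_packets(packet_sizes: list[int], tunnel_mtu: int) -> list[int]:
    """Packets larger than the negotiated tunnel MTU.

    The original poster notes the AnyConnect client cannot fragment such
    traffic, so these are the packets that would not pass the tunnel.
    """
    return [size for size in packet_sizes if size > tunnel_mtu]


if __name__ == "__main__":
    # The reply's worked example: adapter at 1300 -> client proposes 1206.
    print("client proposes", client_proposed_mtu(1300))

    # Constructed appliance values: one above the proposal, one below it.
    for asa_mtu in (1406, 1100):
        mtu, winner = negotiate_tunnel_mtu(1300, asa_mtu)
        print(f"ASA configured {asa_mtu}: tunnel MTU {mtu} (chosen by {winner})")

    # Constructed packet sizes checked against the 1206 tunnel MTU.
    sizes = [500, 1206, 1207, 1400]
    print("would not fit:", oversized_packets(sizes, 1206))

    # Which adapter MTU to set if a 1206-byte tunnel MTU is the goal.
    print("adapter MTU needed:", adapter_mtu_for_tunnel_mtu(1206))
```

The `adapter_mtu_for_tunnel_mtu` helper only addresses the client-side lever the reply describes; it does not model the DSL path MTU from the original question, which the client does not learn through this negotiation.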