I have an ASA running 8.0.4(28) providing SSL VPN access to AnyConnect clients running version 2.3.0254. When connecting, authentication works great using RSA tokens. After authentication, the Clean Access Agent (CAA) is invoked by the NAC Clean Access Server (CAS) and it fails because no data can pass through the Verizon DSL tunnel because they set the DSL MTU very low. Unfortunately, AnyConnect CANNOT handle the lower MTU setting and the user is stuck and receives a Server Parse Error. Regardless of whether we are integrating NAC with this solution, other IP traffic larger than the MTU would not pass either because the AnyConnect client CANNOT fragment the traffic. So, unless the MTU setting for AnyConnect in Group Policy is very low (less than 300), traffic will not pass on many Verizon DSL connections. Has anyone else run into this problem? We do NOT have the same problem when using the IPSec client, because the MTU can be set by the client and it appears that the IPSec client can handle a lower MTU setting along the path by using either an ICMP redirect or path MTU discovery. Is there any possibility of AnyConnect having similar capabilities as IPSec from the lower layers?