MSB Client VPN issue

Unanswered Question
Sep 30th, 2009
User Badges:

customer unable to connect to vpn endpoint when going through a MSB.

He changes the gateway on the host to use the ASA as the exit point and has no problems.

The endpoint is reachable from either the MSB or ASA.

Any know issues with MSB and Cisco client VPN.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
5creedus Wed, 09/30/2009 - 14:15
User Badges:

got the solution from another co-worker so sharing:

The "bigmss (MTU) fixup" is used when VPN is not connecting from hosts behind a MSB firewall. Symptoms are:

- no ISAKMP return traffic seen by the client

- the "test" rule allowing ISAKMP inbound increments, indicating the return traffic made it to the firewall outside interface

- no login prompt (popup window)

To resolve do the below in sequence and when complete have the connection tested. The VPN login prompt (popup window) should now be seen. This works with many to one NAT or one to one NAT

1) acl for fixup

access-list tcp_norm line 5 extended permit tcp any any

2) class maps

parameter-map type connection TCPMAP

exceed-mss allow


class-map match-all cmTCPNORM

2 match access-list tcp_norm


3) policy map

policy-map multi-match bigmss

class cmTCPNORM

connection advanced-options TCPMAP



4) apply the policy map to both the external and internal interfaces

interface internal

service-policy input bigmss


interface external

service-policy input bigmss



Ensure you save the policy


This Discussion