ISA client connectivity problem over IPSEC L2L VPN

Unanswered Question
Nov 9th, 2009


I am facing a problem in Site to Site VPN.

There is only an IPSEC VPN between 2 sites where all LAN to LAN traffic (TCP and UDP) is included in the CRYPTO ACL.

Also note that there is a GRE Tunnel between the 2 sites, on which the Crypto map is applied.

All kinds of communication are working successfully between the 2 sites except for the ISA client connectivity.

There is a special application over the internet that needs users to connect to the ISA server using the ISA client at the user side. When applying the crypto map over the GRE tunnel, the ISA client is unable to connect.

When removing the crypto map, the ISA client is able to connect successfully.

I tried to change the transform set and Phase 1 settings, but still the same problem.

Has anyone had a similar problem?


Ivan Martinon Wed, 12/02/2009 - 10:28

This seems like an MTU issue: having GRE/IPsec adds overhead to the packet, and by removing the IPsec part you only leave the GRE header. My advice would be to decrease your MTU on the tunnel interfaces to be around 1400 bytes or to use TCP MSS enforcing on the internal interface to be around 1300, the last one useful only if the transaction goes over TCP of course.

internal interface

      ip tcp adjust-mss 1300

tunnel interface

      ip mtu 1400

Try either one, or make sure you enable the router to clear the DF bit to allow fragmentation.
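
The overhead described in the reply above can be worked out per packet. This is an added example, not part of the original thread; it assumes IPv4 without options, a basic 4-byte GRE header, and ESP with AES-CBC and HMAC-SHA1-96, since the thread does not state the transform set, and a 1500-byte path MTU.

```python
# Added example: per-packet size after GRE + IPsec ESP encapsulation.
# Assumed (not stated on the page): IPv4 without options, basic 4-byte GRE
# header, ESP with AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV).

IPV4_HDR = 20     # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
GRE_HDR = 4       # GRE without key, sequence or checksum fields
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes


def gre_ipsec_wire_size(ip_len, block=16, iv=16, icv=12, tunnel_mode=True):
    """Bytes on the wire for an original IP packet of ip_len bytes."""
    if tunnel_mode:
        # ESP protects the whole GRE packet and adds a new outer IP header.
        protected = IPV4_HDR + GRE_HDR + ip_len
    else:
        # Transport mode reuses the GRE delivery header as the outer header.
        protected = GRE_HDR + ip_len
    # Payload plus ESP trailer is padded up to a cipher block multiple.
    padded = -(-(protected + ESP_TRAILER) // block) * block
    return IPV4_HDR + ESP_HDR + iv + padded + icv


def max_inner_packet(path_mtu=1500, **esp):
    """Largest original IP packet that still fits path_mtu unfragmented."""
    size = path_mtu
    while size > 0 and gre_ipsec_wire_size(size, **esp) > path_mtu:
        size -= 1
    return size


def max_tcp_mss(path_mtu=1500, **esp):
    """Largest TCP MSS whose full-size segments avoid fragmentation."""
    return max_inner_packet(path_mtu, **esp) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for ip_len in (1500, 1400, 1300 + IPV4_HDR + TCP_HDR):
        print(ip_len, "->", gre_ipsec_wire_size(ip_len))
    print("max inner packet:", max_inner_packet(), "max MSS:", max_tcp_mss())
```

Under these assumptions a full 1500-byte packet grows to 1592 bytes once encrypted, while a 1400-byte packet or a segment sent with an MSS of 1300 stays below 1500 bytes on the wire.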


