04-17-2010 02:22 AM - edited 02-21-2020 04:36 PM
Hi,
I'd like your advice about an issue with IPSec and TCP MSS.
I have the following architecture in production
Cisco VPN Client --- PacketShaper --- VPN 3000 --- LAN
Cisco VPN Client: TCP MSS 1300
PacketShaper: TCP Window Sizing (equals to TCP MSS=1460)
VPN 3000: TCP MSS 1280
The Cisco VPN Client can connect to the VPN 3000 (IPSec VPN Remote-Access connection) and send/receive traffic.
I decided to replace the VPN 3000 with a Cisco ASA 5510.
On the Cisco ASA, I entered the same command "sysopt connection tcpmss 1280" but it failed.
We can see IKE Phase 1 & 2 established (IPSec tunnel OK). But no traffic is possible, and after 2 minutes a timeout occurs.
So, we decided to disable TCP Window Sizing on the PacketShaper. Success.
BUT, why such a difference between a VPN 3000 and an ASA with an IPSec tunnel?
Have you ever encountered something like that?
I don't want to change the PacketShaper configuration, because the TCP Window Sizing is for all connections.
On Cisco ASA, I can't find any solution.
Here are my tests:
| PacketShaper | VPN 3000 | Result |
|---|---|---|
| TCP Window Sizing enabled, TCP MSS = 1460 | Command : | SUCCESS |

| PacketShaper | ASA | Result |
|---|---|---|
| TCP Window Sizing enabled, TCP MSS=1460 | no command (so TCP MSS=1380 by default) | FAILED |
| TCP Window Size enabled | Command : | FAILED |
| TCP Window Size disabled | no command (so TCP MSS=1380 by default) | SUCCESS |
Thanks for any answer.
Herve
07-12-2010 01:50 AM
Hi Leon,
We experience exactly the same issue here when replacing a VPN 3000 with an ASA 5540.
Did you eventually find a solution?
Regards,
Sven
07-12-2010 06:53 AM
Hello,
What kind of VPN are you using? The VPN client connection by default is either ESP protocol 50 or UDP encapsulated ESP on port 4500, so MSS adjustments on encrypted packets (that aren't even TCP) won't have an effect.
Are you using IPSEC over TCP?
--Jason
07-13-2010 12:28 AM
Hi Jason,
Yes indeed, we are using IPSEC over TCP port 443, forgot to mention that.
Regards,
Sven