I need some help...
OK, I have one PIX and one ASA firewall, both version 8.0.4. Between them I have a site-to-site VPN and have defined interesting traffic in crypto maps. For now everything is OK,
except when I try to FTP from one particular server to another. Let me explain this better.
Let's say client A has the IP address 192.168.1.1 and server B has the IP address 192.168.101.1. I have defined interesting traffic in the crypto map for the site-to-site VPN (source: 192.168.1.1, destination: 192.168.101.1, service: IP protect). I log in from the FTP client to the FTP server; I can see the tunnel is created and there is flow inside. If I do a list of some folder with a couple of files, it is OK. But when I try to do a list of some folder with more files (more data for the FTP server to send to the client), then the FTP session gets stuck. I did some packet captures and I can see duplicate ACKs on the side of the FTP client and retransmission attempts on the side of the FTP server, but the data doesn't get to the FTP client. On the PIX where the FTP server resides I can also see that the packets are leaving the tunnel, but on the side of the ASA where the FTP client resides I cannot see those packets. If I remove this FTP traffic from the tunnel, everything is OK.
The ASA usually adjusts the MSS "automatically" to 1380: as the SYN packet goes from "inside" to "outside", it should adjust it from (usually) 1460 down to 1380. If you did a packet capture on the remote end for the SYN, you will probably see the MSS at 1380. The same is true of the return packet, the SYN-ACK: the MSS should also be adjusted down to 1380. You could verify this by capturing the SYN-ACK on the local end. This is done to accommodate the IPsec header.
To further troubleshoot why the ASA is not adjusting the MSS (if that is the case), or why the upstream IOS device is or isn't dropping the packet, please feel free to open a case with TAC.
If you could, please be sure to mark this thread as "answered".
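To make the MSS adjustment described in the reply above concrete, here is an added Python example; it is not code from this thread or from Cisco. It builds a constructed TCP SYN that advertises an MSS option, reads the MSS back the way you would check it in a capture, and then clamps it to 1380 the way the ASA rewrites a SYN or SYN-ACK crossing the firewall (the ASA setting behind this is "sysopt connection tcpmss", whose default is 1380). The 1500-byte MTU, the 20-byte IPv4 and TCP headers and the TCP option layout are standard values; the 80-byte "headroom" is simply 1460 minus 1380, the room that the adjustment leaves for the IPsec encapsulation. The sample segment and port numbers are constructed for the example, not taken from a real capture.

```python
import struct

# Standard sizes behind the reply's arithmetic: a 1500-byte Ethernet MTU
# minus 20-byte IPv4 and 20-byte TCP headers gives the usual 1460-byte MSS.
ETHERNET_MTU = 1500
IPV4_HEADER = 20
TCP_HEADER = 20
DEFAULT_MSS = ETHERNET_MTU - IPV4_HEADER - TCP_HEADER   # 1460
ASA_TCPMSS = 1380   # ASA default for "sysopt connection tcpmss"

# TCP option kinds used below.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_OK = 0, 1, 2, 4


def build_syn(src_port, dst_port, mss):
    """Build a constructed TCP SYN header (no IP header, checksum left 0)
    carrying an MSS option plus NOP padding and SACK-permitted, the way a
    typical client SYN looks. Sample data for this example, not a real capture."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)          # kind 2, length 4, value
    options += bytes([OPT_NOP, OPT_NOP, OPT_SACK_OK, 2])   # pad to a 4-byte boundary
    data_offset = (TCP_HEADER + len(options)) // 4           # header length in 32-bit words
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0,                  # sequence number
        0,                  # acknowledgement number
        data_offset << 4,   # data offset in the upper nibble, reserved bits 0
        0x02,               # flags: SYN
        65535,              # window
        0,                  # checksum (not computed in this example)
        0,                  # urgent pointer
    )
    return header + options


def iter_options(segment):
    """Yield (kind, offset_in_segment, value_bytes) for every TCP option."""
    header_len = (segment[12] >> 4) * 4
    i = TCP_HEADER
    while i < header_len:
        kind = segment[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            return  # malformed option list: stop rather than read past the header
        yield kind, i, segment[i + 2:i + length]
        i += length


def get_mss(segment):
    """Return the advertised MSS, or None if the segment has no MSS option."""
    for kind, _, value in iter_options(segment):
        if kind == OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss(segment, limit=ASA_TCPMSS):
    """Return a copy of the segment with its MSS option lowered to `limit` if it
    advertises more, which is what the ASA does to a SYN and a SYN-ACK passing
    through it. A smaller MSS is left alone. (A real firewall also fixes up the
    TCP checksum; this constructed segment carries none.)"""
    out = bytearray(segment)
    for kind, offset, value in iter_options(segment):
        if kind == OPT_MSS and len(value) == 2:
            current = struct.unpack("!H", value)[0]
            if current > limit:
                struct.pack_into("!H", out, offset + 2, limit)
    return bytes(out)


def tunnel_headroom(mss):
    """Bytes left in a 1500-byte frame for tunnel overhead once a full-size
    segment (IPv4 + TCP + `mss` bytes of data) is placed inside it. At 1460
    there is none, so an encapsulated full segment no longer fits the MTU;
    at 1380 there are 80 bytes for the IPsec encapsulation."""
    return ETHERNET_MTU - IPV4_HEADER - TCP_HEADER - mss


if __name__ == "__main__":
    syn = build_syn(50123, 21, DEFAULT_MSS)
    print("client SYN advertises MSS", get_mss(syn))
    adjusted = clamp_mss(syn)
    print("after the ASA it advertises MSS", get_mss(adjusted))
    for mss in (DEFAULT_MSS, ASA_TCPMSS):
        print(f"MSS {mss}: {tunnel_headroom(mss)} bytes of headroom for the tunnel")
```

The point the reply makes is visible in tunnel_headroom(): a full 1460-byte segment fills the 1500-byte frame exactly, so once it is encapsulated there is nowhere for the IPsec overhead to go, which is why a directory listing small enough to fit in one short segment works while a large one that produces full-size segments stalls. On the ASA itself the effective setting can be checked with "show running-config all sysopt", and the advertised MSS in a capture is shown by the detail form of "show capture".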