Solved: MTU path issue when VPNed in to ASA5510 8.0(4)

bert.baker · ‎08-11-2010

I have a new ASA I just setup for VPN access just like all the other ASA's I have ever setup.

The VPN client connects just fine, gets an IP, is able to ping devices on the corporate network.

I have compared it to other ASA's I have setup that work. I can't see the issue.

3 things:

I am unable to ping the LAN interface of the ASA when VPN'ed in.

When I do a mturoute.exe to an inside IP it shows an MTU of only 196 when I use the Cisco VPN Dialer.

When I use the Shrewsoft VPN client I can set the MTU to 1380. When I do a mturoute.exe to an inside IP it shows 1380.

I am thinking because it doesn't respond to a Ping on the LAN of the ASA that the MTU path discovery doesn't work.

Any help would be appreciated.

Thanks,

Bert

Jitendriya Athavale · ‎08-11-2010

apologies for repeated postings but this is what you need to do

From a Windows device use this: C:\> ping -f -l packet_size_in_bytes destination_IP_address.

The -f option is used to specify that the packet cannot be fragmented. The -l option is used to specify the length of the packet. First try this with a packet size of 1,500. For example, ping -f -l 1500 192.168.100. If fragmentation is required but cannot be performed, you receive a message such as this: Packets need to be fragmented but DF set.

missed -f in my last post

# can you try from your command prompt

ping -f -l 1380

so it sends a ping of 1380 bytes

so you should see something like this if it is not getting through

C:\Documents and Settings\jathaval>ping -f 4.2.2.2 -l 1380

Pinging 4.2.2.2 with 1380 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

View solution in original post

mulatif · ‎08-11-2010

Hi,

"management-access " should let you ping the inside ASA interface.

Thanks,

Naman

bert.baker · ‎08-11-2010

management-access inside allowed me to ping the Interface but that doesn't solve the MTU issue. The mturoute.exe still shows 196 for going through the ASA.

Thanks,

Bert

Jitendriya Athavale · ‎08-11-2010

# do you have command

management-access inside

# can you try from your command prompt

ping -l 1380

so it sends a ping of 1380 bytes

Jitendriya Athavale · ‎08-11-2010

can u try a ping with mss

# can you try from your command prompt

ping -l 1380

so it sends a ping of 1380 bytes

i think this should pass

Jitendriya Athavale · ‎08-11-2010

apologies for repeated postings but this is what you need to do

From a Windows device use this: C:\> ping -f -l packet_size_in_bytes destination_IP_address.

The -f option is used to specify that the packet cannot be fragmented. The -l option is used to specify the length of the packet. First try this with a packet size of 1,500. For example, ping -f -l 1500 192.168.100. If fragmentation is required but cannot be performed, you receive a message such as this: Packets need to be fragmented but DF set.

missed -f in my last post

# can you try from your command prompt

ping -f -l 1380

so it sends a ping of 1380 bytes

so you should see something like this if it is not getting through

C:\Documents and Settings\jathaval>ping -f 4.2.2.2 -l 1380

Pinging 4.2.2.2 with 1380 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

bert.baker · ‎08-11-2010

Here are my ping results. First my setmtu.exe is set to 1300.

C:\>ping -f bertman2 -l 1380

Pinging bertman2.somedomain.com [10.18.178.62] with 1380 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.