AnyConnect MTU

Mon, 10/06/2014 - 06:38
The MTU of the legacy VPN Client and of the SVC client used to connect to the VPN was 1300 bytes. With the AnyConnect client the default is 1406 bytes. That value was chosen with transfer efficiency in mind, but several other factors feed into the MTU that is actually applied, which makes the behaviour more involved than a single setting suggests. This document describes the basic settings and operation of the AnyConnect MTU and the main failure case associated with it. It is based on behaviour verified with ASA 9.1(4) and AnyConnect 3.1.05152. Note that this is unofficial content describing the current implementation only; future releases are not guaranteed to behave the same way.
 

Contents
1. Configure Basic Settings on the AnyConnect MTU
1-1. Settings from DfltGrpPolicy and Custom Group Policy
1-2. Settings Using Radius Attribute

2. AnyConnect MTU Operation Overview
2-1. Calculating the Overhead
2-2. Reflecting AnyConnect MTU to VA
2-3. MTU Discovery Process

3. Case Study
3-1. A Reconnect Occurs About One Minute After Connecting to AnyConnect

 

1. Configure basic settings on the AnyConnect MTU

1-1. Settings from DfltGrpPolicy and Custom Group Policy


In ASDM, the AnyConnect client settings are under [Configuration] > [Remote Access VPN] > [Network (Client) Access] > [Group Policies] > [Edit DfltGrpPolicy (System Default)] > [Advanced] > [AnyConnect Client]. The default MTU is 1406, as shown in the figure below. Note that 1406 is also the maximum value that can be configured.

DfltGrpPolicy.png

 

To give a custom Group Policy an MTU different from DfltGrpPolicy, open the AnyConnect client settings of that policy in ASDM: [Configuration] > [Remote Access VPN] > [Network (Client) Access] > [Group Policies] > [Edit target custom Group Policy] > [Advanced] > [AnyConnect Client]. As shown in the figure below, Inherit is checked by default, meaning the MTU of DfltGrpPolicy is inherited. To apply a separate MTU to the custom Group Policy, uncheck Inherit and enter the desired value.
 

 

GroupPolicy1.png

 

1-2. Settings Using Radius Attribute


The MTU can also be set with the RADIUS attribute WebVPN-SVC-DTLS-MTU (SVC-MTU). An MTU assigned by this attribute takes precedence over the MTU configured in the Group Policy described in 1-1. This is useful when a different MTU should apply only to particular users within the same Group Policy, for example when a smaller MTU (1300) is needed because of a specific user's connection environment.

Below is a configuration example that adds the attribute in Cisco Secure ACS 5.x, assuming AnyConnect users are authenticated against ACS via RADIUS.


1. Go to [Users and Identity Stores] > [Identity Groups]. Create a new group to hold the AnyConnect users the MTU should apply to.

2. Go to [Users and Identity Stores] > [Internal Identity Stores] > [Users]. Select the target users, click [Edit], and assign the group created in step 1 under [Identity Groups].

3. Go to [Policy Elements] > [Authorization and Permissions] > [Network Access] > [Authorization Profiles] and create a profile. See the figure below for an example of the attribute configuration.

4. Go to [Access Policies] > [Access Service] (the one used by the ASA). Click [Authorization] and create an authorization policy: set the group created in step 1 as the Identity Groups condition and select the profile created in step 3 as the Authorization Profile.


acs-svc-mtu.png

In this configuration example, MTU 1300 will be applied only to the users stored in the Group created at step 1.



Note: When a local user database is used instead of RADIUS, the MTU can still be set per user by selecting [VPN Policy] > [AnyConnect Client] for that user.
 


2. AnyConnect MTU Operation Overview

2-1. Calculating the Overhead (DTLS)


The DTLS overhead depends on the cipher and the MAC algorithm in use. It is computed with the formula below; with AES and SHA-1 the maximum is 94 bytes (the worst case of 16 bytes of padding).

20 (IP header) + 8 (UDP header) + 13 (DTLS header) + 8/16 (IV, DES/AES) + 1 (CDTP) + 1-8/16 (CBC padding including the pad-length byte, DES/AES) + 20 (MAC, SHA-1)

 


2-2. Reflecting to AnyConnect VA

 

When an AnyConnect connection is established, the MTU applied to the AnyConnect virtual adapter (VA) is negotiated between AnyConnect and the ASA. Note that the MTU configured in DfltGrpPolicy or a custom Group Policy is not simply copied to the VA; the MTU of the PC's physical NIC is also taken into account. Specifically:

If AnyConnect MTU < (MTU of physical NIC - overhead), the AnyConnect MTU is applied to the VA.
If AnyConnect MTU > (MTU of physical NIC - overhead), the value (MTU of physical NIC - overhead) is applied to the VA.

 


The MTU determination can be followed in the output of "debug webvpn anyconnect 1". Below is an example debug output where the physical NIC MTU is 1500, the AnyConnect MTU is 1406, and DTLS is enabled using aes128-sha1.
 

 

Processing CSTP header line: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
--- Snip ---
Iphdr = 20 Base-mtu = 1500 def-mtu = 1500 conf-mtu = 1406
tcp-mss = 1460
path-mtu = 1460 (mss)
mtu = 1460 (path-mtu) - 0 (opts) - 5 (ssl) - 8 (cstp) = 1447
tls-mtu = 1447 (mtu) - 20 (mac) = 1427
DTLS Block size = 16
mtu = 1500 (base-mtu) - 20 (ip) - 8 (udp) - 13 (dtlshdr) - 16 (dtlsiv) = 1443
mod-mtu = 1443 (mtu) & 0xfff0 (complement) = 1440
dtls-mtu = 1440 (mod-mtu) - 1 (cdtp) - 20 (mac) - 1 (pad) = 1418
computed tls-mtu = 1427 dtls-mtu = 1418 conf-mtu = 1406
override computed tls-mtu = 1427 with conf-mtu = 1406
DTLS enabled for intf = 2 (outside)
override computed dtls-mtu = 1418 with conf-mtu = 1406
tls-mtu = 1406 dtls-mtu = 1406

 

Applying the formula from 2-1 to this output: the AES block size is 16, 3 bytes of alignment padding are absorbed by rounding 1443 down to 1440, and the pad-length byte adds one more, so the overhead is 82 and the computed DTLS MTU is 1500 - 82 = 1418. However, the maximum configurable AnyConnect MTU is 1406, and because 1418 is larger than 1406 the computed value is overridden by 1406, which is the MTU assigned to the AnyConnect VA. Below is the assigned MTU as confirmed on Windows 7 (Local Area Connection 2 is the AnyConnect VA).

 

cmd.png

 

Here is another example. Below is the debug output when the physical NIC MTU is 1448, the AnyConnect MTU is 1406, and DTLS is enabled using aes128-sha1.
 

Processing CSTP header line: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
--- Snip ---
Iphdr = 20 Base-mtu = 1448 def-mtu = 1500 conf-mtu = 1406
tcp-mss = 1360
path-mtu = 1360 (mss)
mtu = 1360 (path-mtu) - 0 (opts) - 5 (ssl) - 8 (cstp) = 1347
tls-mtu = 1347 (mtu) - 20 (mac) = 1327
DTLS Block size = 16
mtu = 1448 (base-mtu) - 20 (ip) - 8 (udp) - 13 (dtlshdr) - 16 (dtlsiv) = 1391
mod-mtu = 1391 (mtu) & 0xfff0 (complement) = 1376
dtls-mtu = 1376 (mod-mtu) - 1 (cdtp) - 20 (mac) - 1 (pad) = 1354
computed tls-mtu = 1327 dtls-mtu = 1354 conf-mtu = 1406
DTLS enabled for intf = 2 (outside)
tls-mtu = 1327 dtls-mtu = 1354

Applying the formula from 2-1 again: the AES block size is 16, 15 bytes of alignment padding are absorbed by rounding 1391 down to 1376, and with the pad-length byte the padding reaches its maximum of 16, so the overhead is the maximum of 94. 1448 - 94 = 1354 is the computed DTLS MTU. Since 1354 is smaller than 1406, 1354 is the MTU assigned to the VA. Below is the assigned MTU as confirmed on Windows 7 (Local Area Connection 2 is the AnyConnect VA).

 

cmd2.png

 

The table below is reference information: it shows the MTU assigned to the AnyConnect VA as the MTU of the physical NIC is decreased, with the AnyConnect MTU left at 1406 and aes128-sha1 in use. The DTLS overhead behaves as the formula in 2-1 predicts; a value in parentheses is the computed value before the 1406 override.

Physical NIC MTU   AnyConnect MTU (VA)   Overhead
1500               1406 (1418) *1        94 (82)
1499               1406 (1418)           93 (81)
1498               1406 (1418)           92 (80)
1497               1406 (1418)           91 (79)
1496               1402                  94
1481               1402                  79
1480               1386                  94
1465               1386                  79
1464               1370                  94
1449               1370                  79
1448               1354                  94

*1 The value after subtracting the overhead is 1418, but since it is larger than 1406 the MTU is 1406.
 

In an environment using DTLS, the DTLS MTU is what gets applied to the VA, so this article focuses on DTLS operation. The TLS/SSL overhead calculation also appears in the debug output above (the tls-mtu lines). Comparing the TLS MTU with the DTLS MTU in that output, there are two possible scenarios: 1. both the DTLS and the TLS MTU are overridden by the configured AnyConnect MTU, so they end up with the same value; 2. DTLS and TLS end up with different MTU values. In the latter scenario, if the connection switches from DTLS to TLS during communication, the TLS MTU is reassigned to the VA, AnyConnect reconnects, and communication is momentarily affected. In the former scenario the DTLS and TLS MTUs are equal, so no MTU reassignment takes place on fallback and no reconnect occurs.
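The arithmetic of this section, as an added example that is not part of the original document or of Cisco's code: a small Python model that reproduces the tls-mtu and dtls-mtu lines of the debug output, applies the conf-mtu override, and reports which value lands on the VA and whether a DTLS-to-TLS fallback would reassign it (the two scenarios above). The header constants are the ones printed in the debug output (aes128-sha1); the override rule and the "DTLS MTU goes to the VA" rule are the behaviour described in this section. Treating the TCP MSS as an input rather than deriving it from the NIC MTU follows the second debug example, where base-mtu is 1448 but tcp-mss is 1360; the 1400-byte base-mtu used for the 1300 case in the main block is an assumption inferred from the computed dtls-mtu of 1306 shown in 3-1.

```python
"""
Added example (not Cisco code): reproduce the MTU arithmetic that
"debug webvpn anyconnect 1" prints for the TLS (CSTP over TCP) and DTLS
(CDTP over UDP) tunnels, apply the group-policy conf-mtu override, and
report which value is assigned to the AnyConnect virtual adapter (VA).
"""

IP_HDR, UDP_HDR, DTLS_HDR = 20, 8, 13     # outer headers of a DTLS datagram
SSL_HDR, CSTP_HDR = 5, 8                 # TLS record header + CSTP framing
CDTP_HDR, PAD_LEN = 1, 1                 # CDTP byte + mandatory CBC pad-length byte
MAC_SHA1 = 20                            # SHA-1 MAC, as in aes128-sha1
CONF_MTU_MAX = 1406                      # largest value the group policy accepts


def tls_mtu(tcp_mss, mac=MAC_SHA1, opts=0):
    """TLS tunnel MTU.  path-mtu is the negotiated TCP MSS of the parent
    session (taken from the TCP handshake, not from the NIC MTU)."""
    mtu = tcp_mss - opts - SSL_HDR - CSTP_HDR
    return mtu - mac


def dtls_mtu(base_mtu, block_size=16, mac=MAC_SHA1):
    """DTLS tunnel MTU.  The CBC IV costs one block; the remaining payload is
    rounded down to a block multiple (the '& 0xfff0' line), then the CDTP
    byte, MAC and pad-length byte are subtracted."""
    mtu = base_mtu - IP_HDR - UDP_HDR - DTLS_HDR - block_size
    mod_mtu = mtu & ~(block_size - 1)    # 0xfff0 for AES, 0xfff8 for DES
    return mod_mtu - CDTP_HDR - mac - PAD_LEN


def dtls_overhead(base_mtu, **kw):
    """Total DTLS overhead per section 2-1: 82 for a 1500-byte NIC, 94 at most."""
    return base_mtu - dtls_mtu(base_mtu, **kw)


def negotiate(base_mtu, tcp_mss, conf_mtu=CONF_MTU_MAX, dtls=True):
    """Mirror the 'override computed ... with conf-mtu' logic.  Returns the
    final TLS/DTLS MTUs, the value applied to the VA, and whether a
    DTLS->TLS fallback would reassign the VA MTU (scenario 2: reconnect)."""
    conf_mtu = min(conf_mtu, CONF_MTU_MAX)
    tls = min(tls_mtu(tcp_mss), conf_mtu)
    result = {"tls_mtu": tls, "dtls_mtu": None, "va_mtu": tls,
              "reconnect_on_fallback": False}
    if dtls:
        d = min(dtls_mtu(base_mtu), conf_mtu)
        result.update(dtls_mtu=d, va_mtu=d, reconnect_on_fallback=(d != tls))
    return result


if __name__ == "__main__":
    # The two debug examples above and the conf-mtu 1300 case from 3-1
    # (base-mtu 1400 for that case is an assumption, see lead-in).
    for base, mss, conf in ((1500, 1460, 1406), (1448, 1360, 1406), (1400, 1360, 1300)):
        print(f"nic={base} mss={mss} conf={conf} -> {negotiate(base, mss, conf)}")
    # Rows of the reference table: VA MTU and overhead as the NIC MTU shrinks.
    for nic in (1500, 1499, 1497, 1496, 1481, 1480, 1449, 1448):
        print(f"nic={nic} dtls-mtu={dtls_mtu(nic)} overhead={dtls_overhead(nic)}")
```

Running the block prints the three negotiation cases and the table rows; a result with reconnect_on_fallback set to True is exactly the configuration that exhibits the reconnect described in the case study.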




 

2-3. MTU Discovery Process
 

Once DTLS has been established, the AnyConnect client sends a DPD ping of the maximum transferable size from the VA to the ASA. If no response is received from the ASA, it reduces the size by 32 bytes and sends the DPD ping again, repeating until a response arrives; the size that got through is then applied to the VA as the optimal MTU. This implementation is described at the following links:

Optimal MTU (OMTU)
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac13managemonitortbs.html#pgfId-1058579



 

MTU Automatically Adjusted When Using DTLS
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyc...


If a recalculation of MTU occurs after a failed DPD ping, the following log will be recorded in the AnyConnect DART event log.
 

Description: Function: CCdtpProtocol::OnTunnelReadComplete
File: .\CdtpProtocol.cpp
Line: 525
Invoked Function: CTunnelProtocolDpdMgr::handleDpdResponse
Return Code: -25952245 (0xFE74000B)
Description: TUNNELPROTOCOLDPDMGR_ERROR_INCORRECT_TUNNEL_MTU: The client detected via the DPD mechanism that the current tunnel MTU was incorrect.

Description: Function: CTunnelProtocolDpdMgr::handleExpiredMtuDPD
File: .\TunnelProtocolDpdMgr.cpp
Line: 460
Lower padding to 1374 (DTLS / CDTP)

This function is implemented for DTLS and TLS only and does not apply to IKEv2. As the release note linked above points out, with IKEv2 it is recommended to lower the MTU manually as needed. Note also that OMTU only works on paths where oversized packets are discarded without being fragmented. On a path that fragments the DPD ping, the fragments still reach the ASA and the ASA returns a response, so no adjustment is made.
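The probing loop, as an added simulation that is not part of the original document or of AnyConnect itself: a Python model of the OMTU discovery in which the path either black-holes oversized datagrams (the loop converges on the largest size that is answered) or fragments them (the very first ping is answered, so the MTU is never lowered, which is the caveat described above). The Path class, its max_inner threshold and the 576-byte floor are assumptions made for the example; the 32-byte step, the starting size (the VA MTU) and the "Lower padding to N (DTLS / CDTP)" log line come from the text and DART excerpt above.

```python
"""
Added example (not Cisco code): simulate the OMTU loop of section 2-3.
Start at the VA MTU, send a DPD ping of that size, lower the size by 32 on
timeout, and apply the first size that is answered.  The path model below is
an assumption for the example, not a description of any real network.
"""

OMTU_STEP = 32      # the 32-byte decrement described in 2-3
OMTU_FLOOR = 576    # assumed lower bound so the loop terminates (not documented)


class Path:
    """Network between the VA and the ASA (assumed model).  max_inner is the
    largest DPD payload whose outer DTLS datagram still fits the path without
    fragmentation; fragments=True means routers fragment instead of dropping."""

    def __init__(self, max_inner, fragments=False):
        self.max_inner = max_inner
        self.fragments = fragments

    def dpd_ping(self, size):
        """True if the ASA's DPD response comes back for a ping of this size."""
        if size <= self.max_inner:
            return True
        # Oversized: a fragmenting path still delivers it and the ASA answers;
        # a black-holing path drops it silently (no ICMP, so only a timeout).
        return self.fragments


def omtu_discover(start_mtu, path, step=OMTU_STEP, floor=OMTU_FLOOR):
    """Return (mtu applied to the VA or None, probe sizes sent, log lines).
    None means nothing was answered down to the floor, i.e. a DPD failure
    rather than an MTU problem."""
    probes, log = [], []
    mtu = start_mtu
    while mtu >= floor:
        probes.append(mtu)
        if path.dpd_ping(mtu):
            return mtu, probes, log
        # DART shows TUNNELPROTOCOLDPDMGR_ERROR_INCORRECT_TUNNEL_MTU here,
        # followed by the line logged below.
        mtu -= step
        log.append(f"Lower padding to {mtu} (DTLS / CDTP)")
    return None, probes, log


if __name__ == "__main__":
    va_mtu = 1406
    # Black-holing path: OMTU walks 1406 -> 1374 -> 1342 and applies 1342.
    print(omtu_discover(va_mtu, Path(max_inner=1350)))
    # Same limit, but the path fragments: first ping answered, nothing adjusted.
    print(omtu_discover(va_mtu, Path(max_inner=1350, fragments=True)))
```

The second case is the one to recognise in the field: a path that fragments instead of dropping leaves the VA at 1406 even though the true path MTU is lower, so OMTU cannot be relied on there and the AnyConnect MTU has to be lowered in the group policy instead.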
 

 


3. Case Study

3-1. A Reconnect Occurs About One Minute After Connecting to AnyConnect


[Phenomenon Overview]

A reconnect occurs about one minute after connecting to AnyConnect. It does not recur afterwards, but disconnecting and connecting again reproduces it. Although the AnyConnect status shows Connected during that minute, actual communication is not established until the reconnect has taken place.

 

[Cause]

The following tech note describes a situation in which this happens frequently.

http://www.cisco.com/en/US/products/ps10884/products_tech_note09186a0080c1fadf.shtml


As described in 2-2, when DTLS is enabled the ASA and AnyConnect calculate an MTU for both TLS and DTLS. When the parent session is established over TLS, the MTU calculated for DTLS is applied to the AnyConnect VA on the assumption that the DTLS connection will be established. If the DTLS connection fails, data communication falls back to TLS, the TLS MTU is re-applied to the VA, and that reassignment causes the reconnect. The fallback to TLS takes approximately one minute, and during that time data communication is affected as well.


[Workaround]

Make sure no device on the path, such as a firewall, prevents DTLS from being established (i.e. blocks UDP 443), and ensure UDP 443 is reachable.

As a temporary workaround, prepare a Group Policy that does not use DTLS and move the affected users to it. If a local user database is used for authentication, DTLS can also be disabled per user.

Note that the phenomenon does not occur when the MTU is the same for TLS and DTLS, because then the MTU is not re-applied to the VA during the DTLS-to-TLS switchover.

Another effective workaround is therefore to configure the AnyConnect MTU so that both the DTLS and the TLS MTU are overridden by it, in other words set the AnyConnect MTU small enough to be below both computed values.


A case where no reconnect occurs (first example from 2-2, NIC MTU 1500, AnyConnect MTU 1406: both values are overridden and match)

override computed tls-mtu = 1427 with conf-mtu = 1406
DTLS enabled for intf = 2 (outside)
override computed dtls-mtu = 1418 with conf-mtu = 1406
tls-mtu = 1406 dtls-mtu = 1406

The case that reconnected (computed tls-mtu 1327, as in the second example from 2-2) after the AnyConnect MTU is set to 1300: both values are now overridden and match, so the reconnect no longer occurs

override computed tls-mtu = 1327 with conf-mtu = 1300
DTLS enabled for intf = 2 (outside)
override computed dtls-mtu = 1306 with conf-mtu = 1300
tls-mtu = 1300 dtls-mtu = 1300

Related Information

Original Document: https://supportforums.cisco.com/ja/document/12067766
Author: Shinpei Kono
Posted on January 26, 2014

 
