
New Member

How to use CSM Variable DEST_UNREACHABLE_MASK

Hello,

We have some VPN customers complaining about accessing SAP via the CSM. Direct access to the servers works fine. Based on the situation, we think that the CSM is not passing on ICMP Unreachables (RFC 792) from the firewalls to the servers so that MSS can be lowered.

I think the variable DEST_UNREACHABLE_MASK can help solve this issue but I don't know how to use it to allow ICMP Unreachables to the servers.

Thanks,

Murtaza

4 REPLIES
Cisco Employee

Re: How to use CSM Variable DEST_UNREACHABLE_MASK

By default the CSM does allow all unreachable messages.

This is what you should see:

gdufour-cat6k-2#sho mod csm 3 var | i DEST

DEST_UNREACHABLE_MASK 0xffff

If you do not have 0xffff, then it means you changed the default and should reset back to the default.

Regarding your primary issue, I would recommend taking a sniffer trace of the CSM portchannel to see why the VPN connection fails.

Gilles.
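
One way to read the sniffer traces suggested above, as an added example that is not part of the original thread: decode each ICMP Destination Unreachable, pull out the RFC 1191 next-hop MTU and the quoted TCP flow, and list the unreachables seen on the client side of the CSM that have no counterpart on the server side. It assumes the packets are already extracted as raw IPv4 bytes and that the CSM leaves the client IP, client port and TCP sequence number unchanged; all addresses, ports and function names are constructed for illustration.

```python
import socket
import struct

def _ip(src, dst, proto, payload):
    # Minimal IPv4 header for the constructed samples (checksum left 0, not validated below).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_unreachable(src, dst, code, mtu, o_src, o_dst, sport, dport, seq):
    """Constructed test packet: ICMP type 3 quoting the first 8 bytes of a TCP segment."""
    quoted = _ip(o_src, o_dst, 6, struct.pack("!HHI", sport, dport, seq))
    return _ip(src, dst, 1, struct.pack("!BBHHH", 3, code, 0, 0, mtu) + quoted)

def parse_unreachable(pkt):
    """Decode an ICMP Destination Unreachable quoting a TCP flow, else return None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # IPv4, protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp, quoted = pkt[ihl:ihl + 8], pkt[ihl + 8:]
    if ihl < 20 or len(icmp) < 8 or icmp[0] != 3 or len(quoted) < 20:
        return None
    code, mtu = icmp[1], struct.unpack("!H", icmp[6:8])[0]
    q_ihl = (quoted[0] & 0x0F) * 4
    l4 = quoted[q_ihl:q_ihl + 8]
    if quoted[9] != 6 or q_ihl < 20 or len(l4) < 8:        # only quoted TCP is of interest
        return None
    _sport, dport, seq = struct.unpack("!HHI", l4)
    frag_needed = code == 4            # RFC 792: fragmentation needed and DF set
    return {
        "code": code,
        "next_hop_mtu": mtu if frag_needed else None,      # RFC 1191 field, 0 on old routers
        "mss": mtu - 40 if frag_needed and mtu > 40 else None,  # minus IPv4 + TCP headers
        "flow": (socket.inet_ntoa(quoted[16:20]), dport, seq),  # client IP, client port, seq
    }

def not_forwarded(client_side, server_side):
    """Unreachables in the client-side capture with no matching flow on the server side."""
    seen = {p["flow"] for p in map(parse_unreachable, server_side) if p}
    return [p for p in map(parse_unreachable, client_side) if p and p["flow"] not in seen]

# Constructed sample: 192.0.2.1 firewall, 192.0.2.10 VIP, 10.0.0.5 real server, 198.51.100.7 client.
CLIENT_SIDE = [
    build_unreachable("192.0.2.1", "192.0.2.10", 4, 1400, "192.0.2.10", "198.51.100.7", 3200, 50001, 1000),
    build_unreachable("192.0.2.1", "192.0.2.10", 4, 1400, "192.0.2.10", "198.51.100.7", 3200, 50002, 2000),
]
SERVER_SIDE = [
    build_unreachable("192.0.2.1", "10.0.0.5", 4, 1400, "10.0.0.5", "198.51.100.7", 3200, 50001, 1000),
]
```

Any entry returned by `not_forwarded(CLIENT_SIDE, SERVER_SIDE)` is a fragmentation-needed message the server never received, which is useful evidence to attach to a support case.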

New Member

Re: How to use CSM Variable DEST_UNREACHABLE_MASK

We took a trace and it looks like the CSM is not forwarding the ICMP unreachable to the backend system. I have checked the mask and it looks ok on the device.

-M

Cisco Employee

Re: How to use CSM Variable DEST_UNREACHABLE_MASK

Open a service request with the TAC and if necessary they will escalate it to me.

Send me the case # if you want me to have an early look.

Gilles.

New Member

Re: How to use CSM Variable DEST_UNREACHABLE_MASK

The TAC SR number is 608638139. I have already attached the sniffer trace and sh tech to the case.

-M
