11-30-2010 03:59 AM - edited 03-11-2019 12:16 PM
Hi,
This one has been puzzling me a bit.
We have been having continuous MTU issues when surfing certain websites. Our MTU is set to 1454 on a PPPoE connection (which works with a laptop directly connected), and when I try to browse certain websites (like www.cisco.com) I get the following errors in the syslog:
PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=[WANIP], src_addr=[Random website], prot=tcp
PMTU-D packet 1300 bytes greater than effective mtu 1050....
I know that PMTU relies on ICMP which I have allowed and I have also made sure that the default inspection has ICMP and ICMP Error ticked in ASDM.
I know a lot of people have these issues with site2site VPN (my site-to-site VPNs are fine; it's just external website browsing).
I am at a bit of a loss and any help would really be appreciated.
Cisco also has an article about this but with my version of ASA "exceed-mss allow" seems to be a default setting.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
*attached current config*
Cheers!
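An added example, not part of the original post: a small parser for the two ASA syslog message formats quoted in this thread (the PMTU-D "greater than effective mtu" message and the "No matching connection for ICMP error message" drop), which pulls out the effective MTU and the oversized packet sizes and derives the TCP MSS that would fit that MTU. The sample log lines and addresses are constructed placeholders, and the 40-byte header figure assumes IPv4 and TCP without options.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the messages quoted in this thread (placeholder addresses).
SAMPLE_LOG = """\
PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=203.0.113.10, src_addr=198.51.100.7, prot=tcp
PMTU-D packet 1300 bytes greater than effective mtu 1050, dest_addr=203.0.113.10, src_addr=198.51.100.8, prot=tcp
No matching connection for ICMP error message: icmp src outside:198.51.100.9 dst inside:203.0.113.10 (type 11, code 1) on outside interface. Original IP payload: udp src 203.0.113.10 dst 198.51.100.9
"""

PMTU_RE = re.compile(
    r"PMTU-D packet (?P<size>\d+) bytes greater than effective mtu (?P<mtu>\d+),"
    r" dest_addr=(?P<dst>\S+), src_addr=(?P<src>\S+), prot=(?P<proto>\w+)"
)
ICMP_ERR_RE = re.compile(
    r"No matching connection for ICMP error message: icmp src (?P<src>\S+) dst (?P<dst>\S+)"
    r" \(type (?P<type>\d+), code (?P<code>\d+)\)"
)
TCP_IP_HEADERS = 40  # IPv4 + TCP headers without options (assumption used for the MSS figure)

def parse_pmtud(lines):
    """Return one dict per PMTU-D message: packet size, effective MTU, peers, protocol."""
    events = []
    for m in filter(None, map(PMTU_RE.search, lines)):
        e = m.groupdict()
        e["size"], e["mtu"] = int(e["size"]), int(e["mtu"])
        events.append(e)
    return events

def summarize(events):
    """Smallest effective MTU seen, largest oversized packet, and the TCP MSS that fits that MTU."""
    if not events:
        return None
    eff_mtu = min(e["mtu"] for e in events)
    return {
        "count": len(events),
        "effective_mtu": eff_mtu,
        "max_packet": max(e["size"] for e in events),
        "mss_for_effective_mtu": eff_mtu - TCP_IP_HEADERS,
    }

def count_icmp_errors(lines):
    """Count ICMP error messages the ASA dropped for lack of a matching connection, by (type, code)."""
    counts = Counter()
    for m in filter(None, map(ICMP_ERR_RE.search, lines)):
        counts[(int(m["type"]), int(m["code"]))] += 1
    return counts
```

Feed it `show logging` output split into lines; a large ICMP-error drop count alongside PMTU-D messages is the pattern to look for before changing interface MTU or fragment settings.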
11-30-2010 04:00 AM
11-30-2010 05:47 AM
Some layer 3 device in the path has a lower MTU configured. You can try to change the MTU on the firewall and see if this helps. This will increase the number of packets.
conf t
mtu outside 1050
-KS
11-30-2010 02:59 PM
Thanks for your response.
I tried to drop the MTU down as low as that but still no success. I can still see the PMTU-D errors, and I started to get ICMP drops:
4 Dec 01 2010 07:55:29 No matching connection for ICMP error message: icmp src outside:ExternalIP dst inside:WANIP (type 11, code 1) on outside interface. Original IP payload: udp src WANIP dst ExternalIP
The ASA is directly connected to an ONU for internet access and it's using PPPoE. The static IP is assigned automatically.
11-30-2010 03:56 PM
On the ASDM when I go to Firewall -> Advanced -> Fragment I see the below.
Interface: inside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 1, Overflow: 0
Interface: outside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 282, Fail: 13235, Overflow: 0
Outside and inside interfaces are both set to
Size 200
Chain Length 24
Timeout 5
Not sure if that helps.
11-30-2010 07:05 PM
That sure helps.
You can add the following and see if it helps.
hostname(config)# fragment size 2000 outside
hostname(config)# fragment chain 45 outside
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1934777
Refer to this link as well: http://www.cisco.com/en/US/tech/tk175/tk15/technologies_tech_note09186a0080093bc7.shtml
Dr. TCP is a great tool to test.
-KS