
ASA5505 8.2(3) has trouble browsing websites - PMTU-D errors

carl-eire
Level 1

Hi,


This one has been puzzling me a bit.

We have been having continuous MTU issues when surfing certain websites. Our MTU is set to 1454 on a PPPoE connection (which works with a laptop directly connected), and when I try to browse certain websites (like www.cisco.com) I get the following errors in the syslog:

PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=[WANIP], src_addr=[Random website], prot=tcp

PMTU-D packet 1300 bytes greater than effective mtu 1050....

I know that PMTU relies on ICMP which I have allowed and I have also made sure that the default inspection has ICMP and ICMP Error ticked in ASDM.

I know a lot of people have these issues with site-to-site VPN (my site-to-site VPNs are fine; it's just external website browsing).

I am at a bit of a loss and any help would really be appreciated.

Cisco also has an article about this but with my version of ASA "exceed-mss allow" seems to be a default setting.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

*attached current config*

Cheers!

5 Replies

carl-eire
Level 1

Sorry, quick update: I am running 8.2(3), not (2).

Some layer 3 device in the path has a lower MTU configured. You can try to change the MTU on the firewall and see if this helps. This will increase the number of packets.

conf t

mtu outside 1050

-KS

Thanks for your response.

I tried to drop the MTU down as low as that, but still no success. I can still see the PMTU-D errors, and I started to get ICMP drops:

4    Dec 01 2010    07:55:29                        No matching connection for ICMP error message: icmp src outside:ExternalIP dst inside:WANIP (type 11, code 1) on outside interface.  Original IP payload: udp src WANIP dst ExternalIP

The ASA is directly connected to an ONU for internet access and it's using PPPoE. The static IP is assigned automatically.

On the ASDM, when I go to Firewall -> Advanced -> Fragment, I see the below.

Interface: inside
    Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Queue: 0, Assembled: 0, Fail: 1, Overflow: 0
Interface: outside
    Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Queue: 0, Assembled: 282, Fail: 13235, Overflow: 0

Outside and inside interfaces are both set to:
Size 200
Chain Length 24
Timeout 5

Not sure if that helps.

That sure helps.

You can add the following and see if it helps.

hostname(config)# fragment size 2000 outside
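The thread quotes two kinds of ASA syslog messages (the PMTU-D lines in the opening post and the "No matching connection for ICMP error message" line in the follow-up) and a set of fragment counters, but reasoning about them by eye is tedious once there are thousands of lines. The following Python script is an added example, not code from the thread or from Cisco: it parses both message types from a syslog excerpt, reports the largest offending packet against the effective MTU the ASA believes is in force, derives the TCP MSS that would fit that MTU (MTU minus 20 bytes of IPv4 header and 20 bytes of TCP header), and counts ICMP type 11 / code 1 ("fragment reassembly time exceeded") reports so they can be compared with the Fail counter shown under Firewall -> Advanced -> Fragment. The sample log lines are constructed on the pattern of the thread's messages using documentation addresses; the `summarize` function and its field names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the syslog lines quoted in the thread.
# Addresses come from RFC 5737 documentation ranges and are not real hosts.
SAMPLE_LOG = """\
PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=203.0.113.10, src_addr=198.51.100.5, prot=tcp
PMTU-D packet 1300 bytes greater than effective mtu 1050, dest_addr=203.0.113.10, src_addr=198.51.100.6, prot=tcp
4    Dec 01 2010    07:55:29    No matching connection for ICMP error message: icmp src outside:198.51.100.7 dst inside:203.0.113.10 (type 11, code 1) on outside interface.  Original IP payload: udp src 203.0.113.10 dst 198.51.100.7
6    Dec 01 2010    07:55:30    Built outbound TCP connection 4711 for outside:198.51.100.5/80 to inside:192.168.1.10/50000
"""

PMTUD_RE = re.compile(
    r"PMTU-D packet (?P<size>\d+) bytes greater than effective mtu (?P<mtu>\d+), "
    r"dest_addr=(?P<dst>\S+), src_addr=(?P<src>\S+), prot=(?P<proto>\w+)"
)
ICMP_ERR_RE = re.compile(
    r"No matching connection for ICMP error message: icmp src (?P<src_if>\w+):(?P<src>\S+) "
    r"dst (?P<dst_if>\w+):(?P<dst>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# IPv4 and TCP headers without options, so MSS = MTU - 40.
IPV4_HEADER = 20
TCP_HEADER = 20

# ICMP type/code pairs that matter when chasing MTU trouble (RFC 792 / RFC 1191).
ICMP_NAMES = {
    (3, 4): "destination unreachable: fragmentation needed and DF set",
    (11, 0): "time exceeded: TTL exceeded in transit",
    (11, 1): "time exceeded: fragment reassembly time exceeded",
}


@dataclass
class PmtudEvent:
    size: int
    effective_mtu: int
    src: str
    dst: str
    proto: str

    @property
    def excess(self) -> int:
        """How far the packet overshoots the MTU the ASA thinks is in effect."""
        return self.size - self.effective_mtu


def parse_pmtud(line: str) -> Optional[PmtudEvent]:
    """Return a PmtudEvent for a PMTU-D syslog line, or None for any other line."""
    m = PMTUD_RE.search(line)
    if not m:
        return None
    return PmtudEvent(int(m["size"]), int(m["mtu"]), m["src"], m["dst"], m["proto"])


def parse_icmp_error(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a 'No matching connection for ICMP error message' line."""
    m = ICMP_ERR_RE.search(line)
    if not m:
        return None
    t, c = int(m["type"]), int(m["code"])
    return {
        "src": m["src"], "dst": m["dst"], "ingress": m["src_if"],
        "type": t, "code": c,
        "meaning": ICMP_NAMES.get((t, c), "other"),
    }


def summarize(log_text: str) -> Dict[str, object]:
    """Reduce a syslog excerpt to the numbers needed to reason about the MTU problem."""
    pmtud: List[PmtudEvent] = []
    icmp: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_pmtud(line)
        if ev:
            pmtud.append(ev)
            continue
        err = parse_icmp_error(line)
        if err:
            icmp.append(err)
    mtus = sorted({e.effective_mtu for e in pmtud})
    effective = mtus[0] if mtus else None
    return {
        "pmtud_events": len(pmtud),
        "largest_packet": max((e.size for e in pmtud), default=None),
        "effective_mtus": mtus,
        "max_excess": max((e.excess for e in pmtud), default=None),
        # MSS a TCP peer would have to honour for its segments to fit the effective MTU.
        "tcp_mss_for_effective_mtu": (effective - IPV4_HEADER - TCP_HEADER) if effective else None,
        "icmp_errors": icmp,
        "reassembly_timeouts": sum(1 for e in icmp if (e["type"], e["code"]) == (11, 1)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Feed it the output of `show logging` (or a syslog server export) in place of SAMPLE_LOG. The `tcp_mss_for_effective_mtu` figure is the value to compare against whatever MSS clamp the firewall applies; a steady stream of PMTU-D events whose `max_excess` is large, combined with a growing `reassembly_timeouts` count, points at a path MTU below what the endpoints assume rather than at a single misbehaving site.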
