ISA client connectivity problem over IPSEC L2L VPN
I am facing a problem in Site to Site VPN.
There is only an IPSEC VPN between 2 sites where all LAN to LAN traffic (TCP and UDP) is included in the CRYPTO ACL.
Also note that there is a GRE Tunnel between the 2 sites, on which the Crypto map is applied.
All kind of communication is working successfully between the 2 sites except for the ISA Client connectivity.
There is a special Application over the internet that needs users to connect to the ISA server using the ISA client at the user side. When applying the CRYPTO MAP Over the GRE TUnnel, the ISA client is unable to Connect
When removing the Crypto MAP, the Isa Client is able to connect successfully
I tried to change the Transform Set and Phase 1 settings, but still same problem
Re: ISA client connectivity problem over IPSEC L2L VPN
This seems like an mtu issue, having GRE/IPSec adds overhead to the packet and by removing the ipsec part you only leave the GRE header, my advise would be to decrease your mtu on the tunnel interfaces to be around 1400 bytes or to use tcp mss enforcing on the internal interface to be around 1300, the last one useful only if the transaction goes over TCP of course.
ip tcp adjust-mss 1300
ip mtu 1400
Try either one, or make sure you enable the router to clear the df bit to allow fragmentation.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :