Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
405
Views
0
Helpful
1
Replies

ISA client connectivity problem over IPSEC L2L VPN

jorjes1984
Level 1
Level 1

‎11-09-2009 04:37 AM - edited ‎03-11-2019 09:37 AM

HI,

I am facing a problem in Site to Site VPN.

There is only an IPSEC VPN between 2 sites where all LAN to LAN traffic (TCP and UDP) is included in the CRYPTO ACL.

Also note that there is a GRE Tunnel between the 2 sites, on which the Crypto map is applied.

All kind of communication is working successfully between the 2 sites except for the ISA Client connectivity.

There is a special Application over the internet that needs users to connect to the ISA server using the ISA client at the user side. When applying the CRYPTO MAP Over the GRE TUnnel, the ISA client is unable to Connect

When removing the Crypto MAP, the Isa Client is able to connect successfully

I tried to change the Transform Set and Phase 1 settings, but still same problem

Has anyone had a similar problem?

Regards,

Labels:
0 Helpful
1 Reply 1

Ivan Martinon
Level 7
Level 7

‎12-02-2009 10:28 AM

This seems like an mtu issue, having GRE/IPSec adds overhead to the packet and by removing the ipsec part you only leave the GRE header, my advise would be to decrease your mtu on the tunnel interfaces to be around 1400 bytes or to use tcp mss enforcing on the internal interface to be around 1300, the last one useful only if the transaction goes over TCP of course.

internal interface

      ip tcp adjust-mss 1300

tunel interface

ip mtu 1400

Try either one, or make sure you enable the router to clear the df bit to allow fragmentation.

Ivan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card