New Member

problem with remote access vpn

Hi All,

I am facing slow connectivity issues when connected to the remote access VPN.

I am able to RDP to the server; initially it works fine, but once I execute some queries or commands it freezes.

Speed is also good. When I ping the far-end peer IP from a Windows machine, it displays "packet needs to be fragmented but DF set".

Shall I change the tcp-mss value? If I do, does it have any reverse effect on other traffic?

30 REPLIES
VIP Green

problem with remote access vpn

I would suggest trying to change the MSS to something like 1400:

ip tcp adjust-mss 1400

--

Please remember to rate and select a correct answer
New Member

problem with remote access vpn

Thanks. Does it have a reverse impact on other traffic?

VIP Green

problem with remote access vpn

What impact does the reverse traffic experience?

--

Please remember to rate and select a correct answer
New Member

problem with remote access vpn

Hi

With the current MSS settings (1480) it works fine when there is no traffic load on the network.

During peak working hours users start facing slowness problems.

Currently I have prioritized traffic with max bandwidth.

VIP Green

problem with remote access vpn

Have you tried lowering the MTU? Lower it to 1200.

--

Please remember to rate and select a correct answer
New Member

problem with remote access vpn

Currently it is set to 1500. I will check and let you know.

Thanks for your guidance

New Member

problem with remote access vpn

No luck. Are there any other parameters that need to be checked?

New Member

problem with remote access vpn

Hi,

Below are my inputs.

1. Users can easily connect to the remote access SSL VPN and RDP to the virtual machine.

Note: On my end we have an ASA firewall and at the far end it is a Juniper firewall.

2. Once they connect to the virtual machine they start executing their work; after every 10 to 15 min their machine suddenly freezes and they cannot even move the mouse. After one minute it becomes normal.

Note: This issue occurs for all users simultaneously connected to that machine at the SAME time.

3. Changed the MSS and MTU values, even shut down the IPS sensor; still no luck.

problem with remote access vpn

Hello Prashant,

U told us this is a remote access SSL VPN.

Does the SSL VPN terminate on the ASA or the Juniper box?

Is the Juniper just a pass-through device?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

Hi,

The SSL VPN terminates on the Juniper. On our side it is an ASA.

problem with remote access vpn

So,

The ASA is just a passthrough device?

I mean, a firewall in the path. That's it, right?

My recommendation is to determine what's the biggest packet you can send through the FW and the Junos box, to determine who is the one with the MTU having the problem (also on the local and remote networks).

Run pings from client machines with different sizes and the DF bit set and determine the PMTU.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

Hi

Thanks,

Ya, the firewall is in the path. Ping is blocked from the far-end client machine. Allowed from my side.

Is there any other way to determine it?

Another thing to add: I have changed it to 1200, but the issue did not resolve; in fact, the other VPNs got affected with the slowness issue.

Re: problem with remote access vpn

I see,

Okay, the Cisco recommended value is 1380 when dealing with traffic that will be encapsulated with different headers such as IPsec, GRE, etc.

In our case it is regular TCP (just that it goes encrypted) but no overhead.

Now, all TCP traffic is by default set with the DF value flag so it will not get fragmented.

The other way would be clearing the DF value before the traffic reaches the ASA.

Read the following blog so you can understand what I am talking about and why PMTU is needed here

http://www.networkworld.com/community/blog/mtu-size-issues

Changing the MTU will be needed buddy but instead of making it lower it needs to be higher,

Again the best way to approach this would be PMTU but we make sure the application understands the ICMP "Message too big"

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

So the MTU has to be changed for the inside as well as the outside interface.

Currently it is 1500.

problem with remote access vpn

That's exactly my point.

Unless you find out what's the size of the packet being sent you will not know which is the size, and also it will need to be done on all of the devices across the path.

Not something scalable, man. Path MTU is our way to go.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

Thanks

Will let you know once I do the changes.

New Member

problem with remote access vpn

Hi Julio,

Just to add my findings.

I have 10 Mbps links which are directly connected to the PC. This does not involve any firewall stuff.

But still we are facing the same problem on that too.

On my network sometimes it works absolutely fine with default MTU settings on the firewall. Really confused.

Is it anything related to queue size settings on the firewall?

problem with remote access vpn

Hello Prashant,

U lost me man!

I mean,

Now you have a PC directly connected to which other device???

And what you need to check is the MTU of the devices in the path, not the access-rate they have.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

Hi,

This connection goes directly from the PC to the MUX.

MUX to ISP side.

So we need to check the settings on the MUX as well as the ISP side.

Another thing I want to know: there are 10 site-to-site VPNs on my side.

Can changing the MTU settings affect the other VPN traffic?

problem with remote access vpn

Hello,

We do not need to make any changes yet.

First let's make sure that all of the sites have 1500 as the MTU size on their interfaces.

If this is the case then run Wireshark on your PC, because it might be a malfunctioning network card...

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

Thanks,

As of now all my interfaces have 1500 MTU.

You mean to say even a malfunctioning network card may also cause this issue?

problem with remote access vpn

If only happens with ur PC yes....

So u already checked the MTU settings for the PC to the MUX to the ISP side?

You will need to check the Junos side network in order to make sure their side is properly configured.

Note: Without the ASA the issue still happens, right?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

Ya, without the ASA it still happens.

So we need to confirm the MTU settings on the Junos side network.

But the strange thing is that sometimes the performance is good on my side even with the firewall in the path.

Even the ISP has cleared that there is no latency on their side.

problem with remote access vpn

Hello Prashant,

Yeah, it does not make much sense, but remember that we are dealing with what seem to be "fragmentation issues".

Let me know what u find from the other side. OK?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

Thanks for your valuable suggestions and time.

Will trouble you once I receive the update from the other side.

problem with remote access vpn

Sure buddy,

My pleasure to help

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

problem with remote access vpn

Hi Julio,

The far-end guys are very reluctant to provide the info regarding the MTU value.

Yesterday I ran the ping command when the user's remote machine was completely frozen for 15 min:

ping -l 1500 19x.x.x.x -f

I got the message "packet needs to be fragmented but DF set".

When I changed the value to 1460 I got the ping response.

Currently my MSS value is set to 1480.

Shall I change it to 1460 and check it?

problem with remote access vpn

Hello,

TCP header plus IP header are 40 bytes sooooooo you need to set it to the default of 1460.

Then let me know

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
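
The DF-set ping test from the posts above, generalized into a search for the largest payload that passes (an added example, not code from the thread). It assumes IPv4 with no IP or TCP options; `simulated_probe` is a constructed stand-in for running `ping -f -l <size>`, whose `-l` value is the ICMP data size, so 28 bytes of IP and ICMP header are added on the wire.

```python
IP_HDR = 20    # IPv4 header, no options (assumption)
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header, no options (assumption)


def simulated_probe(path_mtu):
    """Constructed stand-in for `ping -f -l <payload> <host>`.

    Returns probe(payload) -> bool: True for an echo reply, False for
    'packet needs to be fragmented but DF set'.
    """
    def probe(payload):
        return payload + IP_HDR + ICMP_HDR <= path_mtu
    return probe


def largest_df_payload(probe, local_mtu=1500):
    """Binary-search the largest ICMP payload that passes with DF set."""
    low, high = 0, local_mtu - IP_HDR - ICMP_HDR
    if not probe(low):
        # Even an empty echo fails: ICMP is filtered or the host is down,
        # which says nothing about the MTU.
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, look for something larger
        else:
            high = mid - 1   # mid is too big for some hop
    return low


def summarize(probe, local_mtu=1500):
    """Turn the probe result into a path MTU and the matching TCP MSS."""
    payload = largest_df_payload(probe, local_mtu)
    if payload is None:
        return None
    path_mtu = payload + IP_HDR + ICMP_HDR
    return {"payload": payload,
            "path_mtu": path_mtu,
            "tcp_mss": path_mtu - IP_HDR - TCP_HDR}


if __name__ == "__main__":
    for mtu in (1500, 1400):   # constructed path MTUs
        print(mtu, summarize(simulated_probe(mtu)))
```

On a clean 1500-byte path the largest passing payload is 1472, so a failing `ping -l 1500 -f` is expected there, and only a failure at or below 1472 points to a smaller MTU along the path.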
New Member

problem with remote access vpn

The value set on the firewall is

sysopt connection tcpmss 1480

I do have a packet shaper device which is placed above the firewall; its MSS value is set to 1380.
