10-29-2013 11:48 AM - edited 03-11-2019 07:57 PM
Hi All,
I am facing slow connectivity issues when connected to the remote access VPN.
I am able to RDP to the server. Initially it works fine, but once I execute some queries or commands it freezes.
Speed is also good. When I ping the far-end peer IP from a Windows machine, it displays "Packet needs to be fragmented but DF set".
Shall I change the tcp-mss value? If I do, does it have any reverse effect on other traffic?
11-04-2013 01:50 AM
I would suggest trying to change the MSS to something like 1400:
ip tcp adjust-mss 1400
11-05-2013 12:32 AM
Thanks. Thus it has reverse impact on other traffic.
11-05-2013 12:34 AM
What impact does the reverse traffic experience?
11-06-2013 12:42 AM
Hi
With the current MSS settings (1480) it works fine when there is no traffic load on the network.
During peak working hours users start facing the slowness problem.
Currently I have prioritized traffic with max bandwidth.
11-06-2013 10:56 AM
Have you tried lowering the MTU? Lower it to 1200.
11-06-2013 07:22 PM
Currently it is set to 1500. I will check and let you know.
Thanks for your guidance
11-07-2013 09:24 AM
No luck. Are there any other parameters that need to be checked?
11-07-2013 10:06 AM
Hi,
Below are my inputs.
1. Users can easily connect to the remote access SSL VPN and RDP to the virtual machine.
Note: On my end we have an ASA firewall and on the far end it is a Juniper firewall.
2. Once they connect to the virtual machine they start executing their work. Every 10 to 15 min their machine suddenly freezes and they cannot even move the mouse. After one minute it becomes normal.
Note: This issue occurs for all users simultaneously connected to that machine at the SAME time.
3. Changed the MSS and MTU values, and even shut down the IPS sensor; still no luck.
11-07-2013 12:37 PM
Hello Prashant,
You told us this is a remote access SSL VPN.
Does the SSL VPN terminate on the ASA or the Juniper box?
Is the Juniper just a pass-through device?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-07-2013 07:49 PM
Hi,
The SSL VPN terminates on the Juniper. On our side it is an ASA.
11-07-2013 08:00 PM
So,
The ASA is just a passthrough device?
I mean, a firewall in the path, that's it, right?
My recommendation is to determine the biggest packet you can send through the FW and the Junos box, to find out which one has the MTU problem (also on the local and remote networks).
Run pings from client machines with different sizes and the DF set and determine the PMTU.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
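The DF-ping sweep suggested in the post above, sketched as an added example (not part of the original thread or any poster's code): a binary search over ICMP payload sizes, plus the TCP MSS that fits the discovered path MTU. The function names, the 548 to 1472 search range and the placeholder address 192.0.2.10 are assumptions; it assumes IPv4 and the Windows or Linux iputils `ping`.

```python
import platform
import subprocess

IP_ICMP_HEADERS = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_HEADERS = 40    # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host, payload, timeout=5):
    """Send one echo request of `payload` bytes with DF set; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout).stdout
    except (subprocess.TimeoutExpired, OSError):
        return False
    return "ttl=" in out.lower()   # only a real echo reply line carries a TTL


def find_path_mtu(host, probe=ping_df, low=548, high=1472):
    """Binary-search the largest DF payload that gets a reply.

    Returns (path_mtu, tcp_mss), or None when even `low` fails, which means
    the host is unreachable or ICMP is filtered, not that the MTU is tiny.
    """
    if not probe(host, low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(host, mid):
            low = mid          # fits: the limit is at or above mid
        else:
            high = mid - 1     # dropped or "needs to be fragmented": go smaller
    mtu = low + IP_ICMP_HEADERS
    return mtu, mtu - IP_TCP_HEADERS


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder target.
    print(find_path_mtu("192.0.2.10"))
```

Running it from a client on each side of the firewalls and comparing the results shows which segment imposes the smaller limit.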
11-07-2013 08:21 PM
Hi
Thanks,
Yes, the firewall is in the path. Ping is blocked from the far-end client machine. It is allowed from my side.
Is there any other way to determine it?
Another thing to add: I have changed it to 1200, but the issue did not resolve. In fact, other VPN got affected by the slowness issue.
11-07-2013 08:27 PM
I see,
Okay, the Cisco-recommended value is 1380 when dealing with traffic that will be encapsulated with different headers such as IPsec, GRE, etc.
In our case it is regular TCP (just that it goes encrypted) but no overhead.
Now, all TCP traffic is by default set with the DF value flag so it will not get fragmented.
The other way would be clearing the DF value before the traffic reaches the ASA.
Read the following blog so you can understand what I am talking about and why PMTU is needed here
http://www.networkworld.com/community/blog/mtu-size-issues
Changing the MTU will be needed, buddy, but instead of making it lower it needs to be higher.
Again, the best way to approach this would be PMTU, but we make sure the application understands the ICMP "Message too big".
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-07-2013 08:42 PM
So the MTU has to be changed for the inside as well as the outside interface.
Currently it is 1500.