
New Member

VPN Traffic Problem

Hello,

I've got a strange problem. I can establish a tunnel between a PIX 515e (8.0.3) and an ASA 5510 (7.0.6). Ping works; HTTP, for example, throws MSS Exceed on the ASA. PIX and ASA are configured to allow mss-exceed via service policy. The data size is always about 1443 bytes. The sysopt tcpmss value is set to 1380, which should be enough for payload and IPSEC header. The error message says MSS Exceed MSS 1260 Data bytes 1443 ... ??? What the hell can I do to reduce the payload? Changing the MTU size doesn't help.

I discovered that the problem arises if I upgrade to ASA/PIXOS later than 7.0.6, because I have a second L2L tunnel to a Checkpoint device, and if I upgrade the ASA this tunnel doesn't work for large packets..

Any help is needed...

greetings markus

  • Firewalling
1 REPLY
Silver

Re: VPN Traffic Problem

Check the config for allowing mss-exceed. Following is an example config:

    access-list http-list permit ip any any
    !
    class-map http
     match access-list http-list
    exit
    !
    tcp-map tmap
     exceed-mss allow
    exit
    !
    policy-map global_policy
     class http
      set connection advanced-options tmap
    !
    service-policy global_policy global

Also check for the traffic that is being denied and check if you have configured this for the right traffic.
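To act on that last point (find which flows are actually being dropped before widening the class-map), here is an added helper that is not part of the reply or Cisco's own tooling. It parses constructed %ASA-4-419001 "MSS exceeded" syslog lines (the exact message layout is assumed; the post only quotes "MSS Exceed MSS 1260 Data bytes 1443"), summarises drops per destination, and emits a tighter ACL than `permit ip any any` for the class-map.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines; the %ASA-4-419001 layout used here is assumed.
SAMPLE_LOGS = """
%ASA-4-419001: Dropping TCP packet from inside:192.0.2.10/52345 to outside:198.51.100.20/80, reason: MSS exceeded, MSS 1260, data 1443
%ASA-4-419001: Dropping TCP packet from inside:192.0.2.11/52346 to outside:198.51.100.20/80, reason: MSS exceeded, MSS 1260, data 1443
%ASA-4-419001: Dropping TCP packet from inside:192.0.2.10/52347 to outside:198.51.100.21/443, reason: MSS exceeded, MSS 1260, data 1300
%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.0.2.10/52348 (203.0.113.5/52348)
""".strip().splitlines()

MSS_EXCEEDED = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def parse_mss_exceeded(line):
    """Return the drop's fields as a dict, or None if the line is another message."""
    m = MSS_EXCEEDED.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "mss", "data"):
        d[k] = int(d[k])
    d["overshoot"] = d["data"] - d["mss"]   # payload bytes beyond the negotiated MSS
    return d

def summarize(lines):
    """Group drops by destination host/port: drop count, negotiated MSS, largest overshoot."""
    flows = defaultdict(lambda: {"drops": 0, "mss": None, "max_overshoot": 0})
    for line in lines:
        d = parse_mss_exceeded(line)
        if d is None:
            continue
        f = flows[(d["dst"], d["dport"])]
        f["drops"] += 1
        f["mss"] = d["mss"]
        f["max_overshoot"] = max(f["max_overshoot"], d["overshoot"])
    return dict(flows)

def suggest_acl(flows, name="mss-exceed-list"):
    """ACL entries covering only the flows seen dropping, to feed the class-map."""
    return [f"access-list {name} extended permit tcp any host {dst} eq {dport}"
            for (dst, dport) in sorted(flows)]

if __name__ == "__main__":
    for entry in suggest_acl(summarize(SAMPLE_LOGS)):
        print(entry)
```

Overshoot of 183 bytes on the 1443-byte segments matches the numbers in the question (1443 - 1260), which is why the drop persists even with sysopt tcpmss at 1380: the connection negotiated a smaller MSS than the clamp.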
