New Member

Certificate, dropped IKE packet, 3005 MTU oddity, any workaround?

Greetings,

We have a situation where our 3005 concentrator fragments the packet containing its certificate during IKE Phase 1. This happens regardless of whether it's UDP IKE or tunnelled over TCP port 10000. The packet is fragmented using the MTU of the 3005's public interface *regardless of the MTU of the Cisco client*. Many hotel broadband connections drop the second fragment of this packet, causing negotiation failure and the dreaded "Remote peer not responding". The remote networks are beyond our control, and the Cisco IPSec fragmentation workarounds do not apply to IKE. Is there another workaround available?

The 3005 is running v3.6.7 and this occurs with Cisco clients up to and including 3.6.3(B). I can demonstrate with a packet trace if you're curious. I've tested with various concentrator and client MTUs and fragmentation before encapsulation and the behavior is always the same.

1 REPLY
New Member

Re: Certificate, dropped IKE packet, 3005 MTU oddity, any workar

Cisco bug CSCdz30124 addresses the "IKE pre-fragmentation" issue. No workaround is given, but the assumption is that smaller certificates (ones that don't need to be fragmented) should work.
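The question and the reply above both turn on one quantity: whether the IKE message carrying the concentrator's certificate is larger than the public interface MTU, in which case it leaves as two IP fragments and the second one is at the mercy of the path. The following Python script, added here as an illustration and not code from the thread or from Cisco, reads the outer DER length of a certificate, adds the IKEv1/ISAKMP, UDP and IPv4 header sizes from RFC 2408, and reports how many fragments a given MTU will produce. The certificate bytes it uses are a constructed stand-in (a DER SEQUENCE header followed by zeros) so the script runs offline; feed it a real DER certificate to check your own deployment. The `other_payloads` figure (ID, SIG and HASH payloads sharing the message) is an assumed value the reader supplies.

```python
"""Estimate whether an IKE Phase 1 message carrying a CERT payload will be fragmented."""
import math

IPV4_HEADER = 20            # IPv4 header without options
UDP_HEADER = 8
ISAKMP_HEADER = 28          # fixed IKEv1/ISAKMP header (RFC 2408 section 3.1)
GENERIC_PAYLOAD_HEADER = 4  # next payload, reserved, payload length
CERT_ENCODING_FIELD = 1     # certificate-encoding octet of the CERT payload


def der_total_length(data: bytes) -> int:
    """Return header + content length of the outermost DER SEQUENCE in data."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short-form length, one octet
        return 2 + first
    num_octets = first & 0x7F             # long-form: number of length octets
    if num_octets == 0 or num_octets > 4 or len(data) < 2 + num_octets:
        raise ValueError("unsupported or truncated DER length")
    content_len = int.from_bytes(data[2:2 + num_octets], "big")
    return 2 + num_octets + content_len


def cert_payload_size(cert_der: bytes) -> int:
    """Bytes the CERT payload occupies inside the ISAKMP message."""
    return GENERIC_PAYLOAD_HEADER + CERT_ENCODING_FIELD + der_total_length(cert_der)


def ip_packet_size(cert_der: bytes, other_payloads: int = 0) -> int:
    """Total IPv4 packet size of an IKE message carrying the certificate.
    other_payloads: assumed size of the other payloads in the same message."""
    return (IPV4_HEADER + UDP_HEADER + ISAKMP_HEADER
            + cert_payload_size(cert_der) + other_payloads)


def fragments_needed(cert_der: bytes, mtu: int, other_payloads: int = 0) -> int:
    """Number of IPv4 fragments the sending interface emits at this MTU.
    Every fragment but the last carries a multiple of 8 data bytes."""
    ip_payload = ip_packet_size(cert_der, other_payloads) - IPV4_HEADER
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("MTU too small for an IPv4 fragment")
    return math.ceil(ip_payload / per_fragment)


def constructed_der(content_len: int) -> bytes:
    """CONSTRUCTED stand-in for a certificate: a DER SEQUENCE header followed by
    content_len zero bytes. Not a real certificate; only its length matters here."""
    if content_len < 0x80:
        header = bytes([0x30, content_len])
    else:
        length_bytes = content_len.to_bytes((content_len.bit_length() + 7) // 8, "big")
        header = bytes([0x30, 0x80 | len(length_bytes)]) + length_bytes
    return header + bytes(content_len)


if __name__ == "__main__":
    # Constructed 1200-byte certificate body plus an assumed 300 bytes of other payloads.
    cert = constructed_der(1200)
    for mtu in (1500, 1400, 576):
        n = fragments_needed(cert, mtu, other_payloads=300)
        verdict = "fits in one packet" if n == 1 else f"{n} fragments"
        print(f"MTU {mtu}: IKE message {ip_packet_size(cert, 300)} bytes -> {verdict}")
```

If the script reports more than one fragment at your public interface MTU, the only lever the reply above leaves you is the certificate itself: a shorter subject, fewer extensions or a smaller key brings the DER length down until the whole message fits in one datagram, and the check here tells you how many bytes you need to shed.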
