Cisco Support Community

The Microsoft Windows Active Directory replication fails across the VPN tunnel on the PIX/ASA firewall

Core issue

The site-to-site VPN on the PIX/ASA firewall carries file copies, ping, and Remote Desktop Protocol (RDP) traffic without problems, but Microsoft Windows Active Directory replication across the tunnel fails.

This issue is typically related to the TCP maximum segment size (MSS).

Resolution

In order to resolve this issue, use the sysopt connection tcpmss command on both VPN endpoint devices.

This command ensures that the TCP maximum segment size does not exceed the configured value and, when a minimum is configured, is not less than that minimum. For example:

hostname(config)#sysopt connection tcpmss 1200

Note: 1200 bytes works well as the value in most cases.

Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value specified by the sysopt connection tcpmss command, the security appliance overrides the maximum and inserts the specified value. If either maximum is less than the value specified by the sysopt connection tcpmss minimum command, the security appliance overrides the maximum and inserts the minimum value. The minimum value is actually the smallest maximum allowed. For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, the security appliance alters the packet to request 1200 bytes, the maximum. If another host requests a maximum value of 300 bytes, the security appliance alters the packet to request 400 bytes, the minimum.

The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default Maximum Transmission Unit (MTU) for Ethernet. Refer to this calculation:

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

If the host or server does not request a maximum segment size, the security appliance assumes that the Request for Comments (RFC) 793 default value of 536 bytes is in effect.

If the maximum size is set greater than 1380, packets can be fragmented. This behavior depends on the MTU size, which is 1500 bytes by default. Large numbers of fragments can impact the performance of the security appliance when it uses the Frag Guard feature. Set the minimum size so that the TCP server does not send many small TCP data packets to the client and impact the performance of the server and the network.

Note: The default maximum value is 1380 bytes. The minimum feature is disabled by default, which means that it is set to zero.
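The following Python script is an added example, not part of the Cisco article and not Cisco code. It models the behavior described above on a constructed TCP SYN options field: the MTU budget that yields the 1380-byte default, the maximum/minimum clamping rules (including the RFC 793 fallback of 536 bytes when no MSS option is present), and the rewrite of the MSS option bytes. The option kinds used (2 = MSS, 3 = window scale, 4 = SACK permitted) are the standard TCP values; the sample options bytes and the function names are constructed for this example.

```python
"""Simulate PIX/ASA ``sysopt connection tcpmss`` clamping on a TCP SYN.

Added example, not Cisco code. It reproduces the rules the article states:
values above the maximum are lowered to it, values below a non-zero minimum
are raised to it, and a SYN without an MSS option is treated as 536 bytes.
"""
import struct

# Per-packet overhead the article charges against a 1500-byte Ethernet MTU
# when traffic is AH + ESP encapsulated: 20 + 20 + 24 + 24 + 12 + 20 = 120.
IPSEC_OVERHEAD = {
    "tcp": 20,
    "inner_ip": 20,
    "ah": 24,
    "esp_cipher": 24,
    "esp_auth": 12,
    "outer_ip": 20,
}
RFC793_DEFAULT_MSS = 536  # assumed by the appliance when no MSS option is sent


def max_mss_for_mtu(mtu=1500, overhead=IPSEC_OVERHEAD):
    """Largest MSS that still fits in one MTU after IPsec encapsulation."""
    return mtu - sum(overhead.values())


def clamp_mss(requested, maximum=1380, minimum=0):
    """Apply the appliance's rules to the MSS a host requested.

    ``minimum=0`` means the minimum feature is disabled (the default)."""
    if requested is None:
        requested = RFC793_DEFAULT_MSS
    if requested > maximum:
        return maximum
    if minimum and requested < minimum:
        return minimum
    return requested


def iter_tcp_options(options):
    """Yield (offset, kind, length) for each option in a TCP options field.

    Handles the single-byte EOL (0) and NOP (1) kinds and rejects truncated
    or malformed length fields instead of reading past the buffer."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:  # End of option list
            return
        if kind == 1:  # NOP padding
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        yield i, kind, length
        i += length


def mss_from_options(options):
    """Return the MSS value carried in the options, or None if absent."""
    for off, kind, length in iter_tcp_options(options):
        if kind == 2 and length == 4:
            return struct.unpack("!H", options[off + 2:off + 4])[0]
    return None


def rewrite_mss(options, maximum=1380, minimum=0):
    """Return the options bytes with the MSS option clamped as the appliance
    would rewrite it. Options with no MSS option are returned unchanged: the
    appliance assumes 536 bytes but does not insert an option."""
    out = bytearray(options)
    for off, kind, length in iter_tcp_options(options):
        if kind == 2 and length == 4:
            requested = struct.unpack("!H", options[off + 2:off + 4])[0]
            clamped = clamp_mss(requested, maximum, minimum)
            out[off + 2:off + 4] = struct.pack("!H", clamped)
    return bytes(out)


# Constructed SYN options: MSS 1460, NOP, window scale 7, SACK permitted, EOL.
SAMPLE_SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"  # kind 2, len 4, MSS 0x05b4 = 1460
    b"\x01"              # NOP
    b"\x03\x03\x07"      # window scale 7
    b"\x04\x02"          # SACK permitted
    b"\x00\x00"          # end of option list + padding
)

if __name__ == "__main__":
    print("MSS budget for 1500-byte MTU:", max_mss_for_mtu())
    print("SYN requests MSS:", mss_from_options(SAMPLE_SYN_OPTIONS))
    rewritten = rewrite_mss(SAMPLE_SYN_OPTIONS, maximum=1200)
    print("After 'sysopt connection tcpmss 1200':", mss_from_options(rewritten))
```

Running it with the article's 1200-byte setting shows the 1460-byte MSS in the SYN being rewritten to 1200 while the other options are left untouched, which is exactly the change that lets Active Directory replication's large RPC segments fit inside the IPsec tunnel without fragmentation.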

Version history: revision 1 of 1, last updated 06-22-2009 05:38 PM