Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
616
Views
0
Helpful
1
Replies

8.3 L2TP/NAT-T MTU issues, anyone?

b.julin
Level 3
Level 3

‎07-26-2010 08:19 PM

Trying to work the last kinks out of 8.3 L2TP, I discovered that sometime between 7.2 series

and 8.3, the ASA became unable to ride over an intermediate link with a low MTU.  Where

we see this is on certain cable providers (read: Comcast) who set an MTU of 576 via

their DHCP server, which the household NAT router may honor, or may be broken and

not honor.  If it does honor it, you get problems.

Here's the setup:

<ASA Eth0/3.1 MTU1500>(Internet)<MTU???<Comcast cable router>MTU 576><MTU 576<Linux NAT>MTU1500><MTU1500 <IPSEC client>

This works reliably on another ASA is running 7.2(3).  On my test unit running 8.3(1.6) the connection will drop any packets larger than 498 bytes original unencrypted length (header included) and this behavior happens with both Strongswan and native Windows clients.

If you ignore the cable provider's MTU, and set it to 1500 on the Linux NAT, then 8.3(1.6) is all happy again.

I've already tried playing with tcpmss to no avail.

Can anyone think of any other knobs to twist to see if there's a different default in 8.3?  Anyone seen a bug ID for this?

(Full disclosure, the 8.3(1.6) box's crypto interface is a dot1q subinterface, while the 7.2(3) box is untagged, but I doubt that's the issue.)

Labels:
0 Helpful
1 Reply 1

b.julin
Level 3
Level 3

‎07-27-2010 06:58 AM

Nevermind.  Turned out to be an uppity packet shaper was in the path to the 8.3(1.6) box and I didn't realize it.

0 Helpful
Customers Also Viewed These Support Documents