Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1381
Views
0
Helpful
1
Replies

AnyConnect does not work with Verizon DSL; Server Parse Error

hillegas
Level 1
Level 1

‎05-04-2009 05:13 AM - edited ‎02-21-2020 04:13 PM

I have an ASA running 8.0.4(28) providing SSL VPN access to AnyConnect clients running version 2.3.0254. When connecting, authentication works great using RSA tokens. After authentication, the Clean Access Agent (CAA) is invoked by the NAC Clean Access Server (CAS) and it fails because no data can pass through the Verizon DSL tunnel because they set the DSL MTU very low. Unfortuantely, AnyConnect CANNOT handle the lower MTU setting and the user is stuck and receives a Server Parse Error. Irregardless if we are integrating NAC with this solution, other IP traffic larger than the MTU would not pass either because the AnyConnect client CANNOT fragement the traffic. So,unless the MTU setting for AnyConnect in Group Policy is very low (less than 300), traffic will not pass on many Verizon DSL connections. Has anyone else ran into this problem? We do NOT have the same problem when using the IPSec client, because the MTU can be set by the client and it appears that the IPSec client can handle a lower MTU setting along the path by using either an ICMP redirect or path MTU discovery. Is there any possiblility of AnyConnect having similar capabilities as IPSec from the lower layers?

Labels:
0 Helpful
1 Reply 1

Not applicable

‎05-08-2009 02:26 PM

The MTU parameter is used by both the client and the security appliance to set the maximum size of the packet to be transmitted over the tunnel. If an end user is experiencing a significant amount of lost packets, or if an application such as Microsoft Outlook is not functioning over the tunnel, it might indicate a fragmentation issue. Lowering the MTU for that user or group of users may address the problem.

The client proposes an MTU value that is 94 bytes less than the MTU of the physical adapter used for the SSL and DTLS connection to the security appliance. The security appliance accepts the lesser of the configured MTU or the value proposed by the client. Both the client and the security appliance use the value selected by the security appliance.

For example, if the physical adapter on the PC has been changed to use an MTU of 1300, then the client proposes an MTU of 1206 to the security appliance. If the security appliance is set for a value lower than 1206, both the client and the security appliance use the lower value that was set using the MTU configuration command.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents