I'm having problems with dropped connections to protected servers through an ASA5510 with V7.2.1 code and Cisco VPN client 4.7. When I try to connect to a protected server through the VPN using VNC it usually disconnects the VNC app and other times gives me incomplete screen refreshes and then freezes. Terminal services to the same servers works fine.
This also happens when I telnet to an internal switch and do a show tech on the switch. Sometimes the output from the switch completely stops and other times it shows unreadable characters. Once this happens I can disconnect from the telnet session and immediately telnet to it again.
It seems to have to do with the size of the packets and maybe it's the MTU size issue, but I've done this before through a PIX running 6.3 without a problem without changing the MTU sizes. Also, the ASA has a pre-fragmentation setting which seems to allow the ASA to rewrite the DF bit in a packet to allow the packets to be fragmented before sending them through the VPN tunnel even if the end device sets the packet's DF bit. The ASA connects to a high speed (5M+5M) metro internet connection, which is different from other sites I connect to. I'm not sure if that's related or not.
Since no one has responded yet I decided to post an update....
I've been troubleshooting this issue and I think I found the source of the problem. The default inspection rules were still in place on all interfaces. The default settings are applied to all interfaces. I tried to apply them to the outside interface only, but this didn't fix the problem. As soon as I removed the class-map from all interfaces, everything works great.
I guess I need to read up on these inspection rules.