Having some issues with a VPN between two of my locations. Both edge devices are ASAs, and the tunnel is an IPsec tunnel. Both MTUs are set to 1500 on both inside and outside. (Provider MTU setting request is 1514, and both ASAs will be changed out soon.)
Unfortunately, some Exchange/Kerberos auth issues are causing me a problem in the remote site. I perform the tests that Microsoft recommends using a length of 1472 on packet ping size and the do-not-fragment flag (1406 is the largest packet I can push across the VPN). I know part of this is due to the extra overhead that IPsec places on the connection.
I want to refrain from putting the black hole registry workaround on all of the PCs in this remote location.
I've also seen some discussion about manually setting the TCPMSS value down to 1300 on most ASAs. Has anyone else had this resolve an issue?
I'm wondering what else I might be missing.
Any help you can provide would be most appreciated.
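Added example (not part of the original post): a short Python calculation that turns the DF-ping results quoted above (1472 and 1406) into an inner path MTU and TCP MSS, checks a 1300-byte MSS clamp against them, and shows how ESP tunnel-mode overhead shrinks a 1500-byte outer MTU. It assumes IPv4 without IP or TCP options; the cipher parameters are assumptions, since the post does not name the transform set, and all function names are made up for this illustration.

```python
# Added illustration. Cipher parameters are assumptions: the post does not
# say which transform set the tunnel uses.
IPV4_HDR = 20     # IPv4 header, no options
ICMP_HDR = 8      # ICMP echo header
TCP_HDR = 20      # TCP header, no options
UDP_HDR = 8       # NAT-T (UDP 4500) encapsulation
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


def inner_mtu_from_df_ping(payload):
    """Largest IP packet implied by the biggest DF ping payload that passes."""
    return payload + ICMP_HDR + IPV4_HDR


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def esp_tunnel_inner_mtu(outer_mtu, iv_len, block, icv_len, nat_t=False):
    """Largest inner packet ESP tunnel mode can carry in one outer packet."""
    room = outer_mtu - IPV4_HDR - ESP_HDR - iv_len - icv_len
    if nat_t:
        room -= UDP_HDR
    room -= room % block   # inner packet + padding + trailer fills whole blocks
    return room - ESP_TRAILER


def clamp_headroom(clamp_mss, measured_payload):
    """Bytes to spare between a full clamped segment and the measured limit."""
    full_segment = clamp_mss + IPV4_HDR + TCP_HDR
    return inner_mtu_from_df_ping(measured_payload) - full_segment


if __name__ == "__main__":
    print("inner path MTU from 1406-byte ping:", inner_mtu_from_df_ping(1406))
    print("largest MSS that fits:", mss_for_mtu(inner_mtu_from_df_ping(1406)))
    print("headroom with MSS 1300:", clamp_headroom(1300, 1406))
    print("headroom with default MSS 1460:", clamp_headroom(1460, 1406))
    # Assumed transform sets on a 1500-byte outer MTU:
    print("AES-CBC/SHA1-96:", esp_tunnel_inner_mtu(1500, 16, 16, 12))
    print("AES-CBC/SHA1-96 + NAT-T:", esp_tunnel_inner_mtu(1500, 16, 16, 12, True))
    print("3DES/SHA1-96:", esp_tunnel_inner_mtu(1500, 8, 8, 12))
```

A negative headroom means full-size segments with DF set will not fit through the tunnel; the computed ESP figures are for the assumed transform sets only and are not expected to match the 1406-byte measurement exactly.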