New Member

IPSec VPN Remote-Access and TCP MSS issue

Hi,

I'd like your advice about an issue with IPSec and TCP MSS.

I have the following architecture in production:

Cisco VPN Client ---------- PacketShaper ------------- VPN 3000 ---------- LAN
TCP MSS 1300                TCP Window Sizing          TCP MSS 1280
                            (equals TCP MSS = 1460)
The Cisco VPN Client can connect to the VPN 3000 (IPSec VPN Remote-Access connection) and send/receive traffic.

I decided to change the VPN 3000 by a Cisco ASA 5510.

On the Cisco ASA, I entered the same command "sysopt connection tcpmss 1280" but it failed.

We can see IKE Phase 1 & 2 established (IPSec tunnel OK), but no traffic is possible, and after 2 minutes a timeout occurs.

So we decided to disable TCP Window Sizing on the PacketShaper. Success.

BUT, why such a difference between a VPN 3000 and an ASA with an IPSec tunnel?

Have you ever met something like that?

I don't want to change the PacketShaper configuration, because the TCP Window Sizing is for all connections.
On the Cisco ASA, I can't find any solution.

Here are my tests:

Test with the VPN 3000:

PacketShaper                  | VPN 3000                                   | Result
TCP Window Sizing enabled     | Command: sysopt connection tcpmss 1280     | SUCCESS
(TCP MSS = 1460)              |                                            |

Test with the ASA:

PacketShaper                  | ASA                                        | Result
TCP Window Sizing enabled     | no command (so TCP MSS = 1380 by default)  | FAILED
(TCP MSS = 1460)              |                                            |
TCP Window Sizing enabled     | Command: sysopt connection tcpmss 1280     | FAILED
(TCP MSS = 1460)              |                                            |
TCP Window Sizing disabled    | no command (so TCP MSS = 1380 by default)  | SUCCESS

Thanks for any answer.

Herve

3 REPLIES
New Member

Re: IPSec VPN Remote-Access and TCP MSS issue

Hi Leon,

We experience exactly the same issue here when replacing a VPN 3000 with an ASA 5540.

Did you eventually find a solution?

Regards,

Sven

Cisco Employee

Re: IPSec VPN Remote-Access and TCP MSS issue

Hello,


What kind of VPN are you using? The VPN client connection by default is either ESP (IP protocol 50) or UDP-encapsulated ESP on port 4500, so MSS adjustments on encrypted packets (which aren't even TCP) won't have an effect.

Are you using IPSEC over TCP?

--Jason
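To illustrate the point in the reply above, here is an added example (not from the thread or from Cisco) that models what an MSS clamp such as "sysopt connection tcpmss" can touch: it lowers the MSS option carried in a TCP SYN, while ESP (protocol 50) and UDP-encapsulated ESP (port 4500) have no TCP header and pass through untouched. The packet bytes, port numbers and the 1460/1280 values are constructed from the figures in the thread.

```python
import struct

# IP protocol numbers of the outer packet (constructed example values follow the thread)
ESP, TCP, UDP = 50, 6, 17
PACKETSHAPER_MSS, ASA_CLAMP = 1460, 1280


def build_tcp_syn(mss, dport=443):
    """Construct a minimal TCP SYN: 20-byte header plus a 4-byte MSS option."""
    flags = 0x02                      # SYN
    data_offset = 6                   # header length in 32-bit words (24 bytes)
    header = struct.pack("!HHIIBBHHH", 12345, dport, 0, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    mss_option = struct.pack("!BBH", 2, 4, mss)   # kind=2 (MSS), len=4, value
    return header + mss_option


def clamp_mss(proto, l4_payload, limit):
    """Return (possibly rewritten L4 payload, effective MSS or None).

    Only a TCP SYN carries an MSS option, so the clamp rewrites nothing for
    ESP or UDP-encapsulated ESP; on TCP it lowers the option, never raises it.
    """
    if proto != TCP:
        return l4_payload, None       # encrypted, non-TCP outer packet: nothing to clamp
    data_offset = (l4_payload[12] >> 4) * 4
    if not l4_payload[13] & 0x02:
        return l4_payload, None       # not a SYN: no MSS option expected
    buf = bytearray(l4_payload)
    i, mss = 20, None
    while i < data_offset:            # walk TCP options until the header ends
        kind = buf[i]
        if kind == 0:                 # End-of-option-list
            break
        if kind == 1:                 # NOP has no length byte
            i += 1
            continue
        length = buf[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", buf[i + 2:i + 4])[0]
            if mss > limit:
                buf[i + 2:i + 4] = struct.pack("!H", limit)
                mss = limit
        i += length
    return bytes(buf), mss


# A SYN the PacketShaper has set to 1460 is lowered to 1280; ESP is left alone.
_, inner = clamp_mss(TCP, build_tcp_syn(PACKETSHAPER_MSS), ASA_CLAMP)
_, outer = clamp_mss(ESP, b"\x00" * 8, ASA_CLAMP)
```

When the tunnel runs IPSec over TCP instead, the outer packet does carry a TCP header, which is why the question about the encapsulation mode matters.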

New Member

Re: IPSec VPN Remote-Access and TCP MSS issue

Hi Jason,

Yes indeed, we are using IPSEC over TCP port 443, forgot to mention that.

Regards,

Sven
