Hi,
I'd like your advice about an issue with IPSec and TCP MSS.
I have the following architecture in production
Cisco VPN Client------------------PacketShaper---------------------------------VPN 3000-------------------LAN
TCP MSS 1300 TCP Window Sizing TCP MSS 1280
equals to TCP MSS=1460
The Cisco VPN Client can connect to the VPN 3000 (IPSec VPN Remote-Access connection) and send/receive traffic.
I decided to change the VPN 3000 by a Cisco ASA 5510.
On the Cisco ASA, I entered the same command "sysopt connection tcpmss 1280" but it failed.
We can see the IKE Phase 1 & 2 established (IPSec tunnel OK). But no traffic possible and after 2minutes, a timeout occurs.
So, on the PacketShaped, we decided to disabled the TCP Window Sizing on the PacketShaper. Success.
BUT, why such a difference between a VPN 3000 and ASA with IPSec tunnel ????
Have you ever met something like that ?
I don't want to change the PackerShaper configuratio, because the TCP Window Sizing is for all connections.
On Cisco ASA, I can't find any solution.
Here're my tests:
PacketShaper | VPN 3000 | Result |
TCP Window Sizing enabled TCP MSS = 1460 | Command :
sysopt connection tcpmss 1280 | SUCCESS |
PacketShaper | ASA | Result |
TCP Window Sizing enabled TCP MSS=1460 | no command (so TCP MSS=1380 by default) | FAILED |
TCP Window Size enabled
TCP MSS=1460 | Command :
sysopt connection tcpmss 1280 | FAILED |
TCP Window Size disabled | no command (so TCP MSS=1380 by default) | SUCCESS |
Thanks for any answer.
Herve
