Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

MTU size via ASA 5520

 

Hi everyone,

 

We have 3rd PArty Vendor at our site and he is connecting to his company network via our Internet ASA?

IT uses Nortel VPN client to connect to his office network  on port 10001 and 500.

He can connect fine and access all the resources.

 

Issue is with email --Vendors Exchange server was trying to send a large packet (>1400 bytes) to his  laptop, but the packet does not go through.  Then it eventually fails and times out the connection.  We  did a ping test  while user was connected to VPN ---he was able to ping with a 1350 byte packet, but when he tried a ping with a 1450 byte packet they all failed.

 

 

When user is at his home and uses same VPN he can access the emails from the exchange server fine.

On ASA i see that it only shows user is connected on port 10001 and 500.

 

Is there any way that i can increase the maximum MTU for his connection on my Internet ASA?

 

 

16 REPLIES
Hall of Fame Super Silver

Mahesh,We typically try to

Mahesh,

We typically try to have clients set their system MTU lower.

This is so that once their own VPN and any local ASA are finished adding their overhead bits, the left over portion is all theirs to fill up as they need.

Community Member

 Hi Marvin, So you mean to

 

Hi Marvin,

 

So you mean to say that user can lower the MTU size on its PC and what value it should lower it to?

But same user when he is at his home he can connect to his office VPN and he has no issues.

 

Regards

Mahesh

Please apply this command on

Please apply this command on the ASA:

sysopt connection tcpmss 1300

crypto ipsec df-bit clear-df outside

 

Ask user to disconnect and reconnect and try.

Let me know if this helps.

 

Vishnu

 

 

Community Member

 Hi Vishnu,I can do this

 

Hi Vishnu,

I can do this tomorrow as user is gone for the day now.

IF i config  above commands will that cause any issue to existing connections to ASA?

 

Regards

Mahesh

It is not going to cause any

It is not going to cause any issues because these are mainly for the VPN connection. 

 

Community Member

 Hi Vishnu, I ran the

 

Hi Vishnu,

 

I ran the command

sh run all | inc 1380
sysopt connection tcpmss 1380

Seems current MTU max size is 1380.

 

Regards

MAhesh

 

Do not confuse this with MTU.

Do not confuse this with MTU. 

 

Please refer this document to understand the relevance of this command: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82444-fragmentation.html

 

Vishnu

Community Member

 Hi Vishnu, I tried above

 

Hi Vishnu,

 

I tried above config and it does not make any difference.

User is able to connect to outlook but unable to download any emails.

So next thing i asked user is to decrease the MTU size on his PC.

IS there anything else i can try?

 

Regards

MAhesh

Community Member

You can also try MSS slamping

You can also try MSS slamping by 'ip tcp adjust-mss 1300' or less on ASA wan interface.

 

Regards,

David

Community Member

 Hi David,here is setupUser

 

Hi David,

here is setup

User PC--ASA1---ASA2-----ASA3-----cloud----------Vendors VPN ASA.

Should i config this command on ASA1?

I can test this on monday.

Regards

MAhesh

Community Member

Hi MAhesh,Right now I went

Hi MAhesh,

Right now I went through the post from the top to the end, I find that lower the PC's MTU is  the best solution to the problem.

As the vendor installed ezVPN on his PC, so the traffic was protected by encryption, MSS slamping has no way to see the clear text of those traffic.

This problem was caused by ASA or other intermediate device block 'ICMP type 3', so the PMTUD between PC and SERVER get failed, all the bigger packets than path MTU will get dropped and client or server did not recognize  this issue as they did not receive ICMP like 'fragment needed  but DF bit set'.

By lowing the PC's MTU, indirectly decease the TCP MSS, so PC will send mail packet by smaller size which is smaller than the path mtu.

Regards,

David

 

Please rate useful post

 

 

 

 

 

 

 

 

 

Community Member

 Hi David,How can i  check

 

Hi David,

How can i  check which device is blocking the ICMP type 3?

Also on monday i will ask user to decrease the MTU size on his PC and see how it goes.

Also when you say path MTU does it mean 1380?

Regards

Mahesh

Community Member

 Hi David, I saw the packet

 

Hi David,

 

I saw the packet capture between user PC and Exchange server

i see lot of TCP retransmissions.

Regards

Mahesh

Community Member

Hi Mahesh,This issue was

Hi Mahesh,

This issue was caused by IP packets size(DF bit set to1) > intimidate router outgoing interface MTU, so TCP will transmit the dropped segments after timeout.

You can ' ping "exchange server ip"  -f -l xxxx'   on PC to get the maximum path mtu size. For example, first try xxxx=1500, no ok, then try 1300, if ok, try 1400...until you get the maximum.

regards,

David

 

Community Member

 Hi David, Thanks for reply

 

Hi David,

 

Thanks for reply back.

Will check  with user tomorrow.

Also i asked user to get the MTU size of exchange server.

Does user PC MTU and Exchange server MTU have to match ?

 

Regards

Mahesh

Community Member

 Hi David,One of  ASA in path

 

Hi David,

One of  ASA in path is non cisco and it has MTU 1500.

Will this cause any issue?

 

Regards

Mahesh
 

1758
Views
0
Helpful
16
Replies
CreatePlease to create content