We have a 3rd party vendor at our site and he is connecting to his company network via our Internet ASA.
He uses the Nortel VPN client to connect to his office network on ports 10001 and 500.
He can connect fine and access all the resources.
The issue is with email -- the vendor's Exchange server was trying to send a large packet (>1400 bytes) to his laptop, but the packet does not go through. Then it eventually fails and times out the connection. We did a ping test while the user was connected to the VPN --- he was able to ping with a 1350 byte packet, but when he tried a ping with a 1450 byte packet they all failed.
When the user is at his home and uses the same VPN he can access the emails from the Exchange server fine.
On the ASA I see that it only shows the user is connected on ports 10001 and 500.
Is there any way that I can increase the maximum MTU for his connection on my Internet ASA?
We typically try to have clients set their system MTU lower.
This is so that once their own VPN and any local ASA are finished adding their overhead bits, the leftover portion is all theirs to fill up as they need.
So you mean to say that the user can lower the MTU size on his PC, and what value should he lower it to?
But the same user, when he is at his home, can connect to his office VPN and he has no issues.
Please apply this command on the ASA:
sysopt connection tcpmss 1300
crypto ipsec df-bit clear-df outside
Ask user to disconnect and reconnect and try.
Let me know if this helps.
I can do this tomorrow as the user is gone for the day now.
If I configure the above commands, will that cause any issue to existing connections to the ASA?
Do not confuse this with MTU.
Please refer this document to understand the relevance of this command: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82444-fragmentation.html
I tried the above config and it does not make any difference.
The user is able to connect to Outlook but unable to download any emails.
So the next thing I asked the user is to decrease the MTU size on his PC.
Is there anything else I can try?
Here is the setup:
User PC--ASA1---ASA2-----ASA3-----cloud----------Vendor's VPN ASA.
Should I configure this command on ASA1?
I can test this on Monday.
Right now I went through the post from the top to the end, and I find that lowering the PC's MTU is the best solution to the problem.
As the vendor installed ezVPN on his PC, the traffic is protected by encryption, so MSS clamping has no way to see the clear text of that traffic.
This problem was caused by the ASA or another intermediate device blocking 'ICMP type 3', so the PMTUD between the PC and the server failed; all packets bigger than the path MTU get dropped, and the client or server did not recognize this issue as they did not receive an ICMP like 'fragment needed but DF bit set'.
By lowering the PC's MTU, you indirectly decrease the TCP MSS, so the PC will send mail packets in a smaller size which is smaller than the path MTU.
Please rate useful posts.
How can I check which device is blocking ICMP type 3?
Also on Monday I will ask the user to decrease the MTU size on his PC and see how it goes.
Also, when you say path MTU, does it mean 1380?
This issue was caused by IP packet size (DF bit set to 1) > intermediate router outgoing interface MTU, so TCP will retransmit the dropped segments after a timeout.
You can run 'ping "exchange server ip" -f -l xxxx' on the PC to get the maximum path MTU size. For example, first try xxxx=1500; if not ok, then try 1300; if ok, try 1400... until you get the maximum.
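The manual probe just described (send don't-fragment pings of increasing size until they stop being answered) is what a host would do on its own if the ICMP "fragmentation needed" messages were not being filtered, as explained earlier in the thread. The script below is an added example, not something posted by any participant in this thread, that automates that search with a binary search instead of the hand-tuned 1500/1300/1400 steps. The `ping_df_probe` function wraps the operating system's own ping (`-f -l` on Windows, `-M do -s` on Linux) and is assumed, not taken from the thread; the simulated probe and the path MTU of 1380 in it are constructed values chosen to match the numbers quoted above (1350 bytes passes, 1450 fails).

```python
import platform
import subprocess
from typing import Callable, Dict

# Bytes that ping adds on top of the payload it is asked to send:
# 20-byte IPv4 header + 8-byte ICMP echo header.
ICMP_IP_OVERHEAD = 28
# TCP over IPv4 without options: 20-byte IP header + 20-byte TCP header.
TCP_IP_OVERHEAD = 40


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary search for the largest ICMP payload answered with DF set.

    probe(size) must return True when an echo of `size` data bytes is answered.
    The search assumes monotonic behaviour along the path: if size n is dropped,
    every larger size is dropped too (the normal case for a fixed path MTU).
    """
    if not probe(lo):
        # Even the smallest probe fails: host unreachable or ICMP echo filtered,
        # so no conclusion about the MTU can be drawn.
        raise RuntimeError("smallest probe failed; host unreachable or ICMP filtered")
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return best


def ping_df_probe(host: str, payload: int) -> bool:
    """Send one don't-fragment echo request of `payload` data bytes via the OS ping.

    Assumed wrapper (not from the thread). Relies on ping's exit status: it is
    non-zero both when no reply arrives and when the local stack refuses to
    send an oversized DF packet, so either case counts as "did not get through".
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: a DF packet passes only if its
    total size fits the given path MTU. Lets the search run offline."""
    def probe(payload: int) -> bool:
        return payload + ICMP_IP_OVERHEAD <= path_mtu
    return probe


def path_mtu_report(probe: Callable[[int], bool]) -> Dict[str, int]:
    """Run the search and translate the result into the numbers that matter:
    the discovered path MTU and the TCP MSS a host should use to fit it."""
    payload = find_max_payload(probe)
    mtu = payload + ICMP_IP_OVERHEAD
    return {"max_payload": payload, "path_mtu": mtu, "tcp_mss": mtu - TCP_IP_OVERHEAD}


if __name__ == "__main__":
    # Constructed scenario: a path that only carries 1380-byte packets,
    # the value the thread mentions for the VPN path.
    print(path_mtu_report(simulated_probe(1380)))
    # Against a real host (requires ICMP echo to be allowed end to end):
    # print(path_mtu_report(lambda n: ping_df_probe("exchange-server-ip", n)))
```

With the constructed 1380-byte path the search stops at a 1352-byte payload, which is consistent with the 1350-byte ping succeeding and the 1450-byte one failing in the original test, and reports a TCP MSS of 1340. The `-f`/`-M do` flags are what make the probe meaningful: without DF set, an intermediate router would simply fragment the oversized ping and the test would pass regardless of the path MTU.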
Thanks for replying back.
Will check with the user tomorrow.
Also I asked the user to get the MTU size of the Exchange server.
Do the user PC MTU and Exchange server MTU have to match?