TCP encapsulated VPN via FiOS/Actiontec being dropped
We are experiencing a weird issue with many of our users (including myself) who have Verizon FiOS. For years, we've been using VPN 3030s for VPN. We give our users 3 VPN profiles in their client: a native IPsec, a TCP-encapsulated, and a UDP-encapsulated (with NAT-T). TCP seemed to be the best bet in most places, and is our default. A few months ago, we migrated to an ASA to replace the 3030s. We didn't change the profiles; we just pointed the DNS hostnames to the new IP address. Since we've moved to the ASAs, many users have been experiencing TCP VPN drops after 30 seconds. It works fine when first connecting, but after 30 seconds, the tunnel stops forwarding traffic altogether. UDP works fine. It turns out this issue is ONLY affecting users on Verizon FiOS with the Actiontec router. It seems to stop forwarding any packets. Normally, I would just tell the users to use UDP. However, because this issue only started when they connect to the ASA, I need to explain why the Actiontec has an issue with the ASA.
I've done the basic checks: clients are configured with an MTU of 1300, they are negotiating the same types of SAs for the tunnel, and as far as I can see, the configuration of the ASA is as close as can be to the 3030 (MTU, fragmentation handling, etc.).
Re: TCP encapsulated VPN via FiOS/Actiontec being dropped
It may be due to exceeding the MSS. Implement a workaround now that you know that the PIX/ASA Security Appliance drops the packets that exceed the MSS value advertised by the client. Keep in mind that you might not want to allow these packets to reach the client because of a potential buffer overrun on the client. If you choose to allow these packets through the PIX/ASA Security Appliance, proceed with this workaround procedure. A new feature in the 7.0 release called the Modular Policy Framework (MPF) is used to allow these packets through the PIX Security Appliance.
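As an added example (not posted in the thread), this is what the MPF workaround the reply refers to looks like on an ASA: a `tcp-map` with `exceed-mss allow`, scoped to the TCP-encapsulated VPN sessions only rather than applied to all traffic. The outside address 203.0.113.10, the TCP encapsulation port 10000 (Cisco's default for IPsec over TCP) and all object names are assumptions.

```cisco
! Match only the TCP-encapsulated VPN sessions terminating on the ASA's
! outside address. Address, port and names are assumed, not from the thread.
access-list vpn-tcp-encap extended permit tcp any host 203.0.113.10 eq 10000
class-map vpn-tcp-encap-class
 match access-list vpn-tcp-encap

! The default action is "exceed-mss drop", which is what silently kills the
! tunnel after the first segments. Allowing oversized segments is the
! workaround from the reply and carries the client buffer-overrun caveat
! mentioned there, which is why it is applied to this class only.
tcp-map allow-exceed-mss
 exceed-mss allow

! Bind the tcp-map to that class on the interface the clients connect to.
policy-map outside-vpn-policy
 class vpn-tcp-encap-class
  set connection advanced-options allow-exceed-mss
service-policy outside-vpn-policy interface outside

! Verify: the class should accumulate hits once a client reconnects, and the
! MSS-exceeded drop counter should stop climbing.
show service-policy interface outside
show asp drop
```

Before applying it, compare `show asp drop` counters taken while a FiOS/Actiontec client is in the 30-second failure window against a working UDP session; if the MSS-exceeded counter is not the one climbing, the cause is elsewhere and this change should not be made.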