tpulley (MIS)
30 Apr 08 9:59
I just put an ASA 5505 into a site that previously had a PIX 501. When I did, about 1/3 of the users couldn't get to resources across the connecting LAN 2 LAN tunnel. On some of the desktops I loaded the VPN client, which defaults the MTU to 1300. This so far has resolved this.

This is the second site (they are not related) that had similar issues.

When I ping the server on the other side of the tunnel I cannot send beyond 1272 MTU size.

ping -f -l 1273 192.168.1.22 asks for the packet to be fragmented.

Anyone else seen this?

routerman (TechnicalUser)
30 Apr 08 12:57
There is a command in the ASA that sets the MTU value for TCP sessions; according to my notes it defaults to 1300 bytes. As you're using ICMP to test this, I would have expected you should have been able to use a larger packet size in your testing.

The command is `sysopt connection tcpmss <bytes>'

On the ASAs I've used, this command isn't displayed in the running config, but it does work. You could try `show sysopt'

Perhaps your ASA has had the default value altered? I suppose it could be set to a value that is too high for the VPN process to transmit it without fragmentation, and the clients may be set to don't fragment in the IP header.

tpulley (MIS)
30 Apr 08 13:36
I checked it.  When I do the sh run sysopt I get:
sysopt connection tcpmss 1500
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn

The MTU size in the config for both inside and outside interfaces is set to 1500.

From what I read the tcpmss max is 1380.  Yet this one says 1500.  Not sure about that.

routerman (TechnicalUser)
30 Apr 08 17:30
Try setting `sysopt connection tcpmss 1300'; that should fix your issue.
It should be set to this as a default value; something must have gone wrong in your ASAs.

The Interface MTU values should be 1500, as they are standard Ethernet interfaces. The sysopt command sets the ASA to `sniff' the TCP handshake, and reduce the value to one that is suitable for an encrypted connection, to take into consideration the increased packet header size.
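
The don't-fragment ping test and the `sysopt connection tcpmss` setting discussed in this thread can be tied together as follows. This is an added example, not code from any poster in the thread: it binary-searches the largest ping payload that passes unfragmented, then compares a configured MSS clamp with what that path can carry. The function names are hypothetical, and it assumes IPv4 with IP and TCP headers that carry no options.

```python
import platform
import subprocess

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4/ICMP echo/TCP header sizes, no options


def ping_df(host, payload):
    """Send one echo with Don't Fragment set; True only if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    # Windows ping can exit 0 without a real reply, so look for the TTL field.
    return out.returncode == 0 and "ttl=" in out.stdout.lower()


def largest_df_payload(probe, low=0, high=1472):
    """Binary-search the largest ICMP payload for which probe(size) is True."""
    if not probe(low):
        return None  # nothing gets through, so there is no MTU to measure
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def check_tcpmss(payload, configured_mss):
    """Compare a configured MSS clamp with what the measured path can carry."""
    path_mtu = payload + IP_HDR + ICMP_HDR   # largest unfragmented IP packet
    max_mss = path_mtu - IP_HDR - TCP_HDR    # TCP data that fits in that packet
    return {"path_mtu": path_mtu, "max_mss": max_mss,
            "clamp_effective": 0 < configured_mss <= max_mss}


if __name__ == "__main__":
    # Constructed probe reproducing the thread's result (1272 passes, 1273 does not).
    # For a live test use: probe = lambda size: ping_df("192.168.1.22", size)
    probe = lambda size: size <= 1272
    payload = largest_df_payload(probe)
    print(payload, check_tcpmss(payload, configured_mss=1500))
```
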
