ASA 5505 and MTU issues

Status
Not open for further replies.

tpulley

MIS
May 2, 2001
204
US
I just put an ASA 5505 into a site that previously had a PIX 501. When I did, about 1/3 of the users couldn't get to resources across the connecting LAN-to-LAN tunnel. On some of the desktops I loaded the VPN client, which defaults the MTU to 1300. This so far has resolved this.

This is the second site (they are not related) that had similar issues.

When I ping the server on the other side of the tunnel, I cannot send beyond 1272 MTU size.

ping -f -l 1273 192.168.1.22 asks for the packet to be fragmented.

Anyone else seen this?
 
There is a command in the ASA that sets the MTU value for TCP sessions; according to my notes it defaults to 1300 bytes. As you're using ICMP to test this, I would have expected you should have been able to use a larger packet size in your testing.

The command is `sysopt connection tcpmss <bytes>'

On the ASAs I've used, this command isn't displayed in the running config, but it does work. You could try `show sysopt'

Perhaps your ASA has had the default value altered? I suppose it could be set to a value that is too high for the VPN process to transmit it without fragmentation, and the clients may be set to don't fragment in the IP header.




 
I checked it. When I do the sh run sysopt I get:
sysopt connection tcpmss 1500
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn

The MTU size in the config for both inside and outside interfaces is set to 1500.

From what I read the tcpmss max is 1380. Yet this one says 1500. Not sure about that.
 
Try setting `sysopt connection tcpmss 1300'; that should fix your issue.
It should be set to this as a default value; something must have gone wrong in your ASAs.

The Interface MTU values should be 1500, as they are standard Ethernet interfaces. The sysopt command sets the ASA to `sniff' the TCP handshake, and reduce the value to one that is suitable for an encrypted connection, to take into consideration the increased packet header size.
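
Added example, not part of any post in this thread: a Python sketch that automates the `ping -f -l` test from the first post by binary-searching the largest don't-fragment payload, then converts it to a path MTU and the TCP MSS that fits it. The function names are hypothetical, the "ttl=" reply check is an assumption about ping output, and the simulated probe is constructed to mimic the 1272-byte limit reported above.

```python
import platform
import subprocess

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4 and TCP without options, ICMP echo


def ping_df(host, payload):
    """Send one echo request with DF set; True if an echo reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:  # Linux iputils syntax
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except subprocess.TimeoutExpired:
        return False
    # Assumption: a genuine echo reply line contains "ttl=" on both platforms.
    return out.returncode == 0 and "ttl=" in out.stdout.lower()


def largest_df_payload(probe, low=0, high=1472):
    """Binary-search the largest payload for which probe(payload) is True.

    high=1472 is the ceiling for a 1500-byte Ethernet MTU (1500 - 20 - 8).
    Returns None if even `low` fails (host down or ICMP filtered).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def summarize(payload):
    """Translate a ping payload size into path MTU and the TCP MSS that fits it."""
    path_mtu = payload + ICMP_HDR + IP_HDR
    return {"payload": payload, "path_mtu": path_mtu,
            "tcp_mss": path_mtu - IP_HDR - TCP_HDR}


if __name__ == "__main__":
    # Constructed stand-in for the tunnel: payloads above 1272 are dropped.
    print(summarize(largest_df_payload(lambda size: size <= 1272)))
    # Live run against the address quoted in the first post:
    # print(summarize(largest_df_payload(lambda s: ping_df("192.168.1.22", s))))
```

With the 1272-byte payload from the first post this works out to a 1300-byte path MTU, the same value the VPN client sets.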
 