Posted by Pseto on June 11, 2008, 10:13 am
How to set up icmp unreachable limit in ASA (Software Version 7.0(6))? I tried with icmp unreachable rate-limit command, but it seems that this command is not supported on my ASA. The reason I want to change defaults is that I want my ASA to generate such messages a little bit faster because I believe that default value causes some problems with specific connections.

regards

Posted by Andrey Tarasov on June 11, 2008, 12:48 pm
Do you mind describing what kind of connections those are? I can think of only one scenario where ICMP unreachables are used - path MTU discovery. And ASA (as PIX) has sysopt command to lower MSS. If I remember correctly it's 1300 by default.

Regards,
Andrey.

Posted by Pseto on June 12, 2008, 4:00 am
It's Cisco VPN client behind my ASA that needs to connect to the LAN behind Cisco 851 router with EasyVPN server on it. This 851 router is connected to the Internet with PPPoE. I manage to establish vpn client successfully with tens of other easy vpn servers (not connected with pppoe), but not this one. On the other side, I can establish connection with this pppoe vpn server if the client is behind Linksys broadband router with pppoe connection...

So, I believe it has to be MTU issue. Since it's about udp connection I don't see how mss would help. Inspecting traffic with wireshark I noticed the following: sending ping (with df set) packets exceeding MTU value of outside ASA interface forces ASA to send unreachables, but it sends maybe one or two unreachable packets per minute. Maybe vpn client connection time out interval is too short, so it doesn't see unreachables and cannot perform pmtud.

Posted by Pseto on June 13, 2008, 10:33 am
It appears that after all the problem lies somewhere in my ISP network. I just plugged my laptop instead of ASA right behind ISP router and vpn connection still does not work?! ;)

regards

> How to set up icmp unreachable limit in ASA (Software Version 7.0(6))? I
> tried with icmp unreachable rate-limit command, but it seems that this
> command is not supported on my ASA.
> The reason I want to change defaults is that I want my ASA generates such
> messages a little bit faster because I believe that default value causes
> some problems with specific connections.
>
> regards

Setting icmp unreachables limit - ASA