Cisco Remote Access VPN dropping certain traffic

Hi All,

We have a Cisco ASA 5510 in our office. We have configured VPN to allow remote users to dial in to the network.

There is no problem in establishing VPN connectivity. But users are not able to SSH to some of the Linux servers.

For example, I have server A and server B. I am able to SSH to server A but not to server B.

When I used the tcpdump utility on the servers, I found that server A is receiving all packets from the remote access VPN machine with the DF bit set. But when I looked at server B, it receives packets without the DF bit set. I am not sure whether this is the root cause of the problem.

I would appreciate help with this. If required, I will send my Cisco configuration.

Thanks, Srinivasan

Reply to
sri.sangameswaran

The IP MTU or the TCP MSS must be set lower.

On an Ethernet network, the maximum transmittable unit size is about 1500 bytes. Your data has to be able to handle the addition of a TCP header, an IP header, and then an Ethernet header, which cannot exceed 1500 bytes when working over Ethernet.

A VPN connection makes this worse by adding an IPsec header. In some cases, a GRE tunnel header might also be added.

Make the client computers use a lower MTU or set the MTU lower on the interface of the device facing the device with the VPN connection.

Reply to
Scott Perry
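
To check a capture against the sizing advice in the reply above, here is an added example that is not part of the original thread. It derives the TCP MSS that fits a reduced MTU and lists packets in `tcpdump -v` output that have DF set and are too large for it. The 100-byte tunnel overhead, the addresses and the capture lines are constructed assumptions; measure the real overhead for your VPN.

```python
import re

IPV4_HEADER = 20  # bytes, no IP options
TCP_HEADER = 20   # bytes, no TCP options

# Constructed sample in `tcpdump -v` layout: IP header line, then the flow line.
SAMPLE = """\
12:00:01.000001 IP (tos 0x0, ttl 64, id 4660, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.5.50022 > 192.168.1.10.22: Flags [S], seq 1, win 64240, options [mss 1460], length 0
12:00:01.200001 IP (tos 0x0, ttl 64, id 4661, offset 0, flags [DF], proto TCP (6), length 1500)
    192.168.1.10.22 > 10.10.10.5.50022: Flags [.], seq 1:1461, ack 1, win 501, length 1460
12:00:01.300001 IP (tos 0x0, ttl 64, id 4662, offset 0, flags [none], proto TCP (6), length 1500)
    192.168.1.20.22 > 10.10.10.5.50023: Flags [.], seq 1:1461, ack 1, win 501, length 1460
"""

HDR = re.compile(r"flags \[(?P<flags>[^\]]*)\].*?proto TCP \(6\), length (?P<len>\d+)\)")
FLOW = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+):")


def clamp_mss(link_mtu, tunnel_overhead):
    """Largest TCP payload per segment once the tunnel headers are added."""
    return link_mtu - tunnel_overhead - IPV4_HEADER - TCP_HEADER


def oversized_df_packets(dump, mtu):
    """Return (src, dst, ip_length) for TCP packets with DF set and length > mtu."""
    hits, pending = [], None
    for line in dump.splitlines():
        hdr = HDR.search(line)
        if hdr:
            # Remember DF state and total IP length until the flow line arrives.
            pending = ("DF" in hdr.group("flags"), int(hdr.group("len")))
            continue
        flow = FLOW.match(line)
        if flow and pending:
            df, length = pending
            if df and length > mtu:
                hits.append((flow.group("src"), flow.group("dst"), length))
            pending = None
    return hits


if __name__ == "__main__":
    overhead = 100  # assumed tunnel overhead in bytes, not a measured value
    print("MSS to configure:", clamp_mss(1500, overhead))
    for src, dst, length in oversized_df_packets(SAMPLE, 1500 - overhead):
        print(f"{src} -> {dst}: {length}-byte packet with DF set exceeds tunnel MTU")
```

Packets flagged here cannot be fragmented in transit, so they depend on ICMP "fragmentation needed" messages reaching the sender; lowering the MTU or MSS as the reply suggests keeps them under the limit in the first place.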

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.