Replacing PIX 515 with ASA 5510 results in MTU problems.

Hi all,

We've replaced our old PIX 515 firewall with a newly bought ASA 5510.

Now some of our customers complain because they cannot log in on our website. We use the Verisign Certificates plugin to authenticate users on our website.

Everything else is working except the login procedure.

Now a helpdesk employee of some internet provider told a customer to lower the MTU; it seemed that using some kind of application (for example our Verisign plugin) resulted in failing connections.

The customer lowered the MTU and indeed, the problem disappeared.

Now as far as I know, I have exactly the same configuration on our ASA as we had on our PIX.

I even allowed all ICMP on inside and outside interfaces to allow "ICMP can't fragment (type 3, code 4)" and Path MTU Discovery.

Still, when users do not lower their MTU, they cannot log in.

Can anybody help me with what config I should check or what debugging I should monitor?

Thanks in advance!



Sebas wrote:

Perhaps this helps:

formatting link
Regards, Thorsten

Thorsten Dahm

Hi!

That seemed to be the workaround! Now find out why the MSS negotiation fails...

Tnx!

Sebas