VPN IPSec L2L between IOS and PIX 6.3 - MTU issue?

The remote (client) side is behind a PIX 6.3(5). The head-end (server) side is a 2911 running IOS 15.0.

The IPSec tunnel comes up fine and passes traffic. However, there is one server which is not fully accessible. Note that it is mainly web traffic.

The client initiates a connection to http://server:8000. It receives a redirect to http://server:8000/somepage.jspa. Packet captures show the client acknowledges the redirect with a SYN-ACK response, but then the connection just hangs and no other packets are received in return. I noticed that the redirected page is a .jsp and the other pages that work OK are not. I also noticed some MTU and TCP MSS configuration on the head-end side that is in place for another GRE VPN tunnel to another site. So I started wondering about packet fragmentation. The PIX side has all the standard IPSec configuration, as well as the default MTU on the inside and outside interfaces.

When the MTU is set manually to 1400 on the client computer, access to http://server:8000/somepage.jspa works fine. So I need to tweak the settings on the PIX. I tried adjusting the MTU size on the inside and outside interfaces as well as the "sysopt connection tcp-mss" parameter. I don't know what else to do here.

Here is a summary of the MTU settings on the head end:

Head end:

int tunnel0 (this is the GRE tunnel)
 ip mtu 1420
 tunnel source G0/0
 tunnel destination X.X.X.X
 tunnel path-mtu-discovery

crypto map vpn 1
 description GRE tunnel
 blah blah blah

crypto map vpn 2
 description IPSec tunnel
 blah blah blah

int g0/0 (external interface)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 crypto map vpn

int g0/1 (this is the interface to the server in question)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

Ha, sorry, my bad. I read the previous post wrong.

(Note: yes, the MSS on the tunnel interface should be 40 bytes less than the MTU.)

Don't tweak the MTU for TCP problems (not as the first step); it is safer to play with the MSS. The MTU may depend on other things (OSPF, for example).

Do a ping sweep with the DF bit set across a range of sizes (from 1300 bytes, for example). By doing this you find the maximum packet size you can get through the IPsec tunnel. Once you have this value, subtract 40 and set that as the MSS value on the LAN interface (and adjust the value on the PIX if you can).

M.
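The sweep M. describes, as an added example that is not part of the original thread: a POSIX shell script that binary-searches the largest DF-set ping payload that crosses the tunnel and turns it into the MSS value for "ip tcp adjust-mss" or "sysopt connection tcp-mss". It assumes Linux ping flags (-M do sets DF, -s sets the payload size); the host, size bounds and the substitutable probe function are constructed for illustration, and on IOS the equivalent is an extended ping with the DF bit set and a size sweep.

```shell
#!/bin/sh
# Added example, not from the original thread: find the largest ICMP payload
# that gets through with DF set, then derive the TCP MSS from the path MTU.
# Assumes Linux ping syntax: -M do = set DF (never fragment), -s = payload bytes.

# probe SIZE HOST: exit 0 if a DF-set ping with SIZE payload bytes is answered
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST LOW HIGH [PROBE]
# LOW is assumed to pass (the sweep's starting size, 1300 in the thread);
# HIGH is the upper bound to test. PROBE defaults to the real ping above and
# may be any function taking the same (SIZE HOST) arguments.
find_max_payload() {
    host=$1; lo=$2; hi=$3; fn=${4:-probe}
    if "$fn" "$hi" "$host"; then
        echo "$hi"              # whole range passes: no limit below HIGH
        return 0
    fi
    while [ $((hi - lo)) -gt 1 ]; do      # invariant: lo passes, hi fails
        mid=$(( (lo + hi) / 2 ))
        if "$fn" "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# ICMP payload + 20 bytes IPv4 header + 8 bytes ICMP header = path MTU
payload_to_mtu() { echo $(( $1 + 28 )); }

# MSS = MTU - 20 (IP) - 20 (TCP): the "subtract 40" from the answer above
mtu_to_mss() { echo $(( $1 - 40 )); }

# Stand-alone use: ./mtu_sweep.sh <host-behind-the-tunnel>
if [ -n "$1" ]; then
    max=$(find_max_payload "$1" 1300 1500)
    mtu=$(payload_to_mtu "$max")
    echo "largest DF payload $max bytes -> path MTU $mtu -> MSS $(mtu_to_mss "$mtu")"
fi
```

The start size must itself pass; if even 1300 bytes is dropped, lower LOW before trusting the result.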

Tags: Cisco Security

Similar Questions

  • AirDrop does not work between iOS and Mac devices... Does anyone have a good solution for it, or a lot of garbage to support?

    You want a solution? Why not tell us which Mac and Apple mobile devices you have, and the OS and version?

    Also, what troubleshooting steps did you take?

    We do not have a crystal ball, and we're not sitting next to you.

  • Commands between IOS and IOS-XE devices?

    Hi all,

    Is there a difference in commands between IOS and IOS-XE routers? If yes, can you please share more details on the same?

    Thank you

    Sunil Kumar

    Hello

    Most of the commands are the same for both IOS and IOS-XE.

    Here's more information:

    http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/iOS-...

    HTH

  • IPSec VPN between ASA and router

    Hello community,

    This is the first time for me configuring an IPSec VPN between an ASA and a router. I have an ASA 5540 at headquarters and an 877 router at the branch.

    Headquarters ASA summary:

    Peer IP: 111.111.111.111

    Local network: 10.0.0.0

    Branch:

    Peer IP: 123.123.123.123

    LAN: 192.168.1.0/24

    Please can someone help me set up the VPN.

    Hello

    This guide covers exactly what you need:

    ASDM and SDM setup - http://www.netcraftsmen.net/resources/archived-articles/273.html

    VPN tunnel - ASA to router configuration:

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM

    Kind regards

    Jimmy

  • VPN/IPSec L2L - question?

    Hello!

    Recently I was doing some troubleshooting on a VPN/IPSec LAN-to-LAN connection between a Cisco PIX 515E and a Linux firewall. My question concerns the configuration and not the problem itself.

    The interesting traffic (traffic to be encrypted) was defined and configured as the PIX LAN (inside) and the remote public IP? Which means that the IKE peer and the interesting remote LAN/IP are the same... and it works!

    Any ideas?

    Thank you

    JP

    As long as you source the packet from the local network of the PIX to the remote public IP, the tunnel will come up and work fine :-)

    So if you really look at the traffic flow, you're sourcing traffic from the PIX LAN destined to the remote public IP, which matches the defined access list. Thus the PIX knows it has to encrypt the traffic, looks up the crypto endpoints (PIX outside IP and remote public IP) and sends the encrypted packets. So this configuration works perfectly.

    In fact, the PIX will not allow Telnet to the outside interface of the PIX unless the traffic comes through an IPsec tunnel, and that was one of the setups that gave Telnet access to the outside interface of the PIX: from its LAN to the public IP of the PIX through an IPsec tunnel.

    Kind regards

    Arul

    * Please rate all useful messages *

  • It does not sync between iOS and a Windows laptop.

    I just downloaded Firefox for iOS and logged into my account from Firefox. I did the same thing on my Windows 10 laptop and synchronized them together. No history appeared. It says that I do not have all devices connected to this Firefox account to synchronize. What's wrong?

    Hello
    I understand that at the moment history is not synchronizing between an iOS device and desktop. I'm happy to help you.

    First of all, what steps did you take to see this "You do not have all devices connected to this Firefox account"? Second, in the sync settings on the PC, is history checked for synchronization?

    For troubleshooting, first try restarting the sync by going to the gear icon and logging out at the bottom of the menu. Clear cache, cookies and private data, then relaunch the app and log in again.

    Does this help?

  • IOS - help with IPsec L2L VPN with NAT

    Hello guys,

    I am trying to get a VPN to work for a specific scenario where I NAT the VPN traffic to avoid duplicate subnets.

    I found several guides on cisco.com, but none of the ones I found does (or shows how to do) overload NAT (for internet traffic), which I need for my setup.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

    Basically, I need to know how the configuration looks when you do static NAT in a VPN tunnel as well as provide internet connectivity using NAT on the same router?

    I have attached a drawing that should explain my needs better.

    Does someone know a guide that shows how to do this?

    Best regards

    Jesper

    You can use static policy NAT to NAT the traffic:

    access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.255
    access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.255
    access-list 102 permit ip 10.0.0.0 0.0.0.255 any
    !
    route-map policy-NAT permit 10
     match ip address 101
    !
    route-map internet-NAT permit 10
     match ip address 102
    !
    ip nat inside source static network 10.0.0.0 10.30.10.0 /24 route-map policy-NAT
    ip nat inside source route-map internet-NAT interface <outside-interface> overload

    Hope that helps.


  • Phase 2 tunnel not coming up between Watchguard and PIX 525

    Hi people,

    Can you please help me find where the problem lies. Currently I am trying to establish a VPN tunnel between a PIX firewall and a Watchguard. All settings on the two devices are the same, but the phase 2 tunnel is not coming up.

    Here is the debug:

    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0:0): detected NAT-D payload
    ISAKMP (0:0): NAT does not match MINE hash
    received hash: b3 8f bb 0 93 3b 65 e8 35 54 6 c4 cc 59 6f 6f
    my nat hash: dd 9 70 35 58 40 ac da 3b 5b 1b 4c 87 d2 11 fc
    ISAKMP (0:0): detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    received hash: ba 72 c5 e 5b fb 88 f0 1e ba c9 c6 c1 cc 8A f7
    his nat hash: c 4c 89 a5 66 dd 80 76 48 3f f0 56 ed b0 a5 c1
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP: Created a peer struct for 212.37.17.43, peer port 37905
    ISAKMP: Locking UDP_ENC struct 0x3cbb634 from crypto_ikmp_udp_enc_ike_init, count 1
    ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 0
        length       : 23
    ISAKMP (0): Total payload length: 27
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:212.37.17.43/4500 Total VPN Peers:16
    VPN Peer: ISAKMP: Peer ip:212.37.17.43/4500 Ref cnt incremented to:1 Total VPN Peers:16
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 3168983470
    ISAKMP (0): processing notify INITIAL_CONTACT
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 484086886
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP:   attributes in transform:
    ISAKMP:      SA life type in seconds
    ISAKMP:      SA life duration (basic) of 28800
    ISAKMP:      SA life type in kilobytes
    ISAKMP:      SA life duration (basic) of 32000
    ISAKMP:      encaps is 61433
    ISAKMP:      authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 287560609
    ISAMKP (0): received DPD_R_U_THERE from peer 213.210.211.82
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANSdebug
    ISAKMP (0): retransmitting phase 1 (0)...

    Thank you

    Ismail

    Hello

    From the debug, it seems that the parameters are not the same on the two devices:

    ISAKMP (0): atts not acceptable. Next payload is 0

    Please check the phase 2 settings and also make sure that you have PFS disabled on the Watchguard.

    * Please rate if helped.

    -Kanishka

  • Passing a trunk between Catalyst and PIX

    Hello

    Yesterday I had a very good response on the forum on how to create VLANs on the PIX. I created the subinterfaces and VLANs with their respective IDs, and configured the IP addresses as well. I did the same on the Catalyst switch: created the SVIs and assigned their IP addresses. The Cat switch shows the port is trunking correctly, but I can't ping from the PIX to the switch or vice versa. Help, please.

    RVR

    Is it possible for you to show the configuration of the PIX? At least the interface configuration?

    And the trunk configuration on the switch interface?

    Regards

    Farrukh

  • Media sync problems between iOS and Adobe Premiere

    I tried syncing a test Adobe Premiere Clip iOS app project to Adobe Premiere today. I just added a few clips and sent them to Premiere. However, when trying to open the XML file in the Creative Files folder I just get:

    "The project could not be loaded, it may be damaged or contain obsolete items."

    I tried several times. I also set my Adobe project to 30 frames per second, the same as the source media.

    No luck.

    Can anyone guide me?

    TNX

    Hi Max,

    This problem has been resolved, no need to go back to 8.1.

    Best,

    Bronwyn

    Community Manager for Adobe Premiere Clip

  • ASA 5510 L2L VPN between Azure static gateway and branches

    Hello

    I am trying to configure an ASA to operate as a hub between two site-to-site VPNs, one to our office and the other to Azure.

    i.e.

    Office <-- internet --> ASA <-- internet --> Azure

    From both sites I can establish a VPN to the hosts behind the ASA and access our data center network, but I can't seem to get end-to-end connectivity from Azure to our office or vice versa.

    Any ideas on what I can try, as I have been hitting my head against a wall with this one.

    Hello

    If traffic also came from the Azure side to the office network, then it would seem that there is a problem with the L2L VPN configuration between the ASA and Azure, most probably on the Azure side.

    -Jouni

  • I get an error message when debugging an ipsec-l2l tunnel

    Hello

    Can someone help me understand the debug message?
    I get an error message when debugging an ipsec-l2l tunnel.

    I tried to configure an ASA 5520 with an ipsec-l2l to an IOS 1721 router.

    = 1721 router =

    Cisco 1721 (flash: c1700-k9o3sy7-mz.123-2.XC2.bin)
    outside 80.89.47.102
    inside 10.100.110.1 255.255.255.0

    debug crypto ipsec
    debug crypto isakmp

    -config-
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key 0 1234567890 address 128.39.189.10
    !
    !
    crypto ipsec transform-set pix-set esp-3des
    !
    crypto map asa 10 ipsec-isakmp
     set peer 128.39.189.10
     set transform-set pix-set
     match address 101
    !
    !
    interface FastEthernet0
     description Outside-interface
     ip address 80.89.47.102 255.255.255.252
     ip nat outside
     crypto map asa
    !
    interface Vlan10
     description Inside
     ip address 10.100.110.1 255.255.255.0
     ip nat inside
    !
    !
    ip nat inside source route-map sheep interface FastEthernet0 overload
    !
    access-list 101 permit ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
    !
    access-list 110 deny ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
    access-list 110 permit ip 10.100.110.0 0.0.0.255 any
    !
    route-map sheep permit 10
     match ip address 110
    !

    = ASA config =

    Cisco ASA 5520 Version 8.2(1)
    outside 128.39.189.10
    inside 10.100.4.255 255.255.252.0

    debug crypto ipsec
    debug crypto isakmp

    -config-
    !
    access-list sheep extended permit ip 10.100.4.0 255.255.252.0 10.100.110.0 255.255.255.0
    !
    access-list outside110 extended permit ip 10.100.4.0 255.255.252.0 10.100.110.0 255.255.255.0
    !

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 11 match address outside110
    crypto map outside_map 11 set peer 80.89.47.102
    crypto map outside_map 11 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    !

    group-policy DfltGrpPolicy attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec

    !

    tunnel-group 80.89.47.102 type ipsec-l2l
    tunnel-group 80.89.47.102 ipsec-attributes
     pre-shared-key 1234567890

    Regards
    Tor

    Do you have a transform set defined on the ASA named ESP-3DES-MD5? Your crypto map refers to it, but I don't see it listed in the config you have posted. I don't have much experience with routers, but is MD5 the hashing algorithm (and if not, why not)?

    James

  • iOS and Cisco RV082

    Is there a way to create an IPSec VPN tunnel between my Cisco RV082 and my iOS devices? The reason is very simple: I do not have access to enough PPTP connections; 5 is a low offer when you use 10+ mobile connections.

    Apple mobile devices can't connect to the IPsec implementation in Cisco Small Business routers :-(

  • Cisco IPSec VPN help please

    Hi all,

    I have 3 sites; the main site has a Cisco router/firewall.

    There is an existing IPsec VPN between the Cisco router and another Cisco router at the 2nd site, and it works well.

    Now I've added another VPN between a 3rd site and the main site. The router on the 3rd site is a MikroTik firewall.

    I had the VPN up between the main site and the 3rd site where the MikroTik firewall is, and it worked well.

    Then, for some reason, the VPN with the 3rd site failed and I could not get it working again.

    When looking for answers, I see that the VPN for the 3rd site states the following:

    #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    It seems that no traffic is coming back to the Cisco.

    I also found the output below while diagnosing the problem.

    It seems that there is communication, but if I read this right, it looks like the Cisco established a new node but the other end does not have the new node:

    set new node -1868419487

    deleting node -1868419487 error FALSE reason "Informational (in) state 1"

    Any help would be appreciated.

    *Jul 22 02:49:51.911: ISAKMP:(2060):purging node -1140469772
    *Jul 22 02:49:59.723: ISAKMP: DPD received KMI message.
    *Jul 22 02:49:59.723: ISAKMP: set new node 1053074288 to QM_IDLE
    *Jul 22 02:49:59.723: ISAKMP:(2060):sending NOTIFY DPD/R_U_THERE protocol 1
        spi 2273844328, message ID = 1053074288
    *Jul 22 02:49:59.723: ISAKMP:(2060): seq. no 0x645EC368
    *Jul 22 02:49:59.723: ISAKMP:(2060): sending packet to x.x.x.127 my_port 500 peer_port 500 (R) QM_IDLE
    *Jul 22 02:49:59.723: ISAKMP:(2060):Sending an IKE IPv4 Packet.
    *Jul 22 02:49:59.723: ISAKMP:(2060):purging node 1053074288
    *Jul 22 02:49:59.767: ISAKMP (2060): received packet from x.x.x.127 dport 500 sport 500 Global (R) QM_IDLE
    *Jul 22 02:49:59.767: ISAKMP: set new node -1868419487 to QM_IDLE
    *Jul 22 02:49:59.771: ISAKMP:(2060): processing HASH payload. message ID = 2426547809
    *Jul 22 02:49:59.771: ISAKMP:(2060): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 0, message ID = 2426547809, sa = 0x8705F854
    *Jul 22 02:49:59.771: ISAKMP:(2060): DPD/R_U_THERE_ACK received from peer 125.236.211.127, sequence 0x645EC368
    *Jul 22 02:49:59.771: ISAKMP:(2060):deleting node -1868419487 error FALSE reason "Informational (in) state 1"
    *Jul 22 02:49:59.771: ISAKMP:(2060):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jul 22 02:49:59.771: ISAKMP:(2060):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    *Jul 22 02:50:01.111: ISAKMP:(2060):purging node -1201068805

    Comparing the encrypt counters of 46 to 47436, it seems that the router is encrypting the traffic, but we do not get any interesting traffic back from the remote side.

    Most likely you want to check on the remote site whether the decrypt counters are incrementing in parallel with the encrypt counters, or not.

    On the IOS router, if the encrypt counters are incrementing, also confirm that you do not have any existing tunnel with the same proxy IDs already negotiated with another peer.

    Finally, please make sure that ESP (protocol 50) traffic is not blocked in transit.
    I hope this helps.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • IPsec VPN questions

    Hello

    I have 2 questions about IPsec VPN.

    I have an ASA with an IPsec VPN (L2L) running to a remote site with the 192.168.0.0/24 network.

    1 > I can ping 192.168.0.1 but not 192.168.0.111. I observed "Recv errors" whenever I pinged 192.168.0.111.

    I observed the received errors in the "show crypto ipsec sa" output; but not after the tunnel reconnected (after timeout), and without any changes made to the configuration.

    What could be the cause, and how can I fix it in case the errors return? I can't find much info on "recv errors."

    2 > I understand there are 2 ACLs required for a typical IPsec VPN: 1 for no-NAT, 1 for the crypto map match address.

    Can I implement an ACL to allow only TCP 3389 from the remote network to my local network on the ASA?

    Thank you

    cash

    Hi cash,

    There is not a lot we can do here as far as this issue is concerned.

    You can talk to your service provider and see if they are modifying the packets somehow.

    Also ask them to check for any problem on the circuit.

    See you soon,

    Nash.
