Cisco Remote Access VPN dropping certain traffic

Discussion in 'Cisco' started by sri.sangameswaran, Aug 6, 2007.

  1. Hi All,

    We have a Cisco ASA 5510 in our office. We have configured a VPN to allow
    remote users to dial in to the network.

    There is no problem in establishing VPN connectivity. But users are
    not able to SSH to some of the Linux servers.

    For example, I have server A and server B. I am able to SSH to server
    A but not to server B.

    When I used the tcpdump utility on the servers, I came to know that server
    A is receiving all packets from the remote access VPN machine with the DF bit
    set. But when I looked into server B, it receives packets without the DF
    bit set. I am not sure whether this is the root cause of the problem.

    I would appreciate help on this. If required, I will send my Cisco

    sri.sangameswaran, Aug 6, 2007
  2. Scott Perry (Guest)

    The IP MTU or the TCP MSS must be set lower.

    On an ethernet network, the maximum transmittable unit size is about 1500
    bytes. Your data has to be able to handle the addition of a TCP header, an
    IP header, and then an ethernet header which cannot exceed 1500 bytes when
    working over ethernet.

    A VPN connection makes this worse by adding an IPsec header. In some cases,
    a GRE tunnel header might also be added.

    Make the client computers use a lower MTU or set the MTU lower on the
    interface of the device facing the device with the VPN connection.

    Scott Perry
    Indianapolis, Indiana
    Scott Perry, Aug 6, 2007
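A worked version of the header arithmetic in Scott's reply, added here as an example (it is not code from either poster). It computes the largest TCP MSS that still fits a 1500-byte Ethernet MTU after ESP tunnel-mode encapsulation, optionally with GRE or NAT-T, and then scans `tcpdump -v` output for DF-marked packets too large to enter the tunnel, which is the check the original poster was doing by hand. Header sizes are standard IPv4/ESP values; the cipher parameters (16-byte IV, 12-byte ICV) and the tcpdump lines are assumptions constructed for the example.

```python
import re

ETH_MTU, IPV4_HDR, TCP_HDR = 1500, 20, 20   # TCP without options
GRE_HDR, NAT_T_UDP = 4, 8                   # plain GRE; UDP/4500 NAT-T wrapper

def esp_overhead(inner_len, block=16, iv=16, icv=12):
    """Bytes ESP adds around an inner packet (assumes a CBC cipher with a
    16-byte IV and a 96-bit HMAC ICV; adjust for other transforms)."""
    pad = (-(inner_len + 2)) % block          # trailer (pad len + next hdr) aligned to block
    return 4 + 4 + iv + pad + 2 + icv         # SPI + seq + IV + padding + trailer + ICV

def encapsulated_size(mss, gre=False, nat_t=False):
    """Wire size of a TCP segment with `mss` payload bytes after ESP tunnel mode."""
    inner = IPV4_HDR + TCP_HDR + mss
    if gre:                                   # GRE header plus its delivery IP header
        inner += GRE_HDR + IPV4_HDR
    outer = inner + esp_overhead(inner) + IPV4_HDR
    return outer + NAT_T_UDP if nat_t else outer

def max_mss(mtu=ETH_MTU, gre=False, nat_t=False):
    """Largest TCP MSS whose encapsulated segment still fits in `mtu`."""
    mss = mtu - IPV4_HDR - TCP_HDR            # 1460 on plain Ethernet
    while encapsulated_size(mss, gre, nat_t) > mtu:
        mss -= 1
    return mss

# Constructed `tcpdump -v` lines: two DF-marked segments and one without DF.
TCPDUMP_SAMPLE = """\
12:00:01.000001 IP (tos 0x0, ttl 63, id 101, offset 0, flags [DF], proto TCP (6), length 1500)
    10.8.0.5.51234 > 192.168.1.20.22: Flags [P.], seq 1:1461, ack 1, win 501, length 1460
12:00:01.000002 IP (tos 0x0, ttl 63, id 102, offset 0, flags [DF], proto TCP (6), length 120)
    10.8.0.5.51234 > 192.168.1.20.22: Flags [P.], seq 1461:1541, ack 1, win 501, length 80
12:00:01.000003 IP (tos 0x0, ttl 63, id 103, offset 0, flags [none], proto TCP (6), length 1500)
    10.8.0.7.40000 > 192.168.1.21.22: Flags [P.], seq 1:1461, ack 1, win 501, length 1460
"""
LINE_RE = re.compile(r"id (\d+), offset \d+, flags \[([^\]]*)\],.*?length (\d+)\)")

def df_oversized(tcpdump_text, mtu=ETH_MTU, gre=False, nat_t=False):
    """IP ids of DF-marked packets too big to enter the tunnel unfragmented;
    these are the ones a VPN gateway drops or answers with ICMP 'frag needed'."""
    limit = max_mss(mtu, gre, nat_t) + IPV4_HDR + TCP_HDR   # largest inner IP packet
    return [int(m.group(1)) for m in LINE_RE.finditer(tcpdump_text)
            if "DF" in m.group(2) and int(m.group(3)) > limit]
```

With these assumed parameters `max_mss()` comes out at 1398 (1382 behind NAT-T), which is the kind of value to clamp the TCP MSS to on the VPN device or the clients.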
