td_miles
asked on
PIX v7 - fragmentation & MTU's
Hi all,
I have a situation where I have upgraded one of our PIX to 7.0.4 (from 6.3.5) and a few things have broken. The layout of the PIX looks like this:
home PIX --VPN-- support PIX ---LAN--- main PIX ---VPN--- store PIX
So there are FOUR PIX firewalls in use:
home PIX - PIX 501 v6.3.5, used to allow the support personel remote access to the corporate LAN and the store PC's.
support PIX - PIX 501 v6.3.5, used to get around the earlier issue with PIX that traffic coming in one VPN tunnel couldn't be routed back out of the same interface to another tunnel.
main PIX - PIX 515E v7.0.4, all of the stores (140 of them) have a VPN tunnel to this PIX.
store PIX - PIC 501 v6.3.1-6.3.5 (varies)
So for a support person to get remote access to a store PC the packets travels across VPN to the main office via an IPSec tunnel between home PIX & support PIX, across the LAN between support PIX & main PIX and then across IPSec tunnel between main PIX and store PIX before finally getting to store PC.
(hope this all makes sense)
The problem I have is that after upgrading the main PIX to 7.0.4 certain things don't work for the support people at home. The most notable being windows file browsing/transfer and PcAnywhere connections lockup after only a few seconds (they connect most of the time). Prior to the upgrade on the main PIX everything was working flawlessly for over 2 years now.
From past experience the problems I am seeing sometimes point to MTU/fragmentation issues.
My question is what does the 7.0.4 code do (or not do) that the 6.3.5 does ?
From the "sho run all" output (7.0.4), the following lines look interesting:
crypto ipsec fragmentation before-encryption outside
crypto ipsec fragmentation before-encryption inside
crypto ipsec df-bit copy-df outside
crypto ipsec df-bit copy-df inside
I've looked in the command reference, but the description is very basic in that it is simply a description and doesn't really explain to much what the commands DO.
Can anyone make any suggestions on what the problem might be. Rverting back to 6.3.5 is NOT an option.
I have logged a case with TAC, but is it just me or does anyone else find them increasingly less useful in that they don't seem to have good product knowledge anymore. Especially with the v7 OS. The problem is clearly related to something that has changed in the upgrade, so I would expect they might be focussing on what has changed, but most of the support people don't really seem to have any knowledge of the v7 OS and it's changes. I'm turning to EE in the hope that I might get a quicker resoution here. Thanks.
I have a situation where I have upgraded one of our PIX to 7.0.4 (from 6.3.5) and a few things have broken. The layout of the PIX looks like this:
home PIX --VPN-- support PIX ---LAN--- main PIX ---VPN--- store PIX
So there are FOUR PIX firewalls in use:
home PIX - PIX 501 v6.3.5, used to allow the support personel remote access to the corporate LAN and the store PC's.
support PIX - PIX 501 v6.3.5, used to get around the earlier issue with PIX that traffic coming in one VPN tunnel couldn't be routed back out of the same interface to another tunnel.
main PIX - PIX 515E v7.0.4, all of the stores (140 of them) have a VPN tunnel to this PIX.
store PIX - PIC 501 v6.3.1-6.3.5 (varies)
So for a support person to get remote access to a store PC the packets travels across VPN to the main office via an IPSec tunnel between home PIX & support PIX, across the LAN between support PIX & main PIX and then across IPSec tunnel between main PIX and store PIX before finally getting to store PC.
(hope this all makes sense)
The problem I have is that after upgrading the main PIX to 7.0.4 certain things don't work for the support people at home. The most notable being windows file browsing/transfer and PcAnywhere connections lockup after only a few seconds (they connect most of the time). Prior to the upgrade on the main PIX everything was working flawlessly for over 2 years now.
From past experience the problems I am seeing sometimes point to MTU/fragmentation issues.
My question is what does the 7.0.4 code do (or not do) that the 6.3.5 does ?
From the "sho run all" output (7.0.4), the following lines look interesting:
crypto ipsec fragmentation before-encryption outside
crypto ipsec fragmentation before-encryption inside
crypto ipsec df-bit copy-df outside
crypto ipsec df-bit copy-df inside
I've looked in the command reference, but the description is very basic in that it is simply a description and doesn't really explain to much what the commands DO.
Can anyone make any suggestions on what the problem might be. Rverting back to 6.3.5 is NOT an option.
I have logged a case with TAC, but is it just me or does anyone else find them increasingly less useful in that they don't seem to have good product knowledge anymore. Especially with the v7 OS. The problem is clearly related to something that has changed in the upgrade, so I would expect they might be focussing on what has changed, but most of the support people don't really seem to have any knowledge of the v7 OS and it's changes. I'm turning to EE in the hope that I might get a quicker resoution here. Thanks.
1300 seems very small for the tunnels.
How are they connected ?
How are they connected ?
ASKER
well, according to Cisco in the command reference:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
So 1380 is the deafult that it is set to. I was having issues so 1300 is a nice round number to set it to. 1300 is also the number that the Cisco VPN client sets the MTU to when you install it on a PC.
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
So 1380 is the deafult that it is set to. I was having issues so 1300 is a nice round number to set it to. 1300 is also the number that the Cisco VPN client sets the MTU to when you install it on a PC.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
sysopt connection tcpmss 1300
will be requesting refund on this question.