Cisco ASA 5505 with constant PMTU-D issues

Asked by Eirejp (Japan):

Hi All,

We have a Cisco ASA 5505 running an MTU of 1454 on the outside interface, which worked when connecting a laptop directly to the connection. The connection is 100 Mb fiber with PPPoE authentication. We are also running two site-to-site VPNs.

When users browse to certain websites they won't come up, and you can see the ASA constantly coming up with PMTU-D issues when users browse these sites (one example being experts-exchange).

I have added icmp error to the inspect policy and tried to allow ICMP inbound, but we still can't browse these websites.

Any ideas?


ASA Version 8.2(3) 
!
no names
name *** ***
name *** ***
!
interface Ethernet0/0
 description TO-OUTSIDE
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.121.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group *ppoe*
 ip address pppoe setroute 
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ***
object-group icmp-type ICMP
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object unreachable
 icmp-object time-exceeded
object-group network ***
 network-object *** 255.255.255.0
 network-object *** 255.255.255.0
object-group network PRODUCTION-NETWORK
 network-object 192.168.226.0 255.255.255.0
object-group network DR-NETWORK
 network-object 10.70.92.0 255.255.255.0
object-group network LOCAL-NETWORK
 network-object 192.168.121.0 255.255.255.0
access-list outside_access_in extended permit ip object-group *** any 
access-list outside_access_in extended permit icmp any any object-group ICMP 
access-list outside_access_in extended permit icmp any any unreachable 
access-list vpn2prod extended permit ip object-group LOCAL-NETWORK object-group PRODUCTION-NETWORK 
access-list vpn2dr extended permit ip object-group LOCAL-NETWORK object-group DR-NETWORK 
access-list nonat extended permit ip object-group LOCAL-NETWORK object-group PRODUCTION-NETWORK 
access-list nonat extended permit ip object-group LOCAL-NETWORK object-group DR-NETWORK 
access-list tcp-traffic extended permit tcp any any 
access-list test extended permit ip host 192.168.121.1 host 192.168.226.241 
access-list test extended permit ip host 192.168.226.241 host 192.168.121.1 
access-list test1 extended permit ip host 192.168.121.15 host 192.168.226.42 
access-list test1 extended permit ip host 192.168.226.42 host 192.168.121.15 
!
tcp-map allow-probes
  tcp-options range 76 77 allow
!
pager lines 24
logging enable
logging timestamp
logging standby
logging buffered warnings
logging trap informational
logging asdm informational
logging queue 1000
logging device-id hostname
logging host outside ***
logging class auth buffered informational console informational monitor informational trap informational 
logging class webvpn buffered informational console informational monitor informational trap informational 
logging class svc buffered informational console informational monitor informational trap informational 
logging class ssl buffered informational console informational monitor informational trap informational 
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1454
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit *** 255.255.255.0 outside
icmp permit *** 255.255.255.0 outside
icmp permit host *** outside
icmp permit host *** outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.121.0 255.255.255.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http *** 255.255.255.0 outside
http *** 255.255.255.0 outside
http 192.168.121.0 255.255.255.0 inside
snmp-server host outside *** community *****
snmp-server host outside *** community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto map *** 10 match address vpn2prod
crypto map *** 10 set peer ***
crypto map *** 10 set transform-set ESP-3DES-SHA
crypto map *** 20 match address vpn2dr
crypto map *** 20 set peer ***
crypto map *** 20 set transform-set ESP-3DES-SHA
crypto map *** interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.11.0 255.255.255.0 inside
telnet 192.168.226.0 255.255.255.0 inside
telnet 192.168.121.0 255.255.255.0 inside
telnet timeout 5
ssh *** 255.255.255.0 outside
ssh *** 255.255.255.0 outside
ssh timeout 5
console timeout 0
management-access inside
*pppoe dialer info omitted*
dhcpd dns 192.168.226.42 10.70.92.11
dhcpd domain ***
!
dhcpd address 192.168.121.10-192.168.121.31 inside
dhcpd enable inside
!
priority-queue outside
  tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Site2Site internal
group-policy Site2Site attributes
 vpn-idle-timeout none
tunnel-group ***type ipsec-l2l
tunnel-group ***general-attributes
 default-group-policy Site2Site
tunnel-group ***ipsec-attributes
 pre-shared-key *****
tunnel-group ***type ipsec-l2l
tunnel-group ***general-attributes
 default-group-policy Site2Site
tunnel-group ***ipsec-attributes
 pre-shared-key *****
!
class-map VOICE
 match dscp ef 
class-map tcp-traffic
 match access-list tcp-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
 class tcp-traffic
  set connection advanced-options allow-probes
policy-map VOICEPOLICY
 class VOICE
  priority
!
service-policy global_policy global
service-policy VOICEPOLICY interface outside
prompt hostname context


Les Moore (United States):

You might find something useful in this Cisco article. It sounds like the problem you describe:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
Eirejp (asker):

Thanks lrmoore,

I am not an expert at ASA, but this does help. It is more specific to certain websites, though: you collect a list of them and build an ACL based on those websites. Collecting a list of IPs across the internet would be a lot of work.

Do you know of a more global method to fix this?

Just create an ACL with any any instead.

pixfirewall(config)#access-list http-list2 permit tcp any any
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match access-list http-list2
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 interface outside
Eirejp (asker):

If I look in the GUI I can see it says that Exceed MSS is already set to Allow, so unfortunately this doesn't solve the problem.

Eirejp (asker):

Sorry, this was supposed to be posted before my last post.

I applied the configuration without error, but one command did not show up in the show run, as if it was already the default:
"exceed-mss allow"

So it looks like it applied an empty policy to the external interface. I tried a couple of times, but the tcp-map tcp-mss-map comes up blank.

I am still seeing these sorts of errors in the logs:
PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=[WAN IP], src_addr=[Random web site], prot=tcp

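The log line quoted above carries the two numbers that matter when sizing an MSS fix: the length of the segment the ASA refused to forward and the effective MTU it was measured against. The script below is an added example for this thread, not code from the original posts or from Cisco's article. It parses that message format, works out the TCP MSS that would have fitted the effective MTU, and checks that figure against an MSS clamp such as the ASA's `sysopt connection tcpmss` value (1380 is taken here as the platform default; treat that number as an assumption and confirm it on your own build). The sample log lines are constructed, with RFC 5737 documentation addresses standing in for the redacted ones, and the header arithmetic assumes IPv4 and TCP without options. The point it makes about the `exceed-mss allow` tcp-map in Les Moore's reply is that permitting oversized segments through the firewall is a different control from clamping the MSS the endpoints negotiate: a 1420-byte segment is still 370 bytes too large for a 1050-byte path whether or not it is allowed to exceed the advertised MSS.

```python
"""Parse the ASA "PMTU-D packet ... greater than effective mtu" syslog text and
compute the TCP MSS that would have kept those segments within the effective MTU.

Added example for this thread; not code from the original posts or from Cisco.
Every constant marked "assumption" below is illustrative, not taken from the page.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

IPV4_HEADER = 20           # bytes, no IP options (assumption)
TCP_HEADER = 20            # bytes, no TCP options (assumption)
ASA_DEFAULT_TCPMSS = 1380  # 'sysopt connection tcpmss' default used for the check (assumption)

# Message format copied from the line quoted in the thread; the numeric syslog ID
# is not shown there, so the pattern matches on the text alone.
PMTUD_RE = re.compile(
    r"PMTU-D packet (?P<pkt>\d+) bytes greater than effective mtu (?P<mtu>\d+), "
    r"dest_addr=(?P<dst>[^,]+), src_addr=(?P<src>[^,]+), prot=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class PmtudEvent:
    packet_len: int
    effective_mtu: int
    dest: str
    src: str
    proto: str

    @property
    def excess(self) -> int:
        """Bytes by which the dropped packet exceeded the effective MTU."""
        return self.packet_len - self.effective_mtu


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload per segment that fits an IPv4 path of this MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def parse_pmtud(line: str) -> Optional[PmtudEvent]:
    """Return the parsed event, or None when the line is not a PMTU-D message."""
    m = PMTUD_RE.search(line)
    if not m:
        return None
    return PmtudEvent(
        packet_len=int(m["pkt"]),
        effective_mtu=int(m["mtu"]),
        dest=m["dst"].strip(),
        src=m["src"].strip(),
        proto=m["proto"],
    )


def clamp_is_sufficient(effective_mtu: int, configured_mss: int = ASA_DEFAULT_TCPMSS) -> bool:
    """True when an MSS clamp at configured_mss keeps full segments within effective_mtu."""
    return configured_mss <= mss_for_mtu(effective_mtu)


def summarize(lines: Iterable[str]) -> Optional[dict]:
    """Aggregate PMTU-D events and suggest an MSS for the smallest effective MTU seen."""
    events = [e for e in (parse_pmtud(line) for line in lines) if e is not None]
    if not events:
        return None
    worst_mtu = min(e.effective_mtu for e in events)
    return {
        "events": len(events),
        "largest_packet": max(e.packet_len for e in events),
        "min_effective_mtu": worst_mtu,
        "suggested_mss": mss_for_mtu(worst_mtu),
        "default_clamp_sufficient": clamp_is_sufficient(worst_mtu),
    }


# Constructed sample log lines modelled on the one quoted in the thread
# (RFC 5737 documentation addresses stand in for the redacted ones).
SAMPLE_LOG = [
    "PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=203.0.113.10, src_addr=198.51.100.7, prot=tcp",
    "constructed non-matching line: Built outbound TCP connection 12345 for outside:198.51.100.7/443",
    "PMTU-D packet 1500 bytes greater than effective mtu 1454, dest_addr=203.0.113.10, src_addr=198.51.100.22, prot=tcp",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_pmtud(line)
        if ev:
            print(f"{ev.src} -> {ev.dest}: {ev.packet_len}B exceeds MTU {ev.effective_mtu} by {ev.excess}B; "
                  f"MSS that fits: {mss_for_mtu(ev.effective_mtu)}")
    print(summarize(SAMPLE_LOG))
```

Feed it the PMTU-D lines from the ASA's syslog server and read `suggested_mss` against whatever `sysopt connection tcpmss` the box actually has: when `default_clamp_sufficient` is false, as it is for the 1050-byte effective MTU quoted here, allowing oversized segments through will not stop the drops because the endpoints are still told they may send 1380-byte segments.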

Eirejp (asker):

On the ASDM when I go to Firewall -> Advanced -> Fragment I see the below.

Interface: inside
    Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Queue: 0, Assembled: 0, Fail: 1, Overflow: 0
Interface: outside
    Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Queue: 0, Assembled: 282, Fail: 13235, Overflow: 0

Outside and inside are both set to
Size 200
Chain Length 24
Timeout 5

Not sure if that helps.
ASKER CERTIFIED SOLUTION (by Eirejp, Japan)

Eirejp (asker):

Although I believe lrmoore's advice would have worked for other people experiencing similar problems, this was an issue with the ASA itself.