Eirejp
asked on
Cisco ASA 5505 with constant PMTU-D issues
Hi All,
We have a Cisco ASA 5505 running an MTU of 1454 on the outside interface, which worked when connecting a laptop directly to the connection. The connection is a 100mb fiber with PPPoE authentication. We are also running two site-to-site VPNs.
When users browse to certain websites they won't come up, and you can see the ASA constantly coming up with PMTU-D issues when users browse these sites (one example being experts-exchange).
I have added icmp error to the inspect policy and tried to allow icmp inbound, but we still can't browse these websites.
Any ideas?
ASA Version 8.2(3)
!
no names
name *** ***
name *** ***
!
interface Ethernet0/0
description TO-OUTSIDE
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.121.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group *ppoe*
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name ***
object-group icmp-type ICMP
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
object-group network ***
network-object *** 255.255.255.0
network-object *** 255.255.255.0
object-group network PRODUCTION-NETWORK
network-object 192.168.226.0 255.255.255.0
object-group network DR-NETWORK
network-object 10.70.92.0 255.255.255.0
object-group network LOCAL-NETWORK
network-object 192.168.121.0 255.255.255.0
access-list outside_access_in extended permit ip object-group *** any
access-list outside_access_in extended permit icmp any any object-group ICMP
access-list outside_access_in extended permit icmp any any unreachable
access-list vpn2prod extended permit ip object-group LOCAL-NETWORK object-group PRODUCTION-NETWORK
access-list vpn2dr extended permit ip object-group LOCAL-NETWORK object-group DR-NETWORK
access-list nonat extended permit ip object-group LOCAL-NETWORK object-group PRODUCTION-NETWORK
access-list nonat extended permit ip object-group LOCAL-NETWORK object-group DR-NETWORK
access-list tcp-traffic extended permit tcp any any
access-list test extended permit ip host 192.168.121.1 host 192.168.226.241
access-list test extended permit ip host 192.168.226.241 host 192.168.121.1
access-list test1 extended permit ip host 192.168.121.15 host 192.168.226.42
access-list test1 extended permit ip host 192.168.226.42 host 192.168.121.15
!
tcp-map allow-probes
tcp-options range 76 77 allow
!
pager lines 24
logging enable
logging timestamp
logging standby
logging buffered warnings
logging trap informational
logging asdm informational
logging queue 1000
logging device-id hostname
logging host outside ***
logging class auth buffered informational console informational monitor informational trap informational
logging class webvpn buffered informational console informational monitor informational trap informational
logging class svc buffered informational console informational monitor informational trap informational
logging class ssl buffered informational console informational monitor informational trap informational
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1454
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit *** 255.255.255.0 outside
icmp permit *** 255.255.255.0 outside
icmp permit host *** outside
icmp permit host *** outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.121.0 255.255.255.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http *** 255.255.255.0 outside
http *** 255.255.255.0 outside
http 192.168.121.0 255.255.255.0 inside
snmp-server host outside *** community *****
snmp-server host outside *** community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto map *** 10 match address vpn2prod
crypto map *** 10 set peer ***
crypto map *** 10 set transform-set ESP-3DES-SHA
crypto map *** 20 match address vpn2dr
crypto map *** 20 set peer ***
crypto map *** 20 set transform-set ESP-3DES-SHA
crypto map *** interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.11.0 255.255.255.0 inside
telnet 192.168.226.0 255.255.255.0 inside
telnet 192.168.121.0 255.255.255.0 inside
telnet timeout 5
ssh *** 255.255.255.0 outside
ssh *** 255.255.255.0 outside
ssh timeout 5
console timeout 0
management-access inside
*pppoe dialer info omitted*
dhcpd dns 192.168.226.42 10.70.92.11
dhcpd domain ***
!
dhcpd address 192.168.121.10-192.168.121.31 inside
dhcpd enable inside
!
priority-queue outside
tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Site2Site internal
group-policy Site2Site attributes
vpn-idle-timeout none
tunnel-group ***type ipsec-l2l
tunnel-group ***general-attributes
default-group-policy Site2Site
tunnel-group ***ipsec-attributes
pre-shared-key *****
tunnel-group ***type ipsec-l2l
tunnel-group ***general-attributes
default-group-policy Site2Site
tunnel-group ***ipsec-attributes
pre-shared-key *****
!
class-map VOICE
match dscp ef
class-map tcp-traffic
match access-list tcp-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
class tcp-traffic
set connection advanced-options allow-probes
policy-map VOICEPOLICY
class VOICE
priority
!
service-policy global_policy global
service-policy VOICEPOLICY interface outside
prompt hostname context
ASKER
Thanks lrmoore,
I am not an expert at ASA, but this does help, though it's more specific for certain websites that you can collect a list of and build an ACL based on. Collecting a list of IPs across the internet would be a lot of work.
Do you know of more of a global method to fix this?
Just create an acl with any any instead.
pixfirewall(config)#access-list http-list2 permit tcp any any
pixfirewall(config)#
pixfirewall#configure terminal
pixfirewall(config)#
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match access-list http-list2
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 interface outside
pixfirewall#
ASKER
If I look in the GUI I can see it says that Exceed MSS is already set to Allow so unfortunately this doesn't solve the problem.
ASKER
Sorry this was supposed to be posted before my last post.
I applied the configuration without error but one command did not show up in the show run as if it was already the default.
"exceed-mss allow"
So it looks like it applied an empty policy to the external interface. I tried a couple of times, but the tcp-map tcp-mss-map comes up blank.
I am still seeing these sorts of errors in the logs.
PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=[WAN IP], src_addr=[Random web site], prot=tcp
ASKER
On the ASDM when I go to Firewall -> Advanced -> Fragment I see the below.
Interface: inside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 1, Overflow: 0
Interface: outside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 282, Fail: 13235, Overflow: 0
Outside and inside interfaces are both set to
Size 200
Chain Length 24
Timeout 5
Not sure if that helps.
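Two things in this thread are worth reading with a script rather than by eye: the PMTU-D syslog text the asker quoted ("PMTU-D packet 1420 bytes greater than effective mtu 1050 ...") and the fragment counters from the ASDM Fragment page. The Python below is an added example, not code from the thread or from Cisco. It assumes only the message text format shown above (no syslog message ID is assumed) and the ASA default TCP MSS clamp of 1380 for `sysopt connection tcpmss`; the syslog sample lines are constructed with TEST-NET addresses, while the fragment counters are the ones the asker pasted. The useful check it makes: 1420 - 40 bytes of IPv4/TCP headers = 1380, i.e. the offending packets are already sized to the ASA's default MSS clamp, which is why `exceed-mss allow` changes nothing, and the MSS that would fit a 1050-byte effective MTU is 1010.

```python
"""Triage helpers for the two ASA outputs quoted in this thread (added example)."""
import re
from collections import Counter

# Message text as quoted in the thread; no syslog message ID assumed.
PMTUD_RE = re.compile(
    r"PMTU-D packet (?P<size>\d+) bytes greater than effective mtu (?P<mtu>\d+), "
    r"dest_addr=(?P<dst>[^,]+), src_addr=(?P<src>[^,]+), prot=(?P<proto>\w+)"
)
# One 'Interface:' block of the fragment statistics, as pasted by the asker.
FRAG_RE = re.compile(
    r"Interface: (?P<iface>\S+)\s+Size: (?P<size>\d+), Chain: (?P<chain>\d+), "
    r"Timeout: (?P<timeout>\d+), Reassembly: (?P<mode>\w+)\s+"
    r"Queue: (?P<queue>\d+), Assembled: (?P<assembled>\d+), "
    r"Fail: (?P<fail>\d+), Overflow: (?P<overflow>\d+)"
)
IPV4_TCP_HEADERS = 40       # 20-byte IPv4 header + 20-byte TCP header, no options
ASA_DEFAULT_TCPMSS = 1380   # ASA default for 'sysopt connection tcpmss'

# Constructed sample syslog lines (TEST-NET addresses), not the asker's real log.
SAMPLE_SYSLOG = [
    "PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=198.51.100.10, src_addr=203.0.113.5, prot=tcp",
    "PMTU-D packet 1420 bytes greater than effective mtu 1050, dest_addr=198.51.100.10, src_addr=203.0.113.5, prot=tcp",
    "PMTU-D packet 1380 bytes greater than effective mtu 1050, dest_addr=198.51.100.10, src_addr=203.0.113.77, prot=tcp",
    "some unrelated constructed log line that must be ignored",
]
# Fragment counters exactly as the asker pasted them.
SAMPLE_FRAGMENT = """\
Interface: inside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 1, Overflow: 0
Interface: outside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 282, Fail: 13235, Overflow: 0
"""


def parse_pmtud(lines):
    """Extract the PMTU-D events; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = PMTUD_RE.search(line)
        if m:
            events.append({"size": int(m["size"]), "mtu": int(m["mtu"]),
                           "dst": m["dst"].strip(), "src": m["src"].strip(),
                           "proto": m["proto"]})
    return events


def summarize_pmtud(events):
    """Group by effective MTU: hit count, largest packet, the MSS the peers are
    evidently using, and the MSS that would actually fit that path."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["mtu"], {"hits": 0, "max_packet": 0, "sources": Counter()})
        s["hits"] += 1
        s["max_packet"] = max(s["max_packet"], e["size"])
        s["sources"][e["src"]] += 1
    for mtu, s in summary.items():
        s["implied_mss"] = s["max_packet"] - IPV4_TCP_HEADERS   # payload the peer sends
        s["mss_to_fit"] = mtu - IPV4_TCP_HEADERS                # clamp that avoids the message
        s["default_clamp_in_effect"] = s["implied_mss"] == ASA_DEFAULT_TCPMSS
    return summary


def parse_fragment_stats(text):
    """Per interface: reassembly counters and the share of fragmented flows that failed."""
    stats = {}
    for m in FRAG_RE.finditer(text):
        assembled, fail = int(m["assembled"]), int(m["fail"])
        total = assembled + fail
        stats[m["iface"]] = {"assembled": assembled, "fail": fail,
                             "overflow": int(m["overflow"]),
                             "fail_ratio": (fail / total) if total else 0.0}
    return stats


if __name__ == "__main__":
    for mtu, s in summarize_pmtud(parse_pmtud(SAMPLE_SYSLOG)).items():
        print(f"effective mtu {mtu}: {s['hits']} hits, largest packet {s['max_packet']} bytes, "
              f"peer MSS ~{s['implied_mss']} (ASA default clamp: {s['default_clamp_in_effect']}), "
              f"MSS that would fit: {s['mss_to_fit']}")
    for iface, s in parse_fragment_stats(SAMPLE_FRAGMENT).items():
        print(f"{iface}: {s['fail']} of {s['fail'] + s['assembled']} reassemblies failed "
              f"({s['fail_ratio']:.1%})")
```

Run against a real buffered log, the per-source counter tells you whether the problem is a handful of sites or the whole path; a fail ratio near 100% on the outside fragment counters, as in the asker's numbers, says fragments are arriving but almost never reassembling, which points at the path rather than at any single website.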
ASKER CERTIFIED SOLUTION
ASKER
Although I believe lrmoore's advice would have worked for other people experiencing similar problems, this was an issue with the ASA itself.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml