[c-nsp] ASA SSLVPN pMTU-too-big messages not being sent

Bernhard Schmidt berni at birkenwald.de
Thu Jun 14 10:18:43 EDT 2012


Hello,

we have several ASA 5540 running 8.4(3) (among others) for SSLVPN
termination of our students. We have a long-standing issue where the ASA
does _not_ originate proper ICMP-too-big messages back to the sender
when a packet with DF-bit set addressed towards a VPN client is
received. The packet is just dropped with 

%ASA-6-602101: PMTU-D packet 1300 bytes greater than effective mtu 1206

I'm aware of the df-bit-ignore workaround, but is it really impossible
for the ASA to send a proper ICMP message? TCP connections usually work
fine thanks to MSS being pushed down by the client stack, but everything
involving other protocols just breaks.

I'm not really the ASA guy here, but I glanced over the config and I
could not find any bells ringing.

mtu Public 1500
mtu Private 1500
mtu management 1500
ipv6 icmp permit any Public
ipv6 icmp permit any Private
icmp unreachable rate-limit 100 burst-size 10
icmp permit any Public
icmp permit any Private

Any tips? Did anyone get this working?

Bernhard
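As an added example that is not part of Bernhard's post or of any Cisco tooling: a small Python script that (a) pulls the silent DF drops out of ASA syslog so you can see which VPN clients are being black-holed and what MSS would have kept TCP out of trouble, and (b) constructs the ICMPv4 "Fragmentation Needed" (type 3, code 4, RFC 1191 next-hop MTU) message that a PMTU-aware device would have sent back. Only the "%ASA-6-602101: PMTU-D packet 1300 bytes greater than effective mtu 1206" fragment is quoted in the post; the timestamp/host prefix, the other byte counts, the dest_addr= suffix and the IPv4 header bytes below are constructed for the example, and the ICMP builder only produces bytes, it does not put anything on the wire.

```python
import re
import struct
from collections import Counter

# Constructed sample syslog lines. Only the "%ASA-6-602101: PMTU-D packet 1300 bytes
# greater than effective mtu 1206" portion is quoted in the post; the timestamp/host
# prefix, the other byte counts and the dest_addr= suffix are made up here.
SAMPLE_LOG = """\
Jun 14 10:01:02 asa-vpn1 %ASA-6-602101: PMTU-D packet 1300 bytes greater than effective mtu 1206, dest_addr=198.51.100.23
Jun 14 10:01:03 asa-vpn1 %ASA-6-602101: PMTU-D packet 1400 bytes greater than effective mtu 1206, dest_addr=198.51.100.23
Jun 14 10:01:05 asa-vpn1 %ASA-6-302013: Built inbound TCP connection 12345 for Public:203.0.113.9/51234 (203.0.113.9/51234) to Private:10.0.0.5/443 (10.0.0.5/443)
Jun 14 10:01:07 asa-vpn1 %ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1206, dest_addr=198.51.100.77
"""

# The dest_addr= group is optional so the regex also matches the bare form quoted in the post.
PMTU_RE = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<pkt>\d+) bytes greater than effective mtu (?P<mtu>\d+)"
    r"(?:, dest_addr=(?P<dst>[0-9A-Fa-f.:]+))?"
)


def parse_pmtu_drops(log_text):
    """Return one dict per 602101 line: dropped packet size, effective MTU, destination (or None)."""
    drops = []
    for line in log_text.splitlines():
        m = PMTU_RE.search(line)
        if m:
            drops.append({"pkt": int(m["pkt"]), "mtu": int(m["mtu"]), "dst": m["dst"]})
    return drops


def drops_per_destination(drops):
    """Count silent DF drops per VPN client address: these are the black holes senders never hear about."""
    return Counter(d["dst"] for d in drops)


def tcp_mss_for_mtu(mtu, ipv6=False):
    """Largest TCP MSS that fits the effective MTU without fragmentation (fixed IP + TCP headers, no options)."""
    return mtu - (60 if ipv6 else 40)


def internet_checksum(data):
    """RFC 1071 ones'-complement checksum over data (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_frag_needed(next_hop_mtu, original_ip_header_plus_8):
    """Build the ICMPv4 Destination Unreachable / Fragmentation Needed message (type 3, code 4,
    RFC 792 layout with the RFC 1191 next-hop MTU in the last 16 bits of the second word),
    followed by the IP header and first 8 payload bytes of the dropped datagram. Returns raw bytes."""
    unchecksummed = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original_ip_header_plus_8
    csum = internet_checksum(unchecksummed)
    return unchecksummed[:2] + struct.pack("!H", csum) + unchecksummed[4:]


def icmp_next_hop_mtu(icmp_bytes):
    """Read the next-hop MTU back out of a type 3/code 4 message (what the sender's stack would adopt)."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp_bytes[:8])
    if icmp_type != 3 or code != 4:
        raise ValueError("not a Fragmentation Needed message")
    return mtu


if __name__ == "__main__":
    drops = parse_pmtu_drops(SAMPLE_LOG)
    for dst, n in drops_per_destination(drops).items():
        print(f"{dst}: {n} DF packet(s) silently dropped")
    mtu = min(d["mtu"] for d in drops)
    print(f"effective MTU {mtu}: clamp TCP MSS to {tcp_mss_for_mtu(mtu)} (IPv4) / {tcp_mss_for_mtu(mtu, ipv6=True)} (IPv6)")
    # Constructed 20-byte IPv4 header (bogus header checksum) + 8 payload bytes standing in for the dropped datagram.
    fake_ip_hdr = bytes.fromhex("4500051c000040004011000ac6336417c6336418") + b"\x00" * 8
    msg = icmp_frag_needed(mtu, fake_ip_hdr)
    print("ICMP Fragmentation Needed that should have gone back:", msg.hex())
```

The per-destination counter is the practical detection: a client address that keeps showing up here is one whose UDP/ESP-style traffic is dying silently, and the MSS figure is what a clamp on the inside interface would need to be for TCP to stay under the 1206-byte effective MTU. For IPv6 the equivalent message is ICMPv6 Packet Too Big (type 2), not built here.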
