Cisco ASA MTU vs TCP MSS

ciscocisco-asaipsecmtuvpn

I am trying to set jumbo MTU for Cisco ASA 5585 and I did following:

asa1/pri/act(config)# mtu inside 9000

INFO: Jumbo frames should be enabled to receive packets more than 1500 MTU
      Use 'jumbo-frame reservation' command to turn on jumbo frame

INFO: TCP MSS may need to be adjusted using 'sysopt connections tcpmss'
      command to pass large TCP segments

Now it is saying you may need to set sysopt connections tcpmss. I have noticed in my old Cisco ASA firewall it has the following setting because when we setup VPN IPsec with AWS they said do following recommended setting:

sysopt connection tcpmss 1379

Question is if I set sysopt connection tcpmss 9000 is it going to break anything in relation to the IPsec tunnel?

Best Answer

TCP MSS is just used to notify a sender of the max TCP segment size the receiver can accept. It does not include the TCP or IP headers. So if you set it to the same size as your MTU, by the time you add the relevant headers you can end up with a frame size larger than your MTU. At a minimum, you are creating a scenario where fragmentation has to occur in order to transmit the frame across the link or in the case of a TCP packet with a "Do Not Fragment" bit set, the frame won't be transmitted at all.

Related Solutions

Nat – ASA 5510 NAT stops working

Looking through the "fixed" bugs (8.2.5 Interim Release Notes):

CSCti62667 Connections stay open w/ 'sysopt connection timewait' & NetFlow
CSCtl06156 NAT Xlate idle timer doesn't reset with Conn.
CSCtr94429 ASA: Local-host and all conns are torn down when client hits conn limit

You've confirmed the system is not "Restricted(R)" -- unlimited interfaces and users. That's the most common reason for the failure mode you've described. (It stops allowing new connections.) Threat-detection could also result in new connections being dropped. Neither of these should cause traffic to stop for existing xlates.

clear xlate needs a follow up clear conn all to completely clear everything. If it's not clearing them, then there's something else wrong. (or they're being recreated instantly.)

Cisco documents the 5510 as supporting up to 50k (130k for a secplus license) concurrent connections. I'd be very surprised if you've hit that wall. (show conn count and look at the "most used". %ASA-5-321001 would be logged if you did.)

Beyond that, if it's not logging any reason(s) for dropping/refusing connections, I'm at a loss where else to look.

Vpn – DMVPN EIGRP Config Error – No EIGRP Hello packets sent out interface

I dont have any experience with multi-hub DMVPN, but it seems like you need to provide mapping from the tunnel address for the NHS's to their NBMA/external addresses under your tunnel interface at the spokes:

! on each spoke
int Tunnel1601
ip nhrp map 172.18.1.2 <NBMA Address for hub1>
ip nhrp map 172.18.1.3 <NBMA Address for hub2>
! probably also need to send multicast somewhere for EIGRP to form neighbors
ip nhrp map multicast <NBMA Address for hub1>
ip nhpp map multicast <NBMA Address for hub2>

I would not bother troubleshooting EIGRP until you get the DMVPN up and can ping between the tunnel IPs.

Best Answer

Related Solutions

Nat – ASA 5510 NAT stops working

Vpn – DMVPN EIGRP Config Error – No EIGRP Hello packets sent out interface

Related Topic