Small packets are working like ping
TCP 3 way handshake is setting up
However, when we move on to setting up a TLS / HTTPS connection it fails. This points to the client's MTU being larger than the MTU somewhere on the path: the handshake packets are small, but once the connection gets going the TLS records (server certificate chain and so on) fill segments up to the full MSS, and it is those full-size packets that get dropped.
Things to try:
tracert -d x.x.x.x
See what network devices you pass through and check the MTU on those. (if you can)
On the client:
ping -l 1490 -f 8.8.8.8
Reduce 1490 by 20 until you find a working value where the pings respond.
Remember that the value at which the ping starts working is not the MTU but the ICMP payload size. This confuses a lot of people. MTU 1500 == ICMP payload 1472 (20 bytes for the IPv4 header and 8 bytes for the ICMP header). You can also probe the MTU towards each hop on the path the same way.
Path MTU discovery is not reliable, because it depends on ICMP "Fragmentation Needed" messages that are frequently filtered somewhere on the path. Worth investigating MSS clamping, which can be enabled on your firewall / VPN endpoints: it rewrites the MSS option in the SYN so neither end ever sends a segment bigger than the tunnel can carry.
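The steps above (probe with DF set, shrink the payload until replies come back, convert payload to MTU, then work out the MSS to clamp) as a script. This is an added example, not part of the original post. It assumes the Windows ping flags used above (-f for Don't Fragment, -l for payload size) and the Linux equivalents (-M do, -s); macOS uses different flags and is not handled. 8.8.8.8 is the target from the post; simulated_path is a constructed stand-in for a real path so the search logic can be exercised offline.

```python
"""Binary-search the path MTU with Don't-Fragment pings, then derive the TCP MSS to clamp.

Added example for the troubleshooting steps above; not the post's own code.
"""
import platform
import subprocess
import sys
from typing import Callable

IPV4_HEADER = 20   # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header
TCP_HEADER = 20    # TCP header without options


def payload_to_mtu(icmp_payload: int) -> int:
    """ping -l <n> sets the ICMP payload; the wire MTU is that plus IP and ICMP headers."""
    return icmp_payload + IPV4_HEADER + ICMP_HEADER


def mtu_to_mss(mtu: int) -> int:
    """The TCP MSS that fits a given MTU (MTU 1500 -> MSS 1460)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def ping_df(host: str, icmp_payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request of `icmp_payload` bytes with DF set; True if a reply arrived.

    Assumes Windows ping (-f -l) or Linux iputils ping (-M do -s).
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f",
               "-l", str(icmp_payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(icmp_payload), host]
    try:
        return subprocess.run(cmd, capture_output=True,
                              timeout=timeout_s + 3).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def find_path_mtu(host: str,
                  probe: Callable[[str, int], bool] = ping_df,
                  low_mtu: int = 576, high_mtu: int = 1500) -> int:
    """Largest MTU between low_mtu and high_mtu whose DF ping gets a reply.

    Binary search instead of stepping down by 20, so a 1500-byte range takes
    about ten probes. Invariant: `lo` payload passes, `hi` payload fails.
    """
    lo = low_mtu - IPV4_HEADER - ICMP_HEADER
    hi = high_mtu - IPV4_HEADER - ICMP_HEADER
    if not probe(host, lo):
        raise RuntimeError("even a %d-byte MTU fails; this is not an MTU problem" % low_mtu)
    if probe(host, hi):
        return payload_to_mtu(hi)          # full size works, nothing to fix
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid
    return payload_to_mtu(lo)


def simulated_path(path_mtu: int) -> Callable[[str, int], bool]:
    """Constructed stand-in for a path that drops DF packets above `path_mtu` (for offline runs)."""
    return lambda host, icmp_payload: payload_to_mtu(icmp_payload) <= path_mtu


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    mtu = find_path_mtu(target)
    print("path MTU to %s: %d (ICMP payload %d)" % (target, mtu, mtu - IPV4_HEADER - ICMP_HEADER))
    print("set interface MTU to %d, or clamp TCP MSS to %d" % (mtu, mtu_to_mss(mtu)))
```

Run it as `python probe_mtu.py 8.8.8.8` from the affected client. The MSS it prints is the value to clamp on the firewall or VPN endpoint if you would rather not touch the client MTU; note that a real IPsec tunnel also needs room for its own headers, which is why the MSS used on tunnel endpoints is lower again than MTU minus 40.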
CMD to check the MTU in windows
netsh int ipv4 show subinterface
CMD to set MTU in windows
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1458 store=persistent
The Cisco ASA clamps TCP MSS to 1380 by default (sysopt connection tcpmss 1380) to leave room for IPsec tunnel overhead; its interface MTU stays at 1500.
On Palo Alto firewalls MSS adjustment is not on by default and has to be configured on the Layer 3 interface (Adjust TCP MSS).
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html#anc14