Replacing pix515 with ASA5510 results into MTU problems.

Posted by Sebas on May 10, 2006, 9:28 am
Hi all,

We've replaced our old PIX 515 firewall with a newly bought ASA 5510.

Now some of our customers complain because they cannot log in on our
website.
We use the Verisign Certificates plugin to authenticate users on our
website.

Everything else is working except the login procedure.

Now a helpdesk employee of some internet provider told a customer to
lower the MTU; it seemed that using some kind of application (for
example our Verisign plugin) resulted in failing connections.

The customer lowered the MTU and indeed, the problem disappeared.

Now, as far as I know, I have exactly the same configuration on our ASA
as we had on our PIX.

I even allowed all ICMP on inside and outside interfaces to allow "ICMP
can't fragment (type 3, code 4)" and Path MTU Discovery.

Still, when users do not lower their MTU, they cannot log in.

Can anybody help me with what config I should check or what debugging I
should monitor?

Thanks in advance!

Sebastian


Posted by Thorsten Dahm on May 10, 2006, 9:44 am
Sebas wrote:
> Can anybody help me what config I should check or what debugging I
> should monitor?

Perhaps this helps:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Regards,
Thorsten

--
Teamwork is essential -- it allows you to blame someone else.

Posted by Sebas on May 15, 2006, 3:46 am
Hi!

That seemed to be the workaround!
Now find out why the MSS negotiation fails...

Thanks!

