Monday, December 30, 2019

Potential MTU issue between Meraki MX and ASA5515

We have a client with a Meraki MX utilizing SDWAN (bonding two internet circuits) connecting to our ASA5515 via an IPsec tunnel.

After deploying SDWAN at the client site, we have started to see sporadic issues with HTTPS and other TCP traffic across the tunnel. PCAPs show a successful TCP handshake, and so far the only issues I can see are the occasional TCP retransmission and, rarely, MTU fragmentation. These issues are only remedied temporarily by bouncing the VPN from the Meraki side. When running tcpdump on the SDWAN bonder at the client site, I am seeing sporadic MTU errors:

14:29:26.018413 IP SDWANBONDER > CLIENTMX: ICMP (ASA5515) unreachable - need to frag (mtu 1452), length 556

I've done some pings across the tunnel from a client device to a server hosted behind the ASA5515 and found that the MTU of the next hop is 1374. After finding this MTU, I configured the MTU of the SDWAN bonder interfaces to 1346 but started noticing other progressive network issues, so I have since reverted those changes.

Does anyone have any suggestions for how I can approach this problem? I have not experienced it when doing MX to MX VPN with SDWAN, only MX to ASA so far.
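The troubleshooting above boils down to reading the MTU values advertised in ICMP "need to frag" messages and deciding what packet size (or TCP MSS) actually fits the path. As an added illustration, not code from the post or from Meraki or Cisco, here is a small parser for tcpdump output of the kind quoted above. The capture lines are constructed for the example (the first is modelled on the one in the post, the second and third are made up), and the MSS calculation assumes IPv4 and TCP headers with no options (20 + 20 bytes); ESP or other tunnel overhead is not modelled.

```python
import re
from typing import Optional

# Constructed sample capture in tcpdump's format. The first line mirrors the one
# quoted in the post; the second (mtu 1374, the value found by ping) and the
# third (an ordinary TCP segment that must be ignored) are made up.
SAMPLE_CAPTURE = """\
14:29:26.018413 IP SDWANBONDER > CLIENTMX: ICMP (ASA5515) unreachable - need to frag (mtu 1452), length 556
14:29:31.204771 IP 10.0.0.1 > 10.0.0.2: ICMP 10.0.0.1 unreachable - need to frag (mtu 1374), length 556
14:29:40.000001 IP 10.0.0.2.443 > 10.0.0.9.51000: Flags [P.], seq 1:100, ack 1, win 500, length 99
"""

# Matches the ICMP "fragmentation needed" line tcpdump prints and captures the MTU.
NEED_FRAG_RE = re.compile(r"ICMP .*?unreachable - need to frag \(mtu (\d+)\)")

# Assumed header sizes: IPv4 and TCP without options.
IPV4_HEADER = 20
TCP_HEADER = 20


def advertised_mtus(capture: str) -> list[int]:
    """Every MTU value advertised in ICMP 'need to frag' messages, in capture order."""
    return [int(m.group(1)) for m in NEED_FRAG_RE.finditer(capture)]


def path_mtu(capture: str) -> Optional[int]:
    """Smallest advertised MTU, i.e. the tightest hop seen, or None if none was reported."""
    mtus = advertised_mtus(capture)
    return min(mtus) if mtus else None


def tcp_mss_for(mtu: int) -> int:
    """Largest TCP payload per packet that fits the given MTU (IPv4, no options)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def fits_path(interface_mtu: int, capture: str) -> bool:
    """True if frames up to interface_mtu would not trip the need-to-frag messages seen."""
    pmtu = path_mtu(capture)
    return pmtu is None or interface_mtu <= pmtu


if __name__ == "__main__":
    pmtu = path_mtu(SAMPLE_CAPTURE)
    print("advertised MTUs:", advertised_mtus(SAMPLE_CAPTURE))
    print("path MTU:", pmtu)
    print("TCP MSS that fits:", tcp_mss_for(pmtu))
    print("1346 fits path:", fits_path(1346, SAMPLE_CAPTURE))
```

Run against a real `tcpdump -n` capture, `path_mtu` gives the value to compare an interface MTU or MSS clamp against; if need-to-frag messages keep appearing even though `fits_path` returns True for the configured MTU, the messages are being generated for traffic that is not honouring the DF bit, or the reported MTU is changing over time, which is worth checking before changing interface MTUs again.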
