Friday, January 3, 2020

MTU issues over IPSEC tunnel between ASA and Meraki MX

Happy New Year everyone, hope you are well.

In my last thread, I was able to get some helpful advice from a fellow Redditor to adjust MTU settings on a client MX WAN port to 1452: https://www.reddit.com/r/networking/comments/ehr04l/potential_mtu_issue_between_meraki_mx_and_asa5515/

This did clear up the warnings about fragmentation issues between the MX and the SDWAN Bonder, but the root issue still persists:

Issue: HTTPS and random other TCP traffic sporadically becomes unusable between these sites connected by an IPSEC tunnel. The issue is temporarily resolved after bouncing the IPSEC VPN, but comes back after a number of hours.

For everyone's convenience, this is the flow of traffic: Client MX > SDWAN Bonded Internet > IPSEC TUNNEL > digitalsquirrel's ASA5515

Current observations:

  • SDWAN Bonder MTU for all WAN and LAN interfaces - 1500
  • SDWAN Bonder Tunnel MTU - 1452
  • Meraki MX WAN port MTU - 1452
  • MTU from client to server across the SDWAN tunnel and IPSEC VPN - 1362
  • MTU from client to local switch or MX - 1472
  • MTU from server to client - 1350
    • Server to client starts at 1362 MTU but then drops to 1350 after the first test. Same from the server to multiple other clients across the same SDWAN and IPSEC tunnel.

Misc Other Notes:

  • ASA5515 is in production for other clients with multiple VPN tunnels to the outside interface, so I cannot make widespread changes.
  • We have another similar client with an MX > SDWAN Bonded Internet > Meraki Dynamic VPN > digitalsquirrel's MX that doesn't experience any of the same issues.
