During encryption, additional overhead is added to each packet by the new headers and features. This means that the actual size of the unencrypted TCP segment or UDP datagram that carries the application data is reduced, because the MTU of the adapter stays the same. For example, with Ethernet and an MTU of 1500 bytes, the unencrypted TCP segment cannot be larger than 1460 bytes. With encryption, for the same Ethernet MTU of 1500, the unencrypted TCP segment cannot be larger than about 1380 bytes (the exact value varies); the 80-byte difference is consumed by the encryption overhead. The unencrypted TCP segment can of course be made larger, but that produces a packet of more than 1500 bytes, which forces the network devices to fragment it; fragmentation is bad and should be avoided.

The AnyConnect client builds a Virtual Adapter (VA) during installation on the client machine. This VA receives unencrypted traffic and emulates Ethernet, forwarding the traffic after encryption. The actual traffic then goes over the physical adapter. Therefore, we need to know the MTU value of the VA and the maximum allowed size of unencrypted traffic, so that fragmentation can be avoided. Later, the applications need to make sure they don't create segments and datagrams larger than that, or else they will be fragmented.

The AnyConnect VA gets its MTU value from the SSL server (ASA or IOS). On the ASA it is configured under the group policy:

group-policy custom_group_policy attributes

Now the actual MTU used by the VA is the smaller of the physical NIC MTU and the configured VA MTU. This avoids the scenario where the VA has an MTU configured larger than the physical NIC, which would trigger fragmentation.

Next we need to find the maximum size of the unencrypted payload. Two values are calculated, one for the TLS tunnel and one for the DTLS tunnel. This can be viewed on the ASA using the command debug webvpn anyconnect 1. In the example here the IP header is 20 bytes, the physical NIC MTU is 1300, and the configured MTU value for the AnyConnect VA is 1420. Conclusion: the physical NIC MTU (1300) is used for the VA.

Since TLS is TCP based, the TLS payload size is MTU - 40, where the 40 bytes are the 20-byte IP header plus the 20-byte TCP header. Subtracting the remaining headers (5-byte SSL header, 1-byte padding, 8-byte Cisco SSL Tunneling Protocol (CSTP) header, 20-byte MAC) gives the size of the unencrypted payload. This value is communicated back from the ASA to the AnyConnect client so that applications don't exceed it; otherwise fragmentation is triggered. Note: ANDing the MSS value with 0xfff0 clears its low four bits, which rounds it down to a multiple of 16; it does not make it a power of 2.

For DTLS, subtracting the headers (20-byte IP header, 8-byte UDP header, 13-byte DTLS header, 8 or 16 bytes for encryption, 1-byte Cisco DTLS Tunneling Protocol header, 20-byte MAC, 1-byte pad) from the MTU gives the size of the unencrypted payload. This value too is communicated back from the ASA to the AnyConnect client so that applications don't exceed it; otherwise fragmentation is triggered.

A Message Authentication Code (MAC) is a one-way hash computed from a message and some secret data. It is difficult to forge without knowing the secret data.
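The MTU budget above, carried through as a worked calculation. This is an added example and not code from the original page or from Cisco; it uses the header sizes listed on the page (physical NIC MTU 1300, configured VA MTU 1420). Applying the 0xfff0 mask to the computed unencrypted-payload sizes is an assumption about how the ASA derives the MSS; the page only says that the MSS is ANDed with 0xfff0. The will_fragment() helper is likewise added here to show how a packet is checked against the budget.

```python
"""Worked MTU budget for an AnyConnect TLS and DTLS tunnel.

Added example, not the page's or Cisco's code.  Header sizes are the ones the
page lists.  Applying the 0xfff0 mask to the payload figures is an assumption
about which value the ASA masks when it derives the MSS.
"""

OUTER_IP = 20    # bytes, outer IPv4 header
OUTER_TCP = 20   # bytes, outer TCP header (TLS tunnel)
OUTER_UDP = 8    # bytes, outer UDP header (DTLS tunnel)

# Per-packet overhead the page lists for the TLS (CSTP over TCP) tunnel,
# on top of the outer IP + TCP headers.
TLS_OVERHEAD = {
    "ssl_header": 5,
    "padding": 1,
    "cstp_header": 8,
    "mac": 20,
}


def dtls_overhead(enc_bytes=16):
    """Per-packet overhead the page lists for the DTLS tunnel.

    The encryption overhead is 8 or 16 bytes depending on the cipher's
    block size; the page gives both values.
    """
    if enc_bytes not in (8, 16):
        raise ValueError("encryption overhead must be 8 or 16 bytes")
    return {
        "ip_header": OUTER_IP,
        "udp_header": OUTER_UDP,
        "dtls_header": 13,
        "encryption": enc_bytes,
        "cdtp_header": 1,   # Cisco DTLS Tunneling Protocol header
        "mac": 20,
        "pad": 1,
    }


def plain_tcp_payload(mtu):
    """No VPN: the TCP segment is the link MTU minus IP + TCP headers (1460 on Ethernet)."""
    return mtu - OUTER_IP - OUTER_TCP


def va_mtu(physical_nic_mtu, configured_mtu):
    """The VA uses the smaller of the physical NIC MTU and the configured value,
    so the tunnel never emits a frame the NIC underneath would have to fragment."""
    return min(physical_nic_mtu, configured_mtu)


def tls_unencrypted_payload(mtu):
    """TLS rides on TCP: strip outer IP + TCP (40 bytes), then the SSL/CSTP overhead."""
    tls_payload = mtu - OUTER_IP - OUTER_TCP
    return tls_payload - sum(TLS_OVERHEAD.values())


def dtls_unencrypted_payload(mtu, enc_bytes=16):
    """DTLS rides on UDP: strip every header the page lists from the MTU."""
    return mtu - sum(dtls_overhead(enc_bytes).values())


def align_mss(value):
    """value & 0xfff0 clears the low four bits: round down to a multiple of 16.
    This is not a power-of-two adjustment."""
    return value & 0xFFF0


def tunnel_budget(physical_nic_mtu, configured_mtu, enc_bytes=16):
    """Everything the ASA would work out for one client, in one place."""
    mtu = va_mtu(physical_nic_mtu, configured_mtu)
    tls = tls_unencrypted_payload(mtu)
    dtls = dtls_unencrypted_payload(mtu, enc_bytes)
    return {
        "va_mtu": mtu,
        "tls_unencrypted": tls,
        "dtls_unencrypted": dtls,
        "tls_mss_aligned": align_mss(tls),     # assumption: mask applied here
        "dtls_mss_aligned": align_mss(dtls),   # assumption: mask applied here
    }


def will_fragment(inner_packet_size, physical_nic_mtu, configured_mtu,
                  tunnel="tls", enc_bytes=16):
    """True if an inner (unencrypted) packet of this size does not fit in one
    outer frame on the chosen tunnel and would therefore be fragmented."""
    budget = tunnel_budget(physical_nic_mtu, configured_mtu, enc_bytes)
    limit = budget["tls_unencrypted"] if tunnel == "tls" else budget["dtls_unencrypted"]
    return inner_packet_size > limit


if __name__ == "__main__":
    print("plain Ethernet TCP payload:", plain_tcp_payload(1500))
    for key, val in tunnel_budget(1300, 1420).items():
        print(f"{key:18} {val}")
    # The configured 1420 would look fine from the VA's side, but the 1300-byte
    # NIC underneath would fragment every full-size frame; min() prevents that.
    print("1300-byte inner packet over TLS fragments:", will_fragment(1300, 1300, 1420))
```

With the page's numbers the VA MTU is 1300, the TLS unencrypted payload is 1300 - 40 - 34 = 1226, and the DTLS unencrypted payload is 1300 - 79 = 1221 with a 16-byte cipher block (1229 with 8). All three land on 1216 once the low four bits are cleared, which is why the mask matters: the MSS the client ends up with is smaller than the raw payload figure, and an application that sizes its segments from the raw figure still gets fragmented.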