Problem:

In the ASA syslog you see the AnyConnect warning message

%ASA-6-722036: Group <ac_users_group> User <vpn> IP <> Transmitting large packet 1418 (threshold 1347)

Solution:

!
sysopt conn tcpmss 1460
!
group-policy DfltGrpPolicy attributes
webvpn
anyconnect mtu 1300
anyconnect ssl df-bit-ignore enable
!

In order to eliminate this visible transition from DTLS to TLS, the administrator can configure a separate tunnel group for TLS-only access for users that have trouble establishing the DTLS tunnel (for example, because of firewall restrictions).

  1. The best option is to set the AnyConnect MTU value to be lower than the TLS MTU, which is then negotiated.

group-policy ac_users_group attributes
webvpn
anyconnect mtu 1300

This makes TLS and DTLS MTU values equal. Reconnections are not seen in this case.

  2. The second option is to allow fragmentation.

group-policy ac_users_group attributes
webvpn
anyconnect ssl df-bit-ignore enable

With fragmentation, large packets (whose size exceeds the MTU value) can be fragmented and sent through the TLS tunnel.

  3. The third option is to set the Maximum Segment Size (MSS) to 1460 as follows:

sysopt conn tcpmss 1460

In this case, the TLS MTU will be 1427 (RC4/SHA1), which is larger than the DTLS MTU of 1418 (AES/SHA1/LZS). This should resolve the issue for TCP traffic from the ASA to the AnyConnect client (thanks to the MSS), but large UDP traffic from the ASA to the AnyConnect client might still suffer, as it will be dropped by the AnyConnect client because of the lower AnyConnect client MTU of 1418. If sysopt conn tcpmss is modified, it might affect other features such as LAN-to-LAN (L2L) IPsec VPN tunnels.
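Before applying one of the options above it helps to know which group policies are actually producing the warning. The script below is an added example (not part of the original note, nor a Cisco tool) that parses %ASA-6-722036 lines from a syslog export, summarizes them per group, and prints the option 1 group-policy snippet; the log lines are constructed samples and the default MTU of 1300 is the value used above.

```python
import re

# Matches the %ASA-6-722036 line quoted above; the IP field may be empty ("<>") as in the page's sample.
LARGE_PACKET_RE = re.compile(
    r"%ASA-6-722036: Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
    r"Transmitting large packet (?P<size>\d+) \(threshold (?P<threshold>\d+)\)"
)

# Constructed sample syslog export (not a real capture); hosts, users and the second group are made up.
SAMPLE_LOG = """\
Jan 10 10:00:01 asa1 %ASA-6-722036: Group <ac_users_group> User <vpn> IP <> Transmitting large packet 1418 (threshold 1347)
Jan 10 10:00:02 asa1 %ASA-6-722036: Group <ac_users_group> User <alice> IP <198.51.100.7> Transmitting large packet 1400 (threshold 1347)
Jan 10 10:00:03 asa1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)
Jan 10 10:00:04 asa1 %ASA-6-722036: Group <contractors> User <bob> IP <203.0.113.9> Transmitting large packet 1390 (threshold 1300)
"""


def parse_large_packet_events(log_text):
    """Return one dict per 722036 line with group, user, ip, and integer size/threshold."""
    events = []
    for line in log_text.splitlines():
        m = LARGE_PACKET_RE.search(line)
        if m:
            event = m.groupdict()
            event["size"] = int(event["size"])
            event["threshold"] = int(event["threshold"])
            events.append(event)
    return events


def summarize_by_group(events):
    """Per group policy: warning count, largest packet seen, and lowest threshold seen."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["group"], {"count": 0, "max_size": 0, "min_threshold": None})
        s["count"] += 1
        s["max_size"] = max(s["max_size"], e["size"])
        s["min_threshold"] = (e["threshold"] if s["min_threshold"] is None
                              else min(s["min_threshold"], e["threshold"]))
    return summary


def render_group_policy_fix(summary, mtu=1300):
    """Emit option 1 from the note (anyconnect mtu) for every group that logged the warning."""
    lines = []
    for group in sorted(summary):
        lines += [f"group-policy {group} attributes", "webvpn", f"anyconnect mtu {mtu}", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    groups = summarize_by_group(parse_large_packet_events(SAMPLE_LOG))
    for name, s in groups.items():
        print(f"{name}: {s['count']} warnings, max packet {s['max_size']}, threshold {s['min_threshold']}")
    print(render_group_policy_fix(groups))
```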

Reference:

https://community.cisco.com/t5/vpn/anyconnect-issue/td-p/2708533