Remote access VPN not working with Cisco router and iPhone

Recently I had a situation where customer asked me to configure remote access VPN on his old Cisco 871. Configuration was quite simple but I had problem with connecting iPhone to his network.

The solution is quite simple: apparently Apple doesn’t like 3des so I had to configure transformset like this:

crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac

MTU traceroute and value check

check your MTU settings with

user@computer:~$ tracepath -n
1: 0.099ms pmtu 1500
1: 0.425ms
1: 0.405ms
2: 1.345ms
3: 4.111ms
4: 4.327ms
5: 192.967ms
6: 6.561ms asymm 7
7: 4.719ms asymm 10
8: 6.181ms asymm 9
9: 5.390ms asymm 10
10: 4.403ms reached
Resume: pmtu 1500 hops 10 back 54

BGP session flapping

my customer is peering with 2 ISP’s and has configuration with 2 BGP routers mutually connected with iBGP.
routers are reciving full tables from ISP’s and has 4 byte AS (XXXXXX).

recently we noticed that BGP session between customer and ISP2 is constantly flapping each 3 minutes. logs didn’t show anything useful

%BGP-4-MSGDUMP: unsupported or mal-formatted message received from X.X.X.X

I searched cisco forums and tried to isolate problem by inserting hidden command “neighbor X.X.X.X dont-capability-negotiate”.

%BGP-3-NOTIFICATION: received from neighbor X.X.X.X active 2/2 (peer in wrong AS) 2 bytes 5BA0

by reading this article I assumed that ISP is announcing itself with wrong AS.

problem was finally solved by entering command in global configuration mode (and removing dont-capability-negotiate)

ip tcp mss 1440

To learn something more about TCP MSS go here.