Fixing broken Microsoft RDP connections through a Cisco ASA terminating a site-to-site VPN

By default the Cisco ASA clamps the TCP MSS to 1380 bytes. TCP segments larger than the tunnel can carry, arriving over a site-to-site VPN, may not be processed correctly. Microsoft RDP is the most common example, although the same behaviour can also be observed with protocols such as FTP.

The quick fix is to make this change on the ASA:

sysopt connection tcp-mss 1300

This causes the packets to be fragmented so that they pass successfully over the VPN and through the ASA.
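To confirm the clamp is actually taking effect, capture the TCP SYN of an RDP session on either side of the tunnel and read the MSS option it advertises. The following Python is an added example, not code from the original post: it parses the MSS option out of a raw TCP segment and checks it against the clamp value; the SYN segments it inspects are constructed inline rather than captured.

```python
import struct

TCP_HEADER_LEN = 20

def tcp_mss(segment: bytes):
    """Return the MSS advertised in a TCP segment's options, or None if absent."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (segment[12] >> 4) * 4            # header length incl. options
    if data_offset < TCP_HEADER_LEN or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    opts = segment[TCP_HEADER_LEN:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # End of option list
            break
        if kind == 1:                                # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                    # malformed option, stop
        if kind == 2 and length == 4:                # MSS option
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def mss_ok(segment: bytes, limit: int = 1300) -> bool:
    """True if the SYN advertises an MSS at or below the clamp value."""
    mss = tcp_mss(segment)
    return mss is not None and mss <= limit

def build_syn(src_port: int, dst_port: int, mss: int, padding: bytes = b"") -> bytes:
    """Constructed TCP SYN carrying an MSS option (sample input, not a real capture)."""
    opts = padding + struct.pack("!BBH", 2, 4, mss)
    while len(opts) % 4:
        opts += b"\x00"                              # pad options to a 32-bit boundary
    data_offset = (TCP_HEADER_LEN + len(opts)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    return header + opts

if __name__ == "__main__":
    for mss in (1460, 1300):                         # typical LAN MSS vs. the clamped value
        syn = build_syn(50000, 3389, mss)            # 3389: RDP
        print(mss, tcp_mss(syn), mss_ok(syn))
```

Feed `tcp_mss` the TCP layer of a captured SYN (for example one written by tcpdump) to see whether the client's advertised MSS has been rewritten to 1300 on the far side of the tunnel.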
