On 13.06.2012 02:05, David Woodhouse wrote:
> On Fri, 2012-06-08 at 23:29 +0100, David Woodhouse wrote:
>> Does the Cisco client get it "right" in this situation? How? After
>> running 'ip route flush cache' can you capture the traffic (host $SERVER
>> or icmp or icmp6) and see precisely what it's doing?
>>
>> I'm imagining some trick with sending a 1500-byte UDP packet to the
>> server before making the TCP connection... but that's horrid.
>
> Any progress on this? I'm almost ready to do a v4.00 release of
> OpenConnect with fully functional GnuTLS support (including PKCS#11 and
> TPM). I might disable the automatic setting of base-mtu from TCP_INFO
> data, since it's not working, and just leave you with the command line
> option for it until we work out a better way to detect it.

Looking at it at the moment. At first glance the MTU detected by the new scheme always worked for me, both with IPv4 and IPv6 transport, both within a 1500 byte network and behind an MTU 1492 ADSL line.

So, even if openconnect erroneously always sends X-CSTP-Base-MTU 1500, the connection works way better than before. Probably because it allows the ASA to calculate it on its own.

We can give you a test account on our ASA if you'd like to test it, too.

Best Regards,
Bernhard