site2site vpn

Answered Question
Jul 10th, 2007

dear all,

I configured a site-to-site VPN on a Cisco 1811. I can ping the remote network and access its resources.

site A =1811

site B = netscreen


I am facing a problem when I access any website at the remote site.

I can log in to the website and browse it, but when I submit any form on the remote web server I get a timeout after 2-4 minutes.

Before establishing VPN it was working fine.

Then I disabled the VPN and it is working.

Does anyone know about this problem?

Correct Answer by Richard Burts about 9 years 9 months ago

Richard Burts Tue, 07/10/2007 - 08:32

Ammad


The issue sounds like it might be an issue with MTU. Without VPN the traffic is transmitted ok. But when you add VPN you add extra headers to the IP packet and it may make the packet too large and require fragmentation. But if the IP packet has the Do Not Fragment bit turned on (as many do) then the router cannot fragment and must discard the packet.


When I configure VPN I frequently configure ip tcp adjust-mss on the LAN interfaces specifying a value small enough to accommodate the extra header without requiring fragmentation. I frequently specify 1375 but in your situation some other larger value might work. You might experiment and see what value is optimum for you.


HTH


Rick

a.shaukat Wed, 07/11/2007 - 22:43

A few of my site-to-site VPNs, especially those on slow DSL, are responding quite slowly.


So you think I should set ip tcp adjust-mss too? How would one calculate what value to set?


If I'm using a Cisco 877 (that uses VLANs to communicate), can I set this value on the VLAN interface?


Thanks.

Correct Answer
Richard Burts Thu, 07/12/2007 - 09:50

Atif


You could attempt to calculate the amount of extra header which is added by VPN. But this will vary depending on the set of options that you choose in VPN. I have found the information to do this calculation difficult to find with precision. I just started experimenting to find a value where things got better and experimented up and down from this value to find the optimum value. For us it works out to be 1375. I suggest that you start with that and try values larger and smaller to find what works best for you.


HTH


Rick
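The VPN header overhead Rick describes in both of his replies can be computed rather than found by trial. The following is an added example of mine, not code from the thread or from Cisco; it models ESP tunnel mode with the standard field sizes noted in the comments (outer IPv4 20, ESP header 8, UDP for NAT-T 8, per-cipher IV and block size, per-integrity ICV), assumes an inner IPv4 + TCP packet with no options, and returns the largest MSS whose encapsulated packet still fits the link MTU.

```python
# Assumed fixed header sizes for ESP tunnel mode (constructed for this example):
# outer IPv4 header, ESP header (SPI + sequence), UDP header for NAT-T,
# and inner IPv4 + TCP headers without options.
OUTER_IP, ESP_HDR, UDP_HDR, INNER_HDRS = 20, 8, 8, 40

# cipher -> (block size, IV length); integrity algorithm -> ICV length, in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
INTEGRITY = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_tunnel_size(inner_len, cipher="aes-cbc", integrity="hmac-sha1-96", nat_t=False):
    """Bytes on the wire for one ESP tunnel-mode packet carrying an inner packet of inner_len bytes."""
    block, iv_len = CIPHERS[cipher]
    icv_len = INTEGRITY[integrity]
    # ESP pads so that inner packet + padding + 2-byte trailer (pad length, next header)
    # is a multiple of the cipher block size.
    padded = (inner_len + 2 + block - 1) // block * block
    return OUTER_IP + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len


def fits(mss, link_mtu=1500, **opts):
    """True if a full-size segment with this MSS still fits the link MTU after encapsulation."""
    return esp_tunnel_size(INNER_HDRS + mss, **opts) <= link_mtu


def max_mss(link_mtu=1500, **opts):
    """Largest TCP MSS whose encapsulated packet never exceeds link_mtu, so no fragmentation is needed."""
    mss = link_mtu - INNER_HDRS  # start at the unencapsulated limit and work down
    while mss > 0 and not fits(mss, link_mtu, **opts):
        mss -= 1
    return mss


if __name__ == "__main__":
    # The default MSS of 1460 on a 1500-byte link grows to 1560 bytes after AES/SHA1
    # tunnel encapsulation, so a DF-marked packet is dropped instead of fragmented.
    print(esp_tunnel_size(INNER_HDRS + 1460), fits(1460))
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(cipher, "nat-t" if nat_t else "no nat-t", max_mss(cipher=cipher, nat_t=nat_t))
    # PPPoE on a DSL line takes 8 more bytes out of the link MTU
    print("pppoe", max_mss(link_mtu=1492))
```

The results (1398 for AES/SHA1, 1382 with NAT-T or over PPPoE) show why a value like 1375 works across the common option sets; the model does not cover IP options, TCP options or a smaller MTU somewhere along the path, so verify the chosen value with a ping of the matching size with the DF bit set.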

a.shaukat Thu, 07/12/2007 - 22:20

Hi Rick,


Can you give me a few pointers?

I've just got to know about this TCP MSS command.


I'm attaching a running config of one of the routers (877) we use at the branch site.

It has a DSL connection (data circuit only, no internet) of 256Kbps but we are having too many performance issues. The ISP says the router's DSL config is ok and the port might be the problem... that's because they configured the router themselves and I can't seem to trust them :p

Richard Burts Fri, 07/13/2007 - 08:12

Atif


I have looked at the config. I see 1 thing that seems odd to me. They have a static default route and a floating static default route which is usually used to back up the primary route:

ip route 0.0.0.0 0.0.0.0 Async1

ip route 0.0.0.0 0.0.0.0 Dialer1 5

But the static default route is to Async1 which is the back up interface and the floating static uses Dialer1 which is the primary interface.


That seems backwards to me. You might ask them about that. But I am not sure that this would cause the problems that you describe.


HTH


Rick

esspr2006 Tue, 07/10/2007 - 08:57

Do you have a Static NAT on port 80 defined for the Web Server?