Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

whiteford
Level 1

Hi, I have a Cisco 877 router in VPN mode to a Cisco 3015. The VPN is up and my first laptop is working fine over it. I have added a second and that seems fine; the 3rd however takes forever to log on and when it does it can ping everything (IP, DNS) over the VPN, but can't open Emails or Citrix even though it can ping them. I have tried 3 more PCs and they are the same.

I had this error on the console; is it related? And what debug commands can I run to see if the VPN is doing something?

Oct 11 14:06:49.748: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Router-877>
Oct 11 14:52:36.618: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.666: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3775764964 1500 bytes is out-of-order; expected seq:3775744524. Reason: TCP reassembly queue overflow - session 172.19.15.14:2182 to 192.168.21.20:80
Router-877>
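As an added example (not code from the thread or from Cisco), here is a small parser for the two syslog message types quoted above that turns them into troubleshooting findings. The link MTU of 1492 (the usual PPPoE value) is an assumption and the log text is a constructed sample; tunnel encapsulation overhead would lower the usable MTU further.

```python
import re
from collections import Counter

# Constructed sample built from the two IOS syslog message types quoted in the
# thread; it is not a live capture.
SAMPLE_LOG = """\
Oct 11 14:06:49.748: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.618: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.666: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3775764964 1500 bytes is out-of-order; expected seq:3775744524. Reason: TCP reassembly queue overflow - session 172.19.15.14:2182 to 192.168.21.20:80
"""

VFR_RE = re.compile(r"%IP_VFR-4-FRAG_TABLE_OVERFLOW: (?P<intf>\S+): .*threshold (?P<thr>\d+)")
OOO_RE = re.compile(r"%FW-4-TCP_OoO_SEG: .*?seq:(?P<seq>\d+) (?P<size>\d+) bytes .*?"
                    r"expected seq:(?P<exp>\d+)\..*?session (?P<src>\S+) to (?P<dst>\S+)")

def parse_log(text):
    """Count VFR fragment-table overflows per interface and collect the
    out-of-order TCP drops (ip inspect) with their session endpoints."""
    overflows = Counter()
    drops = []
    for line in text.splitlines():
        m = VFR_RE.search(line)
        if m:
            overflows[m["intf"]] += 1
            continue
        m = OOO_RE.search(line)
        if m:
            drops.append({"src": m["src"], "dst": m["dst"], "size": int(m["size"]),
                          "gap": int(m["seq"]) - int(m["exp"])})
    return overflows, drops

def diagnose(overflows, drops, link_mtu=1492):
    """Turn parsed events into findings. link_mtu is an assumption (1492 is the
    usual PPPoE MTU); VPN encapsulation overhead lowers the usable MTU further."""
    findings = []
    for intf, n in overflows.items():
        findings.append(f"{intf}: VFR fragment table overflowed {n}x; heavy fragmentation, "
                        "check MTU/MSS before raising max-reassemblies")
    for d in drops:
        if d["size"] > link_mtu:
            # A 20-byte IP header plus a 20-byte TCP header leave MTU-40 for the MSS.
            findings.append(f"{d['src']} -> {d['dst']}: {d['size']}-byte segment cannot fit "
                            f"an MTU of {link_mtu}; clamp MSS to {link_mtu - 40}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(*parse_log(SAMPLE_LOG)):
        print(finding)
```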

18 Replies

lgijssel
Level 9

This appears to me as an MTU-size problem.

The link below describes this situation, and how to resolve it, in more detail:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

regards,

Leo

Could this cause the VPN issue I described?

Not if all PCs were configured identically.

My guess is that some of them have a fixed MTU or the MTU on your VPN is too small.

The latter is something that your ISP should know more about.

It can do no harm to configure tcp-mss on the router as described in the URL.

Leo

Leo, thanks for your help here. I'm not sure it can be the ISP, as my Cisco 837s and 1841 work fine. I don't remember setting this on the others. Interesting thing is though, I do have access lists working with denying stuff; I will post the config when I get home.

I take from the example that I would have to add an ip tcp adjust-mss to the global config?

Fragmentation occurs when a datagram is larger than the link can transport. This can severely affect the performance of a connection.

Considering the log messages you received, I did not initially think it likely that this was acl-related. The fact that two PCs are working may be pointing in this direction though.

After giving it a second thought, my hunch is that you could have two issues at the same time:

1: An incorrectly set MTU that is causing the fragment-messages.

2: A bad acl that is blocking all hosts but two.

Let us know how it develops!

Leo

Hello,

Interestingly enough I can't see that I have set the mtu (ip tcp adjust-mss) on any config. Is this bad? Would this be set on the ATM 0 or Dialer 1, or not?

On one of the pages of your link it says a problem could be having:

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 permit ip any any

Look at my 877 config and at the top of my "ip access-list extended inbound_acl"

I'm very new to this; could this be anything to do with it?

Thanks

This seems like a fairly complicated acl indeed for someone who is new to this. ;-) Just for a test, try the following:

conf t
interface Vlan1
no ip inspect outbound in
interface Dialer1
no ip access-group inbound_acl in
end

Then try again. At least you will know whether the cause is in your acl or not.

Leo

He he, a guy who left did a lot of this.

Without the access lists will this allow everything or the opposite through the tunnel?

Do you think I should add an mtu setting too?

Can't wait to try this, will do it when I get to work.

Update:

I did what you asked:

conf t
interface Vlan1
no ip inspect outbound in
interface Dialer1
no ip access-group inbound_acl in
end

And still get the same issues. Even stranger, I put 3 laptops into the hub that comes off (FE0/0) the Cisco 837; the 2 that worked yesterday still do, if I put a third in then that does work, and that's any laptop or PC.

I notice that one of the 2 that had worked had problems connecting when I put the 3rd one in too; when I took the 3rd one off it was ok.

I tried the 1841 and 837 routers again and they are fine and use almost the same config.

Not sure what debug commands I could run?

Looks like the 3rd laptop can access the internet via the VPN though.

Hi,

It seems that the number of datagrams being reassembled at one time has reached its maximum limit.

1. Try increasing the maximum number of datagrams that can be reassembled at one time with this command:

ip virtual-reassembly max-reassemblies

2. Check also your laptops; maybe one of them is infected with a virus and sending a DDoS.

Regards,

Dandy

What interface do I put that on, Dandy, and it says 1-1024?

I have tried so many different laptops.

Hi,

In the 877 interfaces:

- Interface connecting to LAN of your laptops

- Interface connecting to remote VPN device

Check this link about VFR http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_vfrag.htm

Regards,

Dandy

I'll add it to ATM 0, dialer 1 and VLAN 1.

I'll try ip virtual-reassembly max-reassemblies 64 max-fragments 16 timeout 5

Just tried the 1841, all is good on the same ADSL line and very similar config.

I turned the debug ip virtual-reassembly on; see file attached, hope it helps. I will go through the doc now.

172.19.15.12 is having issues it shows up in the attachment.

This might help:

Router-877#sh ip virtual-reassembly
ATM0:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:0
Total reassembly timeout count:0

Vlan1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:3
Total reassembly timeout count:0

Dialer1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:4
Total reassembly timeout count:0
