Application Issue with Site-2-Site VPN

Unanswered Question
Oct 31st, 2008

Hello folks -


I built a site-2-site VPN between two Cisco routers, namely R1 and R2. R1 is a 3845 and so is R2. R1 is directly connected to a DSL modem, and R2 is sitting behind a firewall. I have opened ports UDP 4500, ESP and port 500 on the firewall to let the VPN traffic through.


When interesting traffic is sent across the tunnel, the tunnel comes up and pings from either end work fine. However, none of the applications (Outlook, SAP etc.) connect to the servers. The servers are also in a subnet behind the firewall (same firewall as R2).


After doing some reading, everything points towards an MTU issue. However, I am not sure where to change the MTU. On the workstations or the routers?


If you guys can think of other troubleshooting steps, that would be great.


Thanks for the help.

pkaretnikov Fri, 10/31/2008 - 09:07

The MTU would need to be set on the tunnel or the packets will need to be fragmented.


To verify that it is truly a problem send pings that are larger than the standard.


From the router you can do this with "ping"

R1#ping

Protocol [ip]:

Target IP address: 1.1.1.1

Repeat count [5]:

Datagram size [100]: 1500

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R1#


Try various sizes to verify what size packets are being allowed.

ksarin123_2 Fri, 10/31/2008 - 09:25

When I issue the command below, I get successful pings.


ping 192.168.254.40 size 1500 source 192.168.80.1

ping 192.168.254.40 size 2000 source 192.168.80.1


So it does not look like it's an MTU issue. Anything else you can think of?
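The exchange above is about whether the effective MTU inside the IPsec tunnel is the problem. As an added worked example (not code from either poster), the following script computes the ESP tunnel-mode overhead for the transform sets commonly used on IOS routers of that era and derives the largest inner IP packet that still fits in a 1500-byte path, with and without the UDP 4500 NAT-T encapsulation mentioned in the question. The header sizes are the standard RFC 4303 ones (20-byte outer IPv4 header, 8-byte ESP header, cipher-block-sized IV and padding, 2-byte trailer, 12-byte truncated HMAC ICV); the transform names and the 1500-byte path MTU are assumptions for the example.

```python
"""Worked ESP tunnel-mode overhead calculation (added example, not from the thread)."""

# Cipher block size and IV length in bytes for common IOS transform sets (assumed set)
CIPHERS = {
    "3des": {"block": 8, "iv": 8},
    "aes":  {"block": 16, "iv": 16},
}
# Truncated HMAC ICV length in bytes (HMAC-MD5-96 / HMAC-SHA1-96)
HMACS = {"md5": 12, "sha1": 12}

OUTER_IP = 20      # outer IPv4 header added by tunnel mode
UDP_NAT_T = 8      # UDP 4500 header when NAT traversal is active
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def encapsulated_size(inner_len, cipher="aes", hmac="sha1", nat_t=False):
    """Size on the wire of an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    c = CIPHERS[cipher]
    body = inner_len + ESP_TRAILER
    # The encrypted body (inner packet + padding + trailer) is padded up to the cipher block size
    padded = -(-body // c["block"]) * c["block"]
    total = OUTER_IP + ESP_HDR + c["iv"] + padded + HMACS[hmac]
    if nat_t:
        total += UDP_NAT_T
    return total


def max_inner_packet(path_mtu=1500, cipher="aes", hmac="sha1", nat_t=False):
    """Largest inner IP packet that the router can send without fragmenting the ESP packet."""
    size = path_mtu
    while encapsulated_size(size, cipher, hmac, nat_t) > path_mtu:
        size -= 1
    return size


def recommended_tcp_mss(inner_mtu):
    """TCP MSS to clamp to so a full segment fits: inner MTU minus 20-byte IP and 20-byte TCP headers."""
    return inner_mtu - 40


if __name__ == "__main__":
    for cipher in CIPHERS:
        for nat_t in (False, True):
            mtu = max_inner_packet(cipher=cipher, nat_t=nat_t)
            print(f"{cipher}/sha1 nat_t={nat_t}: inner MTU {mtu}, TCP MSS {recommended_tcp_mss(mtu)}")
```

Note that a plain `ping ... size 2000` succeeding only shows that fragmentation is permitted along the path; the inner MTU computed here is what matters for application packets whose DF bit is set, which is what the IOS `df-bit` keyword on `ping` tests. On the router the number feeds `ip mtu` (or `ip tcp adjust-mss`) on the tunnel or LAN interface, not the workstations.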


Istvan_Rabai Sun, 11/02/2008 - 21:47

Hi Kunal,


What comes to my mind is that Outlook and SAP applications are located in subnets that may not be included in the definition of the interesting traffic for the site-to-site VPN.


Please check this.


You know, the ACL defining the interesting traffic should include the source and destination subnets of all desired traffic.

On the other side of the tunnel, the ACL should be symmetrical to the ACL on this side.


Thanks:

Istvan
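Istvan's point is that every source/destination pair in one router's crypto ACL must appear reversed in the peer's crypto ACL, otherwise one direction of the flow is never treated as interesting traffic. As an added example (not code from the thread or from Cisco), the following script parses two IOS-style numbered ACLs and lists the entries on the local side that have no mirror on the remote side. The sample ACLs are constructed: the 192.168.80.0/24 and 192.168.254.0/24 subnets are taken from the ping source and target used earlier in the thread (the /24 is an assumption), and 10.10.0.0/16 is an invented second server subnet included only to show a missing mirror.

```python
"""Check that two site-to-site crypto ACLs mirror each other (added example, not from the thread)."""
import ipaddress


def parse_endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks; assumes a contiguous wildcard
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return the set of (source, destination) network pairs permitted by a numbered extended ACL."""
    pairs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[2] != "permit" or parts[3] != "ip":
            continue  # only 'permit ip' entries define interesting traffic here
        src, rest = parse_endpoint(parts[4:])
        dst, _ = parse_endpoint(rest)
        pairs.add((src, dst))
    return pairs


def missing_mirrors(local_acl, remote_acl):
    """Local (src, dst) pairs for which the remote ACL has no matching (dst, src) entry."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    return sorted(((s, d) for s, d in local if (d, s) not in remote), key=str)


# Constructed sample ACLs for the example; the 10.10.0.0/16 subnet is invented
R1_ACL = """
access-list 110 permit ip 192.168.80.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 110 permit ip 192.168.80.0 0.0.0.255 10.10.0.0 0.0.255.255
"""
R2_ACL = """
access-list 110 permit ip 192.168.254.0 0.0.0.255 192.168.80.0 0.0.0.255
"""

if __name__ == "__main__":
    for src, dst in missing_mirrors(R1_ACL, R2_ACL):
        print(f"R1 permits {src} -> {dst} but R2 has no {dst} -> {src} entry")
    for src, dst in missing_mirrors(R2_ACL, R1_ACL):
        print(f"R2 permits {src} -> {dst} but R1 has no {dst} -> {src} entry")
```

Running it reports the R1 entry for 10.10.0.0/16 as unmatched on R2. In the original question ping already works to the server subnet, so a one-sided ACL would more likely show up as a second application subnet that was never added, which is exactly the asymmetry this check surfaces.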

ksarin123_2 Mon, 11/03/2008 - 06:47

Hi Istvan -


The subnets for Exchange and SAP servers are defined in the crypto ACL. I can ping the Exchange and SAP servers over the VPN tunnel, however the applications can't connect to them. Since I can ping the servers, I know it's not a routing or a NAT issue. It doesn't appear to be an MTU issue either.


Not sure what else could it be. Any other ideas?

Istvan_Rabai Mon, 11/03/2008 - 11:12

Hi Kunal,


In this case I would do a packet capture on the application side and on the server side as well.


This would help figure out where the packets (either requests or replies) are throttled so the applications do not receive any response.


Then you would be able to narrow the selections to a few items for further investigation.


Cheers:

Istvan


j.bourque Tue, 11/04/2008 - 14:10

Just an idea, but are the applications trying to connect using IP or DNS?
