Application Issue with Site-2-Site VPN

Unanswered Question
Oct 31st, 2008
User Badges:

Hello folks -

I built a site-2-site VPN between two Cisco routers, namely R1 and R2. R1 is a 3845 and so is R2. R1 is directly connected to a DSL modem, and R2 is sitting behind a firewall. I have opened ports UDP 4500, ESP and port 500 on the firewall to let the VPN traffic through.

When interesting traffic is sent across the tunnel, the tunnel comes up and pings from either end work fine. However, none of the applications (Outlook, SAP etc.) connect to the servers. The servers are also in a subnet behind the firewall (same firewall as R2).

After doing some reading, everything points towards an MTU issue. However, I am not sure where to change the MTU. On the workstations or the routers?

If you guys can think of other troubleshooting steps, that would be great.

Thanks for the help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
pkaretnikov Fri, 10/31/2008 - 09:07
User Badges:

The MTU would need to be set on the tunnel or the packets will need to be fragmented.

To verify that it is truly a problem send pings that are larger than the standard.

From the router you can do this with "ping"


Protocol [ip]:

Target IP address:

Repeat count [5]:

Datagram size [100]: 1500

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 1500-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 0 percent (0/5)


Try various sizes to verify what size packets are being allowed.

ksarin123_2 Fri, 10/31/2008 - 09:25
User Badges:

When I issue the command below, I get successful pings.

ping size 1500 source

ping size 2000 source

So does not like it's an MTU issue. Anything else you can think of?

Istvan_Rabai Sun, 11/02/2008 - 21:47
User Badges:
  • Gold, 750 points or more

Hi Kunal,

What comes to my mind is that Outlook and SAP applications are located in subnets that may not be included in the definition of the interesting traffic for the site-to-site VPN.

Please check this.

You know, the ACL defining the interesting traffic should include the source and destination subnets of all desired traffic.

On the other side of the tunnel, the ACL should be symmetrical to the the ACL on this side.



ksarin123_2 Mon, 11/03/2008 - 06:47
User Badges:

Hi Istvan -

The subnets for Exchange and SAP servers are defined in the crypto ACL. I can ping the Exhange and SAP servers over the VPN tunnel, however the applications can't connect to them. Since I can ping the servers, I know it's not a routing or a NAT issues. It doesn't appear to be an MTU issue as well.

Not sure what else could it be. Any other ideas?

Istvan_Rabai Mon, 11/03/2008 - 11:12
User Badges:
  • Gold, 750 points or more

Hi Kunal,

In this case I would do a packet capture on the application side and on the server side as well.

This would help figuring out where the packets (either requests or replies) are throttled so the applications do not receive any response.

Then you would be able to narrow the selections to a few items for further investigation.



j.bourque Tue, 11/04/2008 - 14:10
User Badges:

just a idea but are the applications trying to connect using IP or DNS?


This Discussion