

FWSM and Windows 2008 LDAP Packet Loss


We have a problem with a number of Windows 2008 Servers on DMZs communicating across the FWSM to their internal Windows 2003 Domain Controllers.

When adding domain objects (users, groups, etc.) to the local server security policy, we experience delays or can't resolve the objects on the domain from the 2008 server. Firewall access has been opened fully (all IP) in both directions between the DCs and the Windows 2008 DMZ servers. On closer inspection it appears that some LDAP packets are being lost as they pass back through the firewall from the DCs. This results in some packets being re-sent from the DC to the DMZ 2008 server. Every time this happens we see a 2.5 second delay before the packet is re-sent.

Our Windows 2003 DMZ servers do not have the same issue and communicate with the central DCs without a problem.

We're running 3.1(4) code on the FWSM. We've tried increasing the MTU and MSS sizes on the firewall interfaces and currently have MTU = 8500, MSS = 1532.

Has anyone seen this before? As we're running an old version of code should we go for an upgrade?

Many thanks
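The symptom described in the post (segments from the DC lost through the firewall, then resent after a fixed delay) is easiest to confirm from a capture taken on the DMZ side. The following is an added example, not code from the original post or from Cisco: it walks a capture summary, flags TCP segments whose sequence number repeats within a flow on the LDAP port (389), and reports the gap between the first copy and the resend. The capture records are constructed; field layout, addresses and the `find_retransmissions`/`summarize` names are assumptions for illustration.

```python
"""Added example (not from the original post): flag TCP retransmissions in
LDAP traffic (TCP 389) from a capture summary and report the gap between the
original segment and the resend. The capture records below are constructed."""
from collections import defaultdict

LDAP_PORT = 389

# Constructed capture summary: (timestamp_s, src, dst, sport, dport, seq, payload_len)
# Flow: DC 10.0.0.10:389 -> DMZ server 192.0.2.5:49152. The segment at seq 3460
# never arrives, so the DC resends it 2.5 s later (matching the delay in the post).
CAPTURE = [
    (0.000, "192.0.2.5", "10.0.0.10", 49152, 389, 1000, 120),   # search request
    (0.004, "10.0.0.10", "192.0.2.5", 389, 49152, 2000, 1460),  # response part 1
    (0.005, "10.0.0.10", "192.0.2.5", 389, 49152, 3460, 1460),  # response part 2 (lost)
    (0.006, "10.0.0.10", "192.0.2.5", 389, 49152, 4920, 800),   # response part 3
    (2.505, "10.0.0.10", "192.0.2.5", 389, 49152, 3460, 1460),  # retransmission
    (2.510, "192.0.2.5", "10.0.0.10", 49152, 389, 1120, 80),    # next request
]


def find_retransmissions(records, port=LDAP_PORT):
    """Return one dict per retransmitted data segment on `port`.

    A retransmission is detected as a repeated (flow, seq) pair carrying
    payload; pure ACKs (length 0) are ignored. Records are processed in
    timestamp order so the first copy is always the reference.
    """
    first_seen = defaultdict(dict)  # flow key -> {seq: timestamp of first copy}
    hits = []
    for ts, src, dst, sport, dport, seq, length in sorted(records, key=lambda r: r[0]):
        if length == 0 or port not in (sport, dport):
            continue
        flow = (src, sport, dst, dport)
        if seq in first_seen[flow]:
            hits.append({
                "flow": flow,
                "seq": seq,
                "delay_s": round(ts - first_seen[flow][seq], 3),
            })
        else:
            first_seen[flow][seq] = ts
    return hits


def summarize(records, port=LDAP_PORT):
    """Count retransmissions, the worst delay, and how many came from the server side.

    A count dominated by server-sourced (sport == port) resends points at loss on
    the DC -> DMZ path through the firewall rather than at the client.
    """
    hits = find_retransmissions(records, port)
    if not hits:
        return {"count": 0, "max_delay_s": 0.0, "from_server": 0}
    return {
        "count": len(hits),
        "max_delay_s": max(h["delay_s"] for h in hits),
        "from_server": sum(1 for h in hits if h["flow"][1] == port),
    }


if __name__ == "__main__":
    for hit in find_retransmissions(CAPTURE):
        print(f"retransmit seq={hit['seq']} from {hit['flow'][0]}:{hit['flow'][1]} "
              f"after {hit['delay_s']} s")
    print(summarize(CAPTURE))
```

To use this on a real capture, export the TCP fields (time, addresses, ports, relative seq, payload length) from a packet analyzer into the tuple layout above; a consistent delay such as the 2.5 s in the post, with every resend sourced from the DC, separates a drop on the firewall path from an application-level timeout on the client.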

