I have a client who has a router at a remote site that uses an IPsec VPN tunnel to access their HQ. I was contacted because, out of the blue, they claimed that the remote site users were unable to RDP into the terminal server in their HQ.
This sounds like an MTU or a DF-bit problem. I did some ping tests that set the "don't fragment" flag in the packet, and I found that the router will not drop packets that are 1378 bytes or smaller.
I did a registry hack to one of the PCs at the remote site and hard-coded the MTU to 1378 bytes, and RDP now works. I of course don't want to do this to all the PCs here. So here's my question: What's the most efficient way to permanently fix this? Should I:
- Enable ICMP so that the Path MTU Discovery mechanism can dynamically set the correct MTU?
- Add the "ip mtu 1378" command to int g3/6? (If I do this, I have to remove the "crypto ipsec fragmentation after-encryption" and "crypto ipsec df-bit clear" commands, correct?)
Well, before I read the responses that were posted here I made some progress. Just to see what would happen, I set the "crypto ipsec fragmentation before-encryption" command on both ends, and RDP started working. This didn't fix all our problems though.
At the same time that RDP stopped working, AD replication stopped working, and sending files from HQ started ending prematurely. They are still not working. Tomorrow, I'm going to try both suggestions posted here and report back.
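The DF-bit ping test described in the posts above, as an added example that is not part of the original thread: a binary search for the largest packet that passes with DF set, plus the ICMP payload and TCP MSS that size implies. It assumes the 1378-byte figure is the full IPv4 packet size; `ping_df` assumes Linux iputils `ping` flags, and the simulated path is constructed so the script runs offline.

```python
import subprocess

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4 and TCP without options, ICMP echo header

def ping_df(host, packet_size):
    """Send one echo request with DF set; True if a reply came back.
    Assumes Linux iputils ping, where -s takes the ICMP payload size."""
    payload = packet_size - IP_HDR - ICMP_HDR
    cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def largest_df_packet(probe, low=576, high=1500):
    """Binary-search the largest IP packet size for which probe(size) succeeds.
    Returns None if even `low` fails, which points at reachability, not MTU."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2   # round up so the loop always narrows
        if probe(mid):
            low = mid                 # mid fits through the tunnel
        else:
            high = mid - 1            # mid was dropped, so the limit is below it
    return low

def derived_sizes(path_mtu):
    """Sizes an endpoint has to respect to stay under the measured limit."""
    return {
        "path_mtu": path_mtu,
        "icmp_payload": path_mtu - IP_HDR - ICMP_HDR,  # largest payload that passes
        "tcp_mss": path_mtu - IP_HDR - TCP_HDR,        # largest unfragmented TCP segment
    }

def simulated_tunnel(limit=1378):
    """Constructed stand-in for the path: drops any DF packet above `limit`."""
    sent = []
    def probe(size):
        sent.append(size)
        return size <= limit
    return probe, sent

if __name__ == "__main__":
    probe, sent = simulated_tunnel()
    mtu = largest_df_packet(probe)
    print(derived_sizes(mtu), "found in", len(sent), "probes")
    # Against a real path: largest_df_packet(lambda size: ping_df("HOST_PLACEHOLDER", size))
```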