Recently I set up a 1721 running IOS c1700-k9o3sy7-mz.122-15.T5.bin
This router terminated a VPN with another router, a 1721 with the exact same IOS version. This router was initially connected via a wireless WAN link out eth0. We moved them on to a T1 as the primary interface with the wireless as a backup. We then had to
- set up a loopback device - its IP would terminate the VPN
- make the source packets of the VPN come from the loopback
Doing all this we tested the VPNs - they worked. Unplugged the T1 connection and traffic moved over to the wireless. We verified VPN clients could connect. Everything worked OK...
Except when moving large files between hosts behind fa0 over the VPN to hosts at the far end. To prove the VPN worked and routing was in place we could telnet from a host behind fa0 over the VPN to a remote host and log in. Then we'd try to FTP some files over. We could connect to the FTP server, BUT once a file transfer was started things would hang.
We opened a Cisco tac case and it turned out that adding
ip tcp adjust-mss 1300
to interface fa0 fixed everything - file transfers worked.
My question: why would reduced packet size help? Did the VPN add some packet overhead causing larger packets to be dropped?
A clue was found here BUT this relates to PPPoE - not VPNs..
I'm just looking for an explanation as to why this reduced MTU size worked. I would have never figured this out on my own...
Below is the running-config we used. Remember everything worked (switching between WAN link, VPN connectivity, NAT) except file transfers and when large amounts of data were pushed over the pipe, like MS file/print sharing, emails w/ attachments (few hundred K). The only change was one line to the fa0 interface.
TCP MSS is the Maximum Segment Size, which TCP optionally negotiates with the other party at the time of session initialization. In your case, TCP will not send more than 1300 bytes to the other party in one segment.
I think you can go a little more than 1300. All you are doing is leaving room in the 1500 B packet for additional headers to fit in. Usually TCP+IP header overhead consumes 40 B, but will increase with the use of Options. In addition, VPN headers need space as well.
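To put numbers on the "room for additional headers" point above, here is an added example (not from the thread or from Cisco) that estimates the size of a TCP segment after IPsec ESP tunnel-mode encapsulation. The thread does not state the transform set, so AES-128-CBC with HMAC-SHA1-96 and a 1500-byte link MTU are assumptions; with them, a default 1460-byte MSS produces 1560-byte encrypted packets, while 1300 produces 1400-byte packets that fit.

```python
# Added example: estimate IPsec ESP tunnel-mode packet size for a given TCP MSS,
# to show why "ip tcp adjust-mss 1300" kept encrypted packets under a 1500-byte MTU.
# Cipher/integrity parameters are assumptions (AES-128-CBC, HMAC-SHA1-96); the
# original routers' transform set is not known from the thread.

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(mss, cipher_block=16, iv_len=16, icv_len=12):
    """Total IPv4 packet size after ESP tunnel-mode encapsulation of a TCP
    segment carrying `mss` payload bytes.

    The whole inner packet (IP + TCP + payload) plus the ESP trailer is padded
    up to a multiple of the cipher block size before encryption (RFC 4303),
    then wrapped in a new outer IP header, ESP header, IV and ICV."""
    inner = IP_HDR + TCP_HDR + mss
    to_pad = inner + ESP_TRAILER
    pad = (-to_pad) % cipher_block          # bytes needed to reach the block boundary
    encrypted = to_pad + pad
    return IP_HDR + ESP_HDR + iv_len + encrypted + icv_len


def fits_mtu(mss, mtu=1500, **kw):
    """True if a full-size segment with this MSS still fits the link MTU after encapsulation."""
    return esp_tunnel_size(mss, **kw) <= mtu


def max_mss_for_mtu(mtu=1500, **kw):
    """Largest MSS whose encapsulated packet does not exceed `mtu` (the
    'a little more than 1300' the reply mentions, under these assumptions)."""
    mss = mtu
    while mss > 0 and not fits_mtu(mss, mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1300):
        print(f"MSS {mss}: {esp_tunnel_size(mss)} bytes on the wire, fits 1500 MTU: {fits_mtu(mss)}")
    print("largest MSS that fits:", max_mss_for_mtu())
```

With the default MSS the encrypted packet exceeds the MTU, so it must be fragmented or, if the DF bit is set and PMTUD fails, dropped, which matches the "connects but hangs on bulk transfer" symptom.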