11-03-2003 09:30 AM - edited 03-02-2019 11:26 AM
Recently I set up a 1721 running IOS c1700-k9o3sy7-mz.122-15.T5.bin.
This router terminated a VPN with another router, a 1721 with the exact same IOS version. This router was initially connected via a wireless WAN link out eth0. We moved them onto a T1 as the primary interface with the wireless as a backup. We then had to:
-setup a loopback device - its ip would terminate the vpn
-make the source packets of the vpn come from the loopback
-setup static routes w/ higher administrative distances
Doing all this we tested the VPNs - they worked. Unplugged the T1 connection and traffic moved over to the wireless. We verified VPN clients could connect. Everything worked OK...
Except when moving large files between hosts behind fa0 over the VPN to hosts at the far end. To prove the VPN worked and routing was in place we could telnet from a host behind fa0 over the VPN to a remote host and log in. Then we'd try to FTP some files over. We could connect to the FTP server BUT once a file transfer was started things would hang.
We opened a Cisco tac case and it turned out that adding
ip tcp adjust-mss 1300
to interface fa0 fixed everything - file transfers worked.
My question: why would reduced packet size help? Did the VPN add some packet overhead causing larger packets to be dropped?
A clue was found here BUT this relates to PPPoE - not vpns..
I'm just looking for an explanation as to why this reduced MTU size worked. I would never have figured this out on my own...
Below is the running-config we used. Remember, everything worked (switching between WAN links, VPN connectivity, NAT) except file transfers and when large amounts of data were pushed over the pipe, like MS file/print sharing and emails with attachments (a few hundred KB). The only change was one line on the fa0 interface.
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HPARFD
!
logging queue-limit 100
logging buffered 8192 debugging
enable secret 5 <removed>
enable password 7 <removed>
!
username abc password <removed>
clock timezone CST -6
clock summer-time CDT recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name blahblah.net
ip name-server <dns ip>
ip name-server <dns ip>
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key test3030 address <remoteip> no-xauth
crypto isakmp key test3131 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group whatever
key <removed>
pool ourpool
acl 101
!
!
crypto ipsec transform-set rptset esp-des esp-md5-hmac
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
crypto ipsec transform-set v35clientset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set v35clientset
crypto dynamic-map dynmap 20
set transform-set trans2
!
!
crypto map rtp local-address Loopback0
crypto map rtp isakmp authorization list groupauthor
crypto map rtp client configuration address initiate
crypto map rtp client configuration address respond
crypto map rtp 1 ipsec-isakmp
set peer <peer ip>
set transform-set rptset
match address 115
crypto map rtp 50 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
description Loopback address is NOT dependent on either physical interface
ip address <removed> 255.255.255.255
no ip proxy-arp
ip nat outside
no ip split-horizon
!
interface Ethernet0
description secondary WAN link - wireless
ip address <removed> 255.255.255.252
no ip proxy-arp
ip nat outside
no ip split-horizon
half-duplex
crypto map rtp
!
interface FastEthernet0
description connected to EthernetLAN
ip address <private ip> 255.255.255.0
no ip proxy-arp
ip tcp adjust-mss 1300
^^^^^^^^^^^^^^^^^^^^^^ Cisco TAC added workaround
ip nat inside
speed auto
!
interface Serial0
description primary WAN link - t1
ip address <private ip> 255.255.255.252
no ip proxy-arp
ip nat outside
random-detect
crypto map rtp
!
router rip
version 2
passive-interface Loopback0
passive-interface Serial0
passive-interface Ethernet0
network <private ip>
no auto-summary
!
ip local pool ourpool <private ip range>
ip nat inside source route-map nonat interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0 <removed>
ip route 0.0.0.0 0.0.0.0 Ethernet0 <removed> 200
ip route <private ip> 255.255.255.0 Serial0 <removed>
ip route <private ip> 255.255.255.0 Ethernet0 <removed> 200
ip route <private ip> 255.255.255.0 Serial0 <removed>
ip route <private ip> 255.255.255.0 Ethernet0 <removed> 200
ip route <private ip> 255.255.255.0 Serial0 <removed>
ip route <private ip> 255.255.255.0 Ethernet0 <removed> 200
no ip http server
no ip http secure-server
!
!
!
ip access-list extended remote_access
permit tcp any any eq 22
permit tcp <private ip> 0.0.0.255 any eq telnet
deny tcp any any eq telnet
permit ip any any
!
access-list 1 permit <private> 0.0.0.255
access-list 100 permit ip host <removed> 192.168.0.0 0.0.0.255
access-list 100 permit ip host <removed> 192.168.0.0 0.0.0.255
access-list 100 permit ip host <removed> 192.168.0.0 0.0.0.255
access-list 101 permit ip <removed> 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.2.1.0 0.0.0.255
access-list 199 permit tcp any any established
access-list 199 permit udp any any
access-list 199 permit esp any any
access-list 199 permit ip 192.168.0.0 0.0.0.255 <removed> 0.0.0.255
!
route-map nonat permit 10
match ip address 110
!
snmp-server enable traps tty
radius-server authorization permit missing Service-Type
alias exec sv show version
alias exec sr show running-config
alias exec ss show startup-config
alias exec con conf t
alias exec top show proc
alias exec br show ip inter brief
!
line con 0
exec-timeout 0 0
password 7 <removed>
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 <removed>
logging synchronous
transport input pad udptn telnet rlogin ssh
!
ntp clock-period 17180059
ntp server <removed>
end
11-04-2003 04:09 AM
TCP MSS is the Maximum Segment Size, which TCP optionally negotiates with the other party at the time of session initialization. In your case, TCP will not send more than 1300 bytes to the other party in one segment.
I think you can go a little more than 1300. All you are doing is leaving room in the 1500B packet for additional headers to fit in. Usually TCP+IP header overhead consumes 40B, but will increase with the use of Options. In addition, VPN headers need space as well.
Hope this helps.
11-04-2003 04:18 AM
The average overhead for an IPSec Tunnel Mode VPN is approx 51 - 58 bytes:
ESP overhead (with authentication) : 31 ~ 38 bytes (including padding)
New IP Header : 20 Bytes
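As an added worked example (not part of the thread, and not Cisco's code), here is the overhead arithmetic behind the two replies above, written in Python. It computes the ESP tunnel-mode encapsulation size for the esp-des / esp-3des + esp-md5-hmac transform sets in the posted config and finds the largest TCP MSS whose encapsulated packet still fits a 1500-byte outer MTU. The 8-byte ESP header, 8-byte DES/3DES IV and block size, 2-byte trailer and 12-byte HMAC-MD5-96 ICV are standard IPsec values; the esp-aes entry is a generalization I added and is not in the config. It shows why interactive telnet (small segments) worked while FTP data (full 1460-byte segments) did not, and that 1300 leaves more headroom than strictly needed.

```python
"""Added example: IPsec ESP tunnel-mode overhead and the TCP MSS that fits.

Not from the original thread. Header and block sizes are standard IPsec
values; transform-set names mirror the posted Cisco config. The esp-aes
entry is an added generalization (not in the config).
"""

ETHERNET_MTU = 1500
IPV4_HEADER = 20      # no IP options
TCP_HEADER = 20       # no TCP options
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)

# cipher -> (block size, IV length) in bytes
CIPHERS = {
    "esp-des": (8, 8),
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),   # assumption: added for comparison, not in the config
}
# authenticator -> ICV length in bytes (both are 96-bit truncated HMACs)
ICVS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def esp_tunnel_overhead(inner_len, cipher="esp-des", auth="esp-md5-hmac"):
    """Bytes added when an inner IPv4 packet of inner_len bytes is wrapped
    in ESP tunnel mode: new outer IP header + ESP header + IV + CBC
    padding + ESP trailer + ICV. Padding brings (payload + trailer) up
    to a multiple of the cipher block size."""
    block, iv = CIPHERS[cipher]
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HEADER + ESP_HEADER + iv + pad + ESP_TRAILER + ICVS[auth]


def encapsulated_size(mss, cipher="esp-des", auth="esp-md5-hmac"):
    """On-the-wire size of one full TCP segment after tunnel-mode ESP."""
    inner = IPV4_HEADER + TCP_HEADER + mss   # the host's original packet
    return inner + esp_tunnel_overhead(inner, cipher, auth)


def fits(mss, outer_mtu=ETHERNET_MTU, cipher="esp-des", auth="esp-md5-hmac"):
    """True if a segment of this MSS survives encapsulation without
    fragmentation (or, with DF set, without being dropped)."""
    return encapsulated_size(mss, cipher, auth) <= outer_mtu


def max_mss(outer_mtu=ETHERNET_MTU, cipher="esp-des", auth="esp-md5-hmac"):
    """Largest MSS whose encapsulated packet still fits outer_mtu.
    Starts from the plain-Ethernet MSS (1460) and walks down; padding
    makes the relation non-monotonic by a few bytes, so a loop is
    simpler than a closed form."""
    mss = outer_mtu - IPV4_HEADER - TCP_HEADER
    while not fits(mss, outer_mtu, cipher, auth):
        mss -= 1
    return mss


if __name__ == "__main__":
    for cipher in ("esp-des", "esp-3des", "esp-aes"):
        print(f"{cipher:9s} max MSS on 1500-byte MTU: {max_mss(cipher=cipher)}")
    for mss in (1460, 1406, 1300):
        state = "fits" if fits(mss) else "TOO BIG"
        print(f"MSS {mss}: {encapsulated_size(mss)} bytes on the wire -> {state}")
```

Running it shows a default 1460-byte segment grows to 1552 bytes with esp-des/esp-md5-hmac, so the router must fragment it or (with DF set and the ICMP "fragmentation needed" message filtered somewhere) drop it, which is the hang the original poster saw on bulk transfers. The largest MSS that fits is 1406; 1300 encapsulates to 1392 bytes and works with spare room, matching the first reply's comment that you can go somewhat above 1300. If the WAN is PPPoE (1492-byte MTU, the case the poster's clue referred to), pass outer_mtu=1492.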
11-04-2003 08:42 AM
An answer was posted in another forum - the VPN security one. Here is a URL that basically explains everything in detail.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml