Hello, I have an 831 VPN user who has just changed ISPs from Comcast to Verizon. Her new connection comes up and the VPN connection looks good on our 3005 concentrator. Her 7960 IP Phone works fine but none of her Windows PCs seem to work correctly. The PCs take forever to boot up and once they do, they cannot browse the network or connect to M$ Exchange. IP pings work fine, as does the IP Phone. Nothing on the VPN has changed except that now the connection is NAT-T. I have other 831 users that are working fine with NAT-T.
I did not run the SDM Security function on this router.
It looks like an MSS and fragmentation problem. You can test it by doing pings with fixed-size packets and with the DF bit set. Generally, using ip tcp mss-adjust on the inside interface on both sides of the tunnel (setting it to about 1380) should help. I also use crypto ipsec df-clear so that the DF bit is removed if any of the hosts attempts to set it.
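To make the two checks in the reply above concrete, here is an added example that is not part of the original thread or any Cisco tool: it works out where a value like 1380 comes from by counting the ESP tunnel-mode overhead (outer IP, the 8-byte UDP/4500 header NAT-T adds, ESP header, IV, cipher-block padding, trailer and truncated HMAC), and it runs the "fixed-size ping with DF set" test as a binary search. The header sizes are standard ESP/IKE values; the cipher and integrity choices, the simulated probe used for offline testing, and the `ping` command format (Linux `ping -M do -s`) are assumptions made for the example.

```python
"""Estimate a safe TCP MSS behind an IPsec ESP tunnel (with or without NAT-T)
and find the largest DF-bit packet a path carries. Added example, not thread code."""
import subprocess

IPV4_HDR = 20
TCP_HDR = 20
UDP_NAT_T = 8        # UDP/4500 encapsulation header that NAT-T adds
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
CIPHERS = {"aes": (16, 16), "3des": (8, 8)}    # (IV bytes, block size) -- assumed set
ICVS = {"sha1": 12, "md5": 12, "sha256": 16}   # truncated HMAC lengths -- assumed set


def esp_tunnel_overhead(inner_len, cipher="aes", integ="sha1", nat_t=True):
    """Bytes added when an inner IP packet of inner_len is wrapped in ESP tunnel mode."""
    iv, block = CIPHERS[cipher]
    pad = (-(inner_len + ESP_TRAILER)) % block   # pad so plaintext fills whole blocks
    return (IPV4_HDR + (UDP_NAT_T if nat_t else 0) + ESP_HDR
            + iv + pad + ESP_TRAILER + ICVS[integ])


def max_mss(mtu=1500, cipher="aes", integ="sha1", nat_t=True):
    """Largest TCP MSS whose full-size segment still fits the MTU after encapsulation."""
    for inner in range(mtu, IPV4_HDR + TCP_HDR, -1):
        if inner + esp_tunnel_overhead(inner, cipher, integ, nat_t) <= mtu:
            return inner - IPV4_HDR - TCP_HDR
    raise ValueError("MTU too small for any TCP segment")


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary search for the largest total IP size that probe(size) reports as delivered
    with DF set. probe is any callable(size) -> bool, so it can be a real ping or a stub."""
    if not probe(lo):
        raise RuntimeError(f"even {lo}-byte DF packets are dropped; check the path first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_probe(path_mtu):
    """Constructed stand-in for a path whose MTU is path_mtu (offline testing)."""
    return lambda size: size <= path_mtu


def ping_df_command(host, total_size):
    """Linux ping for a DF-set packet of total_size bytes (-s excludes the 20-byte IP
    and 8-byte ICMP headers). Assumed syntax; adjust for Windows (-f -l) or IOS (df-bit)."""
    return ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(total_size - 28), host]


def linux_ping_probe(host):
    """Real probe built on ping_df_command; returns True when the DF ping gets a reply."""
    def probe(size):
        return subprocess.run(ping_df_command(host, size), capture_output=True).returncode == 0
    return probe


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"AES/SHA1, NAT-T={nat_t}: max MSS for 1500-byte MTU = {max_mss(nat_t=nat_t)}")
    print("Simulated path with 1492-byte MTU:", find_path_mtu(simulated_probe(1492)))
```

With a 1500-byte MTU, AES-CBC and HMAC-SHA1, the largest MSS that avoids fragmentation is 1398 without NAT-T and 1382 with it: the extra 8-byte UDP header pushes the plaintext over a 16-byte block boundary, which is why a tunnel that was fine before NAT-T can start fragmenting afterwards, and why a conservative 1380 is the usual recommendation. For a real path, pass `linux_ping_probe("remote-host")` to `find_path_mtu` instead of the simulated probe.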