I have a VPN between two Cisco 1712 routers. The VPN connection, on the surface, appears to be working fine - I can ping devices on both sides, I can telnet to devices on both sides. I have two things that will not work:
1. Terminal Services across the VPN tunnel. When I try to access a terminal server, the session appears to start, then just times out (as opposed to getting a "remote device not responding" type message). This won't work in either direction.
2. Remote workstations logging into their W2K domain - the PCs just time out trying to log in. The remote PCs log on to a W2K domain on the other side of the tunnel. The DNS server for the remote PCs is the W2K server, but DNS name resolution is working fine across the VPN.
I know this is a configuration issue but I'm stumped. I was wondering if anyone has seen anything similar?
Funny thing is I can put in their old Linksys RV082 VPN routers and everything works fine. (Going to the Cisco equipment because they need routers that support QoS for voice traffic. Their voice is working fine across the VPN as well.)
I'm not an expert, so I don't have an exact answer for you, but here's a few things to check:
1. Remember that IPsec is unicast only. Anything that requires broadcast or multicast will break. Try setting up a GRE tunnel and setting the tunnel interface as the gateway for each side. This will also allow you to run a routing protocol between the two routers.
2. Make sure you aren't dropping or fragmenting packets. Since IPsec adds an additional header, any max-size packet will have to be fragmented. This really kills performance. As a rule of thumb, I generally set MTU at 1450.
3. If you are running anything else on the router, such as NAT, expect slow performance. Check CPU levels; "show proc cpu hist" is a favorite.
Hope this helps, please post your solution as I have run into similar problems.
There is plenty of stuff on the CCO on how to troubleshoot this.
Looks like an MTU size problem. The hosts at each end use 1500, but the VPN tunnel is only 1400 or so after all the IPsec/GRE headers. Compounded if there are routers/firewalls in the path that don't properly issue/respond to ICMP "fragmentation needed" replies.
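The two replies above (the 1450 MTU rule of thumb with GRE, and the "tunnel is only 1400 or so after the headers" diagnosis) both come down to the same arithmetic, so here is a small calculator that works it through. This is an added example, not code from the thread or from Cisco: it models ESP tunnel mode (outer IPv4 header, SPI/sequence, IV, padding to the cipher block, 2-byte trailer, ICV), optional GRE and NAT-T encapsulation, and a deliberately simple path-MTU-discovery model of the "session starts, then times out" symptom when a DF-marked 1500-byte packet is silently dropped. The cipher/ICV sizes are standard ESP values; the transform sets, link MTU and the `pmtud` helper are assumptions chosen for illustration, not taken from the routers in the thread.

```python
"""IPsec (ESP tunnel mode) and GRE overhead calculator with a PMTUD model.

Added example, not from the original thread. Header sizes are the standard
ESP/GRE/IPv4 values; the transform sets and scenarios are constructed.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header added by tunnel mode (no options)
GRE_HDR = 4        # GRE without key/sequence/checksum options
UDP_HDR = 8        # UDP header used by NAT-T (UDP/4500) encapsulation
ESP_SPI_SEQ = 8    # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
TCP_HDR = 20       # TCP header without options, used for MSS derivation


@dataclass(frozen=True)
class Cipher:
    name: str
    iv: int      # IV bytes carried in the ESP payload
    block: int   # cipher block size that the plaintext is padded to


AES_CBC = Cipher("aes-cbc", iv=16, block=16)
TRIPLE_DES = Cipher("3des-cbc", iv=8, block=8)

# Truncated HMAC lengths (ICV) for common ESP authenticators.
AUTH_ICV = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_overhead(inner_len, cipher, auth, nat_t=False):
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len."""
    # The encrypted region is inner packet + padding + 2-byte trailer,
    # padded up to a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % cipher.block
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_SPI_SEQ
            + cipher.iv + pad + ESP_TRAILER + AUTH_ICV[auth])


def outer_len(inner_len, cipher, auth, gre=False, nat_t=False):
    """On-the-wire size of an inner packet after optional GRE, then ESP."""
    if gre:
        inner_len += IPV4_HDR + GRE_HDR   # GRE adds its own IPv4 delivery header
    return inner_len + esp_overhead(inner_len, cipher, auth, nat_t)


def max_inner_mtu(link_mtu, cipher, auth, gre=False, nat_t=False):
    """Largest inner packet whose encrypted form still fits the physical link."""
    size = link_mtu
    while outer_len(size, cipher, auth, gre, nat_t) > link_mtu:
        size -= 1
    return size


def tcp_mss_for(ip_mtu):
    """TCP MSS that keeps a full segment inside ip_mtu (IPv4 + TCP headers)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def pmtud(host_mtu, tunnel_mtu, frag_needed_reaches_host):
    """Crude path-MTU-discovery model for a flow that sets DF.

    Returns the MTU the host ends up using, or None when the flow black-holes:
    the oversize DF packet is dropped and no ICMP "fragmentation needed" gets
    back, so small packets (the handshake) work and large ones never arrive.
    """
    if host_mtu <= tunnel_mtu:
        return host_mtu
    if frag_needed_reaches_host:
        return tunnel_mtu          # ICMP carries the next-hop MTU; host shrinks
    return None                    # silent drop: session "starts, then times out"


def report(link_mtu=1500):
    """Summarise the usable inner MTU for a few constructed transform sets."""
    rows = {}
    for label, cipher, auth, gre in [
        ("3des-sha1 plain IPsec", TRIPLE_DES, "hmac-sha1-96", False),
        ("aes-sha1 plain IPsec", AES_CBC, "hmac-sha1-96", False),
        ("aes-sha1 GRE over IPsec", AES_CBC, "hmac-sha1-96", True),
    ]:
        mtu = max_inner_mtu(link_mtu, cipher, auth, gre=gre)
        rows[label] = (mtu, tcp_mss_for(mtu))
    return rows


if __name__ == "__main__":
    for label, (mtu, mss) in report().items():
        print(f"{label:26s} inner MTU {mtu}  TCP MSS {mss}")
    print("1500-byte DF packet into a 1414-byte tunnel, ICMP blocked:",
          pmtud(1500, 1414, False))
```

Under these assumptions an AES/SHA-1 GRE-over-IPsec tunnel leaves 1414 bytes for the inner packet on a 1500-byte link, which is why a lower fixed value such as 1400 is common; the corresponding MSS clamp is 1360, the pairing Cisco IOS expresses on the tunnel interface as `ip mtu 1400` and `ip tcp adjust-mss 1360`. Clamping MSS is the practical defence when something in the path eats the ICMP "fragmentation needed" messages, because it removes the dependence on PMTUD for TCP altogether. Check the numbers against the actual transform set in `show crypto ipsec sa`, since a 3DES set, NAT-T, or a different ICV length moves the answer by a few bytes.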