Cisco Support Community

New Member

Bizarre VPN woes

I have a VPN between two Cisco 1712 routers. The VPN connection, on the surface, appears to be working fine - I can ping devices on both sides, I can telnet to devices on both sides. I have two things that will not work:

1. Terminal Services across the VPN tunnel. When I try to access a terminal server, the session appears to start, then just times out (as opposed to getting a "remote device not responding" type message). This won't work in either direction.

2. Remote workstations logging into their W2K domain - the PCs just time out trying to log in. The remote PCs log on to a W2K domain on the other side of the tunnel. The DNS server for the remote PCs is the W2K server, but DNS name resolution is working fine across the VPN.

I know this is a configuration issue but I'm stumped. I was wondering if anyone has seen anything similar?

Funny thing is I can put in their old Linksys RV082 VPN routers and everything works fine. (Going to the Cisco equipment because they need routers that support QoS for voice traffic. Their voice is working fine across the VPN as well.)

7 REPLIES
New Member

Re: Bizarre VPN woes

I'm not an expert, so I don't have an exact answer for you, but here's a few things to check:

1. Remember that IPSec is unicast only. Anything that requires broadcast or multicast will break. Try setting up a GRE tunnel and setting the tunnel interface as the gateway for each side. This will also allow you to run a routing protocol between the two routers.

2. Make sure you aren't dropping or fragmenting packets. Since IPSec adds an additional header, any max size packet will have to be fragmented. This really kills performance. As a rule of thumb, I generally set MTU at 1450.

3. If you are running anything else on the router, such as NAT, expect slow performance. Check CPU levels; "show proc cpu hist" is a favorite.

Hope this helps, please post your solution as I have run into similar problems.

Randy

There is plenty of stuff on the CCO on how to troubleshoot this.

New Member

Re: Bizarre VPN woes

How did you prioritize the traffic for voice vs. regular network traffic such as Terminal Server?

Are you using ACLs to restrict traffic through the tunnel?

Win2k machines -

Do they have a route to your DC (route print)? Does a DC have the route to them? When you sniff the traffic on either side of the tunnel, do you see both sides of the communication?

It sounds like you have a QoS problem, actually.

New Member

Re: Bizarre VPN woes

Looks like an MTU size problem. The hosts at each end use 1500, but the VPN tunnel is only 1400 or so after all the IPsec/GRE headers. Compounded if there are routers/firewalls in the path that don't properly issue/respond to ICMP "fragmentation needed" replies.

Take a look at http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

One of my customers had exactly the same issue with W2K domain login. MTU was the culprit.
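The arithmetic behind the two MTU replies above (Randy's point about the extra IPsec header forcing fragmentation of full-size packets, and this reply's "1500 at the hosts, about 1400 inside the tunnel") is easy to get wrong, so here is an added worked example in Python. It is not code from the thread or from Cisco; the transform sets, the 1500-byte link MTU and the packet sizes are constructed assumptions. It computes how much an ESP tunnel-mode (optionally GRE-wrapped) packet grows, the largest host packet that still fits the outbound link, the TCP MSS that keeps segments under that size, and a small model of why a small ping succeeds while a full-size DF-marked packet stalls when the ICMP "fragmentation needed" message never reaches the sender.

```python
"""Added worked example: IPsec/GRE encapsulation overhead and the PMTUD black hole.

Assumptions (not from the thread): IPv4 everywhere, ESP tunnel mode, basic GRE
header without key/sequence fields, 1500-byte link MTU, truncated 96-bit HMACs.
"""
from dataclasses import dataclass

IPV4_HDR = 20       # outer/inner IPv4 header without options
TCP_HDR = 20        # TCP header without options
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
GRE_HDR = 4         # minimal GRE header (flags/version + protocol type)


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int      # cipher block size; ESP pads plaintext + trailer to a multiple of it
    iv_len: int     # IV carried in front of the ciphertext
    icv_len: int    # truncated HMAC (SHA1-96 and MD5-96 are both 12 bytes)


# Constructed transform sets, named the way IOS would spell them.
AES_SHA1 = EspTransform("esp-aes esp-sha-hmac", block=16, iv_len=16, icv_len=12)
DES3_MD5 = EspTransform("esp-3des esp-md5-hmac", block=8, iv_len=8, icv_len=12)


def esp_tunnel_len(inner_len: int, xf: EspTransform) -> int:
    """Bytes on the wire once an inner IPv4 packet of inner_len is ESP tunnel-mode encapsulated."""
    plaintext = inner_len + ESP_TRAILER
    pad = (-plaintext) % xf.block            # bring plaintext up to a cipher block boundary
    return IPV4_HDR + ESP_HDR + xf.iv_len + plaintext + pad + xf.icv_len


def max_inner_len(link_mtu: int, xf: EspTransform, gre: bool = False) -> int:
    """Largest host packet that leaves the tunnel router without being fragmented.

    With GRE the host packet is first wrapped in IP+GRE and that wrapper is what ESP sees.
    """
    wrapper = IPV4_HDR + GRE_HDR if gre else 0
    for inner in range(link_mtu, 0, -1):      # search downward; padding makes this non-monotonic
        if esp_tunnel_len(inner, xf) <= link_mtu:
            return inner - wrapper
    return 0


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS that keeps a TCP segment inside ip_mtu (IP + TCP headers removed)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def send_over_tunnel(packet_len: int, df_set: bool, tunnel_mtu: int,
                     icmp_reaches_sender: bool = True) -> str:
    """Model of one packet entering a tunnel whose usable MTU is tunnel_mtu.

    Returns one of: delivered, fragmented, icmp_frag_needed, black_hole.
    A black hole is a DF packet that is too big while the ICMP type 3 code 4
    reply is filtered somewhere on the way back, so the sender just retransmits and times out.
    """
    if packet_len <= tunnel_mtu:
        return "delivered"
    if not df_set:
        return "fragmented"          # arrives, but the far router must reassemble every packet
    return "icmp_frag_needed" if icmp_reaches_sender else "black_hole"


if __name__ == "__main__":
    for xf in (AES_SHA1, DES3_MD5):
        plain = max_inner_len(1500, xf)
        over_gre = max_inner_len(1500, xf, gre=True)
        print(f"{xf.name}: max host packet {plain} bytes, {over_gre} bytes with GRE")
    ip_mtu = 1400                            # a conservative tunnel 'ip mtu' below the GRE figure
    print(f"ip mtu {ip_mtu} -> tcp adjust-mss {tcp_mss_for(ip_mtu)}")
    # Why ping works but a logon or RDP session stalls: constructed packet sizes.
    usable = max_inner_len(1500, AES_SHA1, gre=True)
    print("32-byte ping:", send_over_tunnel(60, True, usable, icmp_reaches_sender=False))
    print("1500-byte DF segment:", send_over_tunnel(1500, True, usable, icmp_reaches_sender=False))
```

The numbers the script prints are the inputs for the standard IOS knobs on the tunnel interface, `ip mtu` and `ip tcp adjust-mss`: pick an `ip mtu` at or below the computed maximum (1400 is the usual conservative choice for GRE over IPsec, 1200 as used later in this thread leaves even more room) and set the MSS to that value minus 40. Clamping the MSS is what makes the fix independent of whether ICMP "fragmentation needed" gets through, which is why it resolves the symptom of small ICMP echo packets working while large TCP transfers time out.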

New Member

Re: Bizarre VPN woes

You would be correct. Three techs at Cisco and 2 weeks later, and the MTU size indeed was the culprit.

New Member

Re: Bizarre VPN woes

What MTU did you settle on?

And what was the topology, i.e. IPsec/GRE, transport or tunnel mode, PPPoE, etc.?

New Member

Re: Bizarre VPN woes

1200 is what they set it at. I didn't play around with the settings any, as this was a production environment. DSL connection, not PPPoE, IPsec, tunnel mode.

New Member

Re: Bizarre VPN woes

Can you give us more details on exactly what devices you ended up having to change the MTU on?

114 Views, 0 Helpful, 7 Replies