Bizarre VPN woes

craig-lantec
Level 1

I have a VPN between two Cisco 1712 routers. The VPN connection, on the surface, appears to be working fine - I can ping devices on both sides, I can telnet to devices on both sides. I have two things that will not work:

1. Terminal Services across the VPN tunnel. When I try to access a terminal server, the session appears to start, then just times out (as opposed to getting a "remote device not responding" type message). This won't work in either direction.

2. Remote workstations logging into their W2K domain - the PCs just time out trying to log in. The remote PCs log on to a W2K domain on the other side of the tunnel. The DNS server for the remote PCs is the W2K server, but DNS name resolution is working fine across the VPN.

I know this is a configuration issue but I'm stumped. I was wondering if anyone has seen anything similar?

Funny thing is I can put in their old Linksys RV082 VPN routers and everything works fine. (Going to the Cisco equipment because they need routers that support QoS for voice traffic. Their voice is working fine across the VPN as well.)

7 Replies

Randall White
Level 3

I'm not an expert, so I don't have an exact answer for you, but here's a few things to check:

1. Remember that IPSec is unicast only. Anything that requires broadcast or multicast will break. Try setting up a GRE tunnel and setting the tunnel interface as the gateway for each side. This will also allow you to run a routing protocol between the two routers.

2. Make sure you aren't dropping or fragmenting packets. Since IPSec adds an additional header, any max size packet will have to be fragmented. This really kills performance. As a rule of thumb, I generally set MTU at 1450.

3. If you are running anything else on the router, such as NAT, expect slow performance. Check CPU levels; "show proc cpu hist" is a favorite.

Hope this helps, please post your solution as I have run into similar problems.

Randy

There is plenty of stuff on the CCO on how to troubleshoot this.

patrick.cannon
Level 1

How did you prioritize the traffic for voice vs. regular network traffic such as Terminal Server?

Are you using ACLs to restrict traffic through the tunnel?

Win2k machines -

Do they have a route to your DC (route print)? Does a DC have the route to them? When you sniff the traffic on either side of the tunnel, do you see both sides of the communication?

It sounds like you have a QoS problem actually.

Looks like an MTU size problem. The hosts at each end use 1500, but the VPN tunnel is only 1400 or so after all the IPsec/GRE headers. Compounded if there are routers/firewalls in the path that don't properly issue/respond to ICMP "fragmentation needed" replies.

Take a look at http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

One of my customers had exactly the same issue with W2K domain login. MTU was the culprit.
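The overhead arithmetic behind "1400 or so", as an added example that is not part of this thread: a small Python calculator for the largest inner IPv4 packet that crosses a 1500-byte (or 1492-byte PPPoE) link inside an ESP tunnel, and the TCP MSS to clamp. It goes beyond the thread's plain IPsec case to transport mode, GRE over IPsec and NAT-T; the header, IV and ICV sizes are assumed standard values for the listed algorithms, and AH and IPv6 are not covered.

```python
# Added example (not from the thread): estimate the usable MTU inside an
# IPv4 ESP tunnel so a TCP MSS clamp can be chosen instead of guessed.
# Assumptions: ESP with the ciphers/integrity algorithms listed below,
# optional GRE-over-IPsec and NAT-T UDP encapsulation; AH/IPv6 not covered.

IPV4_HDR = 20      # outer or delivery IPv4 header
GRE_HDR = 4        # GRE header without key/sequence options
ESP_HDR = 8        # SPI + sequence number
NAT_T_UDP = 8      # UDP header added when NAT traversal is negotiated
ESP_TRAILER = 2    # pad-length + next-header bytes

# cipher -> (block size, IV length); integrity -> ICV length, all in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
INTEG = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def wire_size(inner_len, cipher="3des-cbc", integ="hmac-sha1-96",
              tunnel_mode=True, gre=False, nat_t=False):
    """Bytes on the physical link for an inner IPv4 packet of inner_len bytes."""
    block, iv_len = CIPHERS[cipher]
    plain = inner_len + (GRE_HDR + IPV4_HDR if gre else 0)  # GRE adds its own IP header
    if not tunnel_mode:
        plain -= IPV4_HDR        # transport mode keeps the original IP header outside ESP
    # payload plus trailer is padded up to the cipher block size
    padded = -(-(plain + ESP_TRAILER) // block) * block
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv_len
            + padded + INTEG[integ])


def max_inner_mtu(link_mtu=1500, **tunnel):
    """Largest inner packet that crosses link_mtu without fragmentation."""
    size = link_mtu
    while size > 0 and wire_size(size, **tunnel) > link_mtu:
        size -= 1                # wire_size never decreases, so the first fit is the max
    return size


def tcp_mss(inner_mtu):
    """MSS to clamp on the tunnel: inner MTU minus minimal IPv4 + TCP headers."""
    return inner_mtu - 40


if __name__ == "__main__":
    # constructed scenarios: the thread's plain IPsec tunnel, and GRE over IPsec
    for label, opts in [("3DES/SHA1 tunnel mode", {}),
                        ("AES/SHA1 tunnel mode + GRE", {"cipher": "aes-cbc", "gre": True})]:
        mtu = max_inner_mtu(1500, **opts)
        print(f"{label}: inner MTU {mtu}, clamp MSS to {tcp_mss(mtu)}")
```

The result is an upper bound for the exact algorithms in use; deployments commonly round down further (the 1450 and 1200 mentioned in this thread) to leave margin for devices in the path that drop ICMP "fragmentation needed".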

craig-lantec
Level 1

You would be correct. Three techs at Cisco and 2 weeks later, and the MTU size indeed was the culprit.

What MTU did you settle on?

And what was the topology, i.e. IPsec/GRE, transport or tunnel mode, PPPoE etc.?

1200 is what they set it at. I didn't play around with the settings any as this was a production environment. DSL connection, not PPPoE, IPSec, tunnel mode.

Can you give us more details on exactly what devices you ended up having to change the MTU on?