I am having a very strange DMVPN connection problem.
I'm in the initial stages of moving from an IPSEC Site-to-Site vpn to a full DMVPN cloud. I currently have only one spoke converted from Site-to-Site to DMVPN.
Site to Hub connection looks like this:
1841 -> Internet -> 2821 -> Core switch
From the spoke I can reach most resources off the core switch. However, I'm unable to open internet browser connections to internal resources. Previously this site had been a Site-to-Site vpn using the same addressing and connecting through the same equipment. As a Site-to-Site vpn I can connect to all the proper internal network resources, as I can at all the other Site-to-Site vpn locations.
As soon as I moved to DMVPN I started having connection problems to certain resources.
Once packets from the spoke reach the internal network, is there any difference in their content between a DMVPN and a Site-to-Site vpn?
Increase your ping packet size until it begins to timeout.
I have had good luck with setting my MTU at 1500 on my tunnels and then using ip tcp adjust-mss 1300.
For us, when RDP is sluggish and disconnects often, it is usually a good sign that there is an MTU issue. Although this usually goes hand in hand with mail queues backing up or Outlook clients having trouble connecting over the VPN.
I realize the settings I gave you aren't what is recommended in the document. I got those settings from TAC and they work for me. I haven't had a chance to play around with them to try different combinations as it typically breaks things.
The df-bit clear would remove the 'do not fragment' flag from the packet, enabling the router to fragment these packets into smaller sizes so they can get under the max MTU size. You shouldn't need the df-bit clear with the ip tcp adjust-mss command in place.
Transport mode may also help you here. It will reduce header overhead on the packets that are traversing your tunnel.
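The following is an added example, not part of the replies above: it estimates how large a TCP segment becomes once GRE and ESP headers are added, in tunnel and transport mode, and searches for the largest packet that fits the way the ping sweep suggested above would. It assumes IPv4, AES-CBC with HMAC-SHA1-96, a GRE tunnel key, no NAT-T and no TCP options; all function names are hypothetical.

```python
"""Estimate the on-wire size of packets sent through GRE protected by ESP."""

IP_HDR = 20       # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
GRE_HDR = 4       # base GRE header
GRE_KEY = 4       # extra bytes when a tunnel key is configured (assumed)
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 16       # AES-CBC initialization vector (assumed cipher)
ESP_ICV = 12      # HMAC-SHA1-96 integrity check value (assumed)
ESP_BLOCK = 16    # AES block size; ESP pads the plaintext to a multiple of it
ESP_TRAILER = 2   # pad-length byte + next-header byte


def wire_size(inner_len, mode="tunnel", gre_key=True):
    """Bytes on the physical link for an inner IP packet of inner_len bytes."""
    gre = GRE_HDR + (GRE_KEY if gre_key else 0)
    # Transport mode reuses the GRE delivery IP header as the outer header;
    # tunnel mode encrypts that header too and prepends a second one.
    protected = gre + inner_len + (IP_HDR if mode == "tunnel" else 0)
    padded = -(-(protected + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def largest_passing(probe, lo=64, hi=1500):
    """Binary-search the largest size in [lo, hi] for which probe(size) is True.
    probe stands in for one ping with the DF bit set at that packet size."""
    if not probe(lo):
        raise ValueError("even the smallest probe size fails")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def max_mss(path_mtu, mode="tunnel", gre_key=True):
    """Largest TCP MSS whose encrypted packet still fits in path_mtu."""
    fits = lambda n: wire_size(n, mode, gre_key) <= path_mtu
    return largest_passing(fits, hi=path_mtu) - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(mode, "MSS 1300 ->", wire_size(1300 + 40, mode), "bytes;",
              "MSS 1460 ->", wire_size(1460 + 40, mode), "bytes;",
              "max MSS for a 1500-byte path:", max_mss(1500, mode))
```

Under these assumptions an MSS of 1300 stays below a 1500-byte path in either mode, while an unadjusted MSS of 1460 does not.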