07-03-2002 01:46 PM - edited 02-21-2020 11:52 AM
I have created a new IPSec tunnel from branch to branch (1750 to 1750 router) and tested FTP file transfer. I am able to log on to the FTP server and see the files, but I could not PUT or GET the files. Encryption is happening for PING and TELNET, i.e. encryption is not working totally between the 1750 routers for FTP PUT & GET.
And there is no problem with the FTP server, because without IPsec FTP is working fine, and I also tested with another FTP server.
Both routers are running OSPF.
Also, we have tried FTP between the central router 3661 and the remote router 1750. The routers are running IPsec and the routing protocol OSPF. I was able to ping, telnet and also download a file from the FTP server located at the central location. But I am not able to upload a file from the remote router 1750 to the central router 3661.
What could be the problem?
07-03-2002 01:46 PM
You are having some MTU problems here.
As IPSec adds some overhead to the IP packets, the MTU decreases. The router informs the stations sending 1500-byte packets with DF set, via ICMP, to decrease the MTU.
At one end (based on your description, at the remote site) the station probably tries to send packets of 1500 octets and ignores the router's ICMPs.
You can control the behavior of the DF bit in newer IOS versions (12.2.T).
07-04-2002 12:45 PM
I think this is an MTU problem.
Do this to be sure.
In the router, first clear all the SAs:
clear crypto sa
Then start debugs for ISAKMP and IPsec:
debug crypto ipsec
debug crypto isakmp
term mon
Then generate some traffic to initiate the tunnel and look in the debug at how many bytes IPsec is adding (e.g. esp-des esp-md5-hmac adds 56 bytes). If the path MTU is 1500, you must reset the MTU.
I hope it helps.
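
The overhead arithmetic the replies point to, as an added example that is not part of the original posts: it computes the encrypted size of a packet under the esp-des esp-md5-hmac transform mentioned above and shows why small ping/telnet packets pass while full-size FTP data segments with DF set do not. Assumptions: IPv4 tunnel-mode ESP with no NAT-T or GRE, and the sample packet sizes are constructed.

```python
# Assumptions (not from the thread): IPv4 tunnel-mode ESP, no NAT-T, no GRE.
OUTER_IP = 20      # new IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8)}   # (IV bytes, block bytes)
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}    # truncated ICV bytes

def outer_size(inner, cipher="esp-des", auth="esp-md5-hmac"):
    """Size of the encrypted packet that carries an inner IP packet."""
    iv, block = CIPHERS[cipher]
    # payload + trailer is padded up to a multiple of the cipher block size
    padded = -(-(inner + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HDR + iv + padded + AUTHS[auth]

def max_inner(path_mtu, cipher="esp-des", auth="esp-md5-hmac"):
    """Largest inner packet whose encrypted form still fits in path_mtu."""
    iv, block = CIPHERS[cipher]
    room = path_mtu - OUTER_IP - ESP_HDR - iv - AUTHS[auth]
    return room // block * block - ESP_TRAILER

def verdict(inner, df, path_mtu=1500):
    """What happens to one inner packet at the encrypting router."""
    if outer_size(inner) <= path_mtu:
        return "fits"
    return "dropped, ICMP frag-needed sent to host" if df else "fragmented"

# Constructed sample traffic: (description, inner IP packet size, DF bit)
SAMPLES = [
    ("ping, 56-byte payload", 84, False),
    ("telnet keystroke", 41, True),
    ("FTP control command", 60, True),
    ("FTP data, full segment", 1500, True),
]

if __name__ == "__main__":
    limit = max_inner(1500)
    # 40 = inner IPv4 header + TCP header without options
    print(f"max inner packet: {limit} bytes, matching TCP MSS: {limit - 40}")
    for name, size, df in SAMPLES:
        print(f"{name:24} {size:5} -> {outer_size(size):5}  {verdict(size, df)}")
```

If the sending host ignores or never receives the ICMP message, the full-size data segments are silently lost, which matches logins and directory listings working while PUT and GET stall.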