I have a site-to-site VPN IPsec tunnel established. I can connect to the server on the other side of the tunnel. When I log on to the domain, logon takes 10 min, then times out. I get an error saying that the authenticating server could not establish a secure connection. This is a Windows 2000 domain and the clients are Windows XP. The first question: can Kerberos go through the IPsec tunnel, and if so, do I need to make any configurations on my PIX? Is there any other configuration that I need to do? This is kind of funny because I can join the domain but not log on to it. I know DNS is OK because nslookup says so.
This could be a fragmentation problem. Kerberos traffic normally uses UDP, and sometimes when logging in with a user that holds a lot of rights in AD, or when doing a lot of AD or Exchange replication, the packets can get near 1500 bytes.
When the encryption portions are added to the packets, sometimes they have to be fragmented.
As some equipment (some routers...) does not allow fragmented UDP packets to pass, it will simply drop those packets.
Another scenario would be if the receiving equipment receives fragmented UDP packet #2 before #1. It would then also drop the packets.
The solution would be one of the following:
Lower the MTU of the outside interface (1400 or lower)
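To see why a Kerberos UDP datagram that is "near 1500 bytes" in the clear no longer fits once it is wrapped in ESP, here is an added sizing example (not from the thread above, and not Cisco or Microsoft code). It assumes an ESP tunnel-mode SA with AES-128-CBC and HMAC-SHA1-96; the IV, block and ICV sizes are parameters so they can be changed for a different proposal.

```python
# Added example: estimate the on-the-wire size of a Kerberos UDP datagram after
# ESP tunnel-mode encapsulation and the number of IP fragments it needs for a
# given outside-interface MTU. Assumed SA: AES-128-CBC (16-byte IV and block)
# with HMAC-SHA1-96 (12-byte ICV), no UDP NAT-T encapsulation.

IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_tunnel_size(udp_payload, iv_len=16, block=16, icv_len=12):
    """Total size of the outer IPv4 packet carrying a UDP payload of udp_payload bytes.

    Tunnel mode encrypts the whole inner packet (IP + UDP + payload); the inner
    packet plus the 2-byte ESP trailer is padded to the cipher block size, then
    the ESP header, IV, ICV and a new outer IP header are added.
    """
    inner = IPV4_HDR + UDP_HDR + udp_payload
    pad = (-(inner + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv_len + inner + pad + ESP_TRAILER + icv_len


def fragments_needed(total, mtu):
    """IP fragments required to carry a `total`-byte packet over a link of `mtu`.

    Every fragment carries its own 20-byte IP header, and all but the last must
    carry a multiple of 8 payload bytes (fragment offsets are in 8-byte units).
    """
    if total <= mtu:
        return 1
    per_fragment = (mtu - IPV4_HDR) // 8 * 8
    return -(-(total - IPV4_HDR) // per_fragment)


def max_unfragmented_payload(mtu, **sa):
    """Largest UDP payload whose ESP-encapsulated packet still fits in `mtu`."""
    payload = mtu
    while payload > 0 and esp_tunnel_size(payload, **sa) > mtu:
        payload -= 1
    return payload


if __name__ == "__main__":
    # Constructed sample: a large TGS reply with a big PAC (1420 bytes of UDP
    # payload, 1448 bytes as a cleartext IP datagram) versus a 1500-byte link.
    for payload in (1380, 1420):
        size = esp_tunnel_size(payload)
        print(f"payload {payload}: ESP packet {size} bytes, "
              f"{fragments_needed(size, 1500)} fragment(s) at MTU 1500")
    print("largest payload that fits unfragmented at MTU 1500:",
          max_unfragmented_payload(1500))
```

Any payload above the printed limit is split into two ESP fragments, which is exactly the traffic a device that drops fragmented UDP, or that cannot reorder fragment #2 before #1, will discard.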