Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ipsec? Could be a problem?

I have a site to site vpn ipsec tunnel established. I can connect to the server on the other side of the tunnel. When i logon to the domain, logon takes 10 min then times out. I get an error saying that the authenticating server could not establish a secure connection. This is a windows 2000 domain and the clients are windows xp. The first question , can kerberos go through the ipsec tunnel. and if so do i need to make any configurations on my pix. Is there any other configuration that I need to do? This is kind of funny because I can join the domain but not logon to it. I know dns is ok because nslookup says so.

Any thoughts?

Thanks in advance

2 REPLIES
New Member

Re: ipsec? Could be a problem?

This could be a fragmentation problem. Kerberos traffic normally use UDP, and sometimes when logging in with a user that holds a lot of rights in the AD or doing a lot of AD or Exchange replications the packets can get near 1500 bytes.

When adding encryption portions to the packets some times it can have to be fragmented.

As some equipment (some routers...) does not allow for fragmented UDP packets to pass, they will simply drop those packets.

Another scenario would be if the receiving equipment receives the fragmented UDP packet #2 before #1. It would then also drop the packets.

The soloution would be one of the following:

Lower the MTU of the outside interface (1400 or lower)

Change the MTU of the NICS in your DC.

Change Kerberos to use TCP instead of UDP.

Here are some links to check:

Ports that need to be open for AD-replication

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Some other information:

Q224196 Restricting Active Directory Replication Traffic to a Port

http://support.microsoft.com/support/kb/Articles/q224/1/96.asp

Q233256 How to Enable IPSec Traffic Through a Firewall

http://support.microsoft.com/support/kb/Articles/q233/2/56.asp

Q254728 IPSec Does Not Secure Kerberos Traffic Between DCs

http://support.microsoft.com/support/kb/Articles/q254/7/28.asp

Hope this helps

//Tomas

New Member

Re: ipsec? Could be a problem?

It's difficult to suggest a solution when the problem isn't clear... Try running some debugs on the routers or firewalls in your network. The output from will help determine the problem.

cheers,

robert

82
Views
0
Helpful
2
Replies
CreatePlease login to create content