IPSEC VPN traffic between 1721 and 1711 limited to pinging

stmauldin
Level 1

I have tried various MTU and tcp mss settings, adding/taking away the 'crypto ipsec df-bit clear', etc, etc ... but always get the same results - can only ping between the two sites. Both sites have dsl connections. At a minimum, I would like for active directory traffic to pass between the sites, and to be able to use Remote Desktop. At present the Path MTU is only showing 234. The VPN appears to otherwise be working properly. The configs (attached) are primarily SDM generated so any suggestions on improving them would be greatly appreciated.

Thanks!

7 Replies

spremkumar
Level 9

Hi

Can you change the MTU to 1452 instead of the current MTU size and check?

If that doesn't work, try with 1452 and nothing specifying the TCP MSS size.

regds

Hi, and thanks for reply.

No noticeable difference when I used an mtu of 1452 and tcp mss of 1412, or when I used mtu of 1452 and no specified tcp mss.

The 'show crypto ipsec sa' still shows the path mtu to be 234, which makes me think my configuration is skewed in one way or another.

Another note is that when I ping an IP at the remote site using -f -l 1452, it returns Request timed out. The largest packet that will ping without timing out is 148 bytes...

Any other suggestions?

Thanks

Hi, again...

In doing some more troubleshooting, I have found that I can NOT ping from the routers (i.e. in a telnet session) to the remote sites, but yet when I ping the remote sites from a workstation, it works. The cause of this is probably at the root of the problem.

Hopefully this gives someone an idea of why it's not working.

Any suggestions would be greatly appreciated.

Thanks

jskochan
Level 1

I had the same problem once before on a 1721 to 3015. All I had to do was set the MTU size to 1000 and everything started to work just fine. Don't really know what you use to set the MTU sizes, but I use the utility that comes with the Cisco VPN Client; it works well.

Let me know if it helps

Jeff

Thanks, but configuring each of the dialer0 interfaces with an MTU of 1000 didn't appear to change anything.

I find it interesting that even when they are configured with a 1000 mtu and 960 tcp mss, I can still successfully ping the 1721 from a remote workstation (command prompt) with... 1424 bytes... if I remove the 'crypto ipsec df-bit clear' I get 'Request timed out.' until I get down to 148 bytes.

And from the other end, I can successfully ping the 1711 from a remote workstation... with 1472 bytes (why would it be higher?)... however when I remove the 'crypto ipsec df-bit clear' I still get 'Request timed out.' until I get down to 148 bytes.

Regardless of the mtu settings, I still can't ping the peer router from a telnet session - pinging the peer router from a remote workstation still works.

Is there anything in the configs that I have overlooked that might possibly be causing the problem?

Thanks for looking.

rgds

hi

Did you try an extended ping from the telnet session using your Ethernet (LAN) IP as the source and the remote end LAN IP as the destination?

regds

Hi, thanks for catching that. No, I was overlooking the source IP. Pinging from the router is successful.

So now I'm back to the original problem: I can ping all hosts from either side of the site-to-site VPN, but Active Directory, Remote Desktop, etc. do not work, and lowering the MTU and TCP MSS has no apparent effect.

Should I be concerned about the path MTU being at 234 bytes?

What I don't understand is how can I get a 1472 byte "do not fragment" packet over the vpn when the media mtu is set at 1000 bytes and the path mtu is supposedly at 234 bytes?

I appreciate everyone's input.
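The DF-bit ping sweeps in this thread can be done systematically rather than by hand. The script below is an added example and is not part of the thread or any Cisco tool; it binary-searches the largest "do not fragment" ping payload that still gets a reply and converts that into a path MTU and a matching TCP MSS. The arithmetic it relies on is fixed by the protocols: Windows `ping -f -l N` (Linux `ping -M do -s N`) sends N data bytes, so the on-wire IPv4 packet is N + 28 bytes (20-byte IP header plus 8-byte ICMP header), and a TCP MSS that fits one packet is MTU - 40 (20-byte IP plus 20-byte TCP header). That is why a 1424-byte payload corresponds to a 1452-byte packet, 1472 corresponds to 1500, and 148 corresponds to 176, and why 1452 pairs with an MSS of 1412. The probe is pluggable: `simulated_probe` is a constructed stand-in for a real path so the search runs offline, and `os_ping_probe` is a hypothetical helper that shells out to the OS ping against whatever LAN address you choose.

```python
"""Added example: locate the path MTU with DF-bit pings (not from the original thread)."""
import platform
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)


def icmp_packet_size(payload: int) -> int:
    """On-wire IPv4 size of a ping that carries `payload` data bytes."""
    return payload + IP_ICMP_OVERHEAD


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits in a single packet of the given MTU (no IP/TCP options)."""
    return mtu - IP_TCP_OVERHEAD


def find_max_df_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() reports an echo reply.

    Assumes the path is monotonic: if a size passes, every smaller size passes.
    Returns -1 if even `lo` gets no reply (the tunnel is not passing DF traffic at all).
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, search upward
        else:
            hi = mid - 1      # mid dropped, search downward
    return lo


def path_summary(probe: Callable[[int], bool]) -> dict:
    """Run the sweep and report the path MTU and a TCP MSS that matches it."""
    payload = find_max_df_payload(probe)
    if payload < 0:
        return {"max_payload": -1, "path_mtu": None, "suggested_mss": None}
    mtu = icmp_packet_size(payload)
    return {"max_payload": payload, "path_mtu": mtu, "suggested_mss": mss_for_mtu(mtu)}


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: DF packets larger than path_mtu are dropped."""
    return lambda payload: icmp_packet_size(payload) <= path_mtu


def os_ping_probe(host: str) -> Callable[[int], bool]:
    """Hypothetical helper: probe a real path by shelling out to the OS ping with DF set."""
    def probe(payload: int) -> bool:
        if platform.system() == "Windows":
            cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
        else:
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
        result = subprocess.run(cmd, capture_output=True, text=True)
        out = result.stdout
        # Windows ping can exit 0 on "Request timed out" / "needs to be fragmented",
        # so require an actual reply line (which carries a TTL) as well as exit 0.
        return result.returncode == 0 and ("TTL=" in out or "ttl=" in out)
    return probe


if __name__ == "__main__":
    # Offline demonstration against a constructed 1452-byte path.
    print(path_summary(simulated_probe(1452)))
    # Against a real tunnel you would instead pass os_ping_probe("<remote LAN host>").
```

If `find_max_df_payload` returns -1 against a real tunnel while ordinary pings succeed, the DF bit itself is being rejected somewhere on the path, which matches the thread's observation that removing `crypto ipsec df-bit clear` makes only small pings go through.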
