
Lan to Lan VPN issues

dpatkins
Level 1

Good morning,

We are using a Cisco 3002 Hardware client over Time Warner going to a Cisco 3060 VPN concentrator. We can ping, traceroute and even connect to other shares, however, we have issues joining the domain. Also, we can gain access to outside the domain web page, but we cannot "web" into our local servers. Here is our fix for this: Install the Cisco VPN client. You do not have to VPN in to the network, but there is something within the client that kicks the NIC or awakens NetBIOS or something along those lines. Does anybody have any idea what would be causing this?

Thanks

Dwane

7 Replies

mheusinger
Level 10

Hi,

the Cisco VPN client does reduce the NIC MTU to 1300 bytes and thus avoids MTU related issues in conjunction with IPSec VPNs.

The symptoms described can be explained by clients/server sending IP packets with DF bit set. The additional IPSec headers might just lead to IP packet sizes larger than MTU and as no fragmentation is allowed, those packets are dropped, resulting in connectivity issues.

You could also use freeware tools like DrTCP (-> Google) to lower the MTU on the client PCs. It does modify the right MS registry settings and is easy to use.

Hope this helps! Please rate all posts.

Regards, Martin
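
One way to test the MTU explanation above from a PC behind the 3002, as an added example (not part of the thread and not any poster's code): it binary-searches for the largest ping that gets through the tunnel with the DF bit set. The function names, the 548 to 1472 byte search range and the target host passed on the command line are assumptions.

```python
import platform
import subprocess
import sys

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload, timeout_s=2):
    """Send one echo request of `payload` bytes with DF set; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1",
               "-w", str(timeout_s * 1000), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1",
               "-W", str(timeout_s), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    # Windows ping can exit 0 on "unreachable" lines, so also require
    # the TTL field that only a real echo reply carries.
    return result.returncode == 0 and "ttl=" in result.stdout.lower()


def find_path_mtu(probe, low=548, high=1472):
    """Largest IP packet size that passes with DF set, or None if even `low` fails.

    `probe(payload)` must return True when a DF ping of that payload is answered.
    Payloads 548..1472 correspond to IP packets of 576..1500 bytes.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits, search larger sizes
        else:
            high = mid - 1     # mid was dropped, search smaller sizes
    return low + IP_ICMP_HEADERS


if __name__ == "__main__":
    target = sys.argv[1]  # assumption: an internal server reached through the tunnel
    mtu = find_path_mtu(lambda size: ping_df(target, size))
    if mtu is None:
        print("No DF ping got through; check basic reachability first.")
    elif mtu < 1500:
        print(f"Path MTU to {target} is {mtu}: full-size DF packets are being dropped.")
    else:
        print(f"Path MTU to {target} is 1500: MTU is not the limiting factor.")
```

Running it once over the Road Runner link and once over a DSL link gives a direct comparison of the two paths.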

Martin,

Thank you for your input. I was hoping I explained this better. Cisco 3002 hardware client connected to a Cisco VPN 3060. Personnel behind the hardware client receive their DHCP address and can do most layer 3 activities, ping and what not to our base network. However, when desktop support goes to join the domain, they are unable to. Also, the personnel cannot connect to web pages inside our network. Outside is just fine. When the Cisco VPN client is installed, installed and not initiated, both of these processes start working. I am thinking it may be a WINS issue, but I am not in these remote locations at this point and would like to take with me an idea. Now, the MTU idea is a good one, but why would outside connectivity work and not on the local domain? This is weird and seems to happen on the Road Runner connections we have and not our DSL LAN to LAN lines.

Thank you all.

Dwane

Hi

I must agree with mheusinger, this looks like an MTU issue. Try sending ping and add the option -l (size). Are you doing split tunneling? This might explain the outside connectivity. For the Windows domain...looks like the good old

No split tunneling. It goes user -> VPN 3002 Hardware Client -> TW Road Runner network -> Cisco VPN 3060. No split tunneling at all. These folks have to traverse our network to get outside. Weird. And we are trying not to have to load the Cisco VPN client 4.0.4 on the desktops located on the network behind the 3002. This is weird and it doesn't do this with SBC DSL. Only with our Time Warner connections.

Dwane

Also, can you explain the "old Kerberos over UDP" problem?

dennis
Level 1

Hope you have figured this out by now but if not here is my 2 cents worth. I think this is an MTU issue also. When you install the VPN client the MTU of the interfaces is set from the default to 1350. This is most likely what is happening to fix the problem by only installing the client. You can test this by simply changing the MTU on a system manually (you can copy the SetMTU utility from a system with the client installed).

Thank you. This was resolved when I upgraded to 4.7.2J on both the concentrator and the hardware client.

Thank you