NetBIOS doesn't work in a site-to-site VPN

daphnesrl
Level 1

Hi, I have implemented a site-to-site VPN with 871 routers in each site. I have the tunnel UP and I can ping any host in each LAN, but I can't copy files from my server W2003 in one LAN to my WS in the other LAN. When accessing a remote file, the network connection hangs.

Here are configs:

ROUTER A

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address 192.168.3.3
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CRYPTO_MAP_X 1 ipsec-isakmp
 description
 set peer 192.168.3.3
 set transform-set ESP-3DES-SHA
 match address 100
interface Vlan1
 ip address 172.10.10.9 255.255.255.0
interface Vlan2
 ip address 192.168.3.4 255.255.255.0
 crypto map CRYPTO_MAP_X
access-list 100 permit ip 172.10.10.0 0.0.0.255 172.10.12.0 0.0.0.255

ROUTER B

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address 192.168.3.4
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CRYPTO_MAP_X 1 ipsec-isakmp
 description
 set peer 192.168.3.4
 set transform-set ESP-3DES-SHA
 match address 100
interface Vlan1
 ip address 172.10.12.9 255.255.255.0
interface Vlan2
 ip address 192.168.3.3 255.255.255.0
 crypto map CRYPTO_MAP_X
access-list 100 permit ip 172.10.12.0 0.0.0.255 172.10.10.0 0.0.0.255

Can anyone help me??


aacole
Level 5

Can you ping from the server to the WS across the tunnel?

What OS have you got running on the WS?

Andy

From the statement in the original post that he can ping any host I do not believe that it is a basic IP connectivity issue. I suspect that the extra headers that IPSec adds are producing oversize packets. Ping with a smaller packet works ok but a file transfer which probably uses max size frames may have a problem.

I suggest that you add this command to the interface where users are connected:

ip tcp adjust-mss 1370

This will force the end stations to negotiate smaller max size frames and may resolve the problem. Try it and let us know how it works.

HTH

Rick
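
The size arithmetic behind the reply above, as an added example that is not part of the original thread: it computes the ESP tunnel-mode overhead for the transform set in the posted configs (esp-3des esp-sha-hmac) and the largest TCP MSS that still fits. It assumes a 1500-byte path MTU between the two peers, IPv4 and TCP headers without options, and no NAT-T; none of these are stated in the thread.

```python
# Added example (not from the thread): ESP tunnel-mode sizes for
# "esp-3des esp-sha-hmac". Assumes IPv4 without options and no NAT-T.

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_3DES = 8        # 3DES-CBC initialisation vector (one cipher block)
BLOCK_3DES = 8     # plaintext is padded to a multiple of the block size
ESP_TRAILER = 2    # pad length (1) + next header (1), encrypted with payload
ICV_SHA1_96 = 12   # HMAC-SHA-1-96 integrity check value
INNER_HDRS = 40    # inner IPv4 (20) + TCP (20)
FIXED = OUTER_IP + ESP_HDR + IV_3DES + ICV_SHA1_96


def esp_packet_size(inner_len):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP."""
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // BLOCK_3DES) * BLOCK_3DES  # round up to a block
    return FIXED + padded


def max_inner_packet(path_mtu):
    """Largest inner IP packet whose ESP form still fits in path_mtu."""
    room = path_mtu - FIXED
    return (room // BLOCK_3DES) * BLOCK_3DES - ESP_TRAILER


def max_mss(path_mtu):
    """Largest TCP MSS that never produces an oversize ESP packet."""
    return max_inner_packet(path_mtu) - INNER_HDRS


if __name__ == "__main__":
    mtu = 1500  # assumed path MTU between the two routers
    cases = [
        ("small ping (60-byte IP packet)", 60),
        ("full-size TCP segment, MSS 1460", 1460 + INNER_HDRS),
        ("host MTU lowered to 1440", 1440),
        ("ip tcp adjust-mss 1370", 1370 + INNER_HDRS),
    ]
    for label, inner in cases:
        wire = esp_packet_size(inner)
        verdict = "fits" if wire <= mtu else "exceeds MTU by %d" % (wire - mtu)
        print("%-34s inner=%4d  esp=%4d  %s" % (label, inner, wire, verdict))
    print("largest safe MSS at MTU %d: %d" % (mtu, max_mss(mtu)))
```

Under these assumptions a full-size segment grows to 1552 bytes, while both the 1440-byte host MTU and the 1370-byte MSS clamp stay under 1500, which matches what the thread reports.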

Rick, I think you are right. I solved the problem using mtu 1440 on the interface where users are connected, but I was forced to reconfigure all hosts in my LAN.

I'm gonna try your solution. Then I'll let you know.

Thanks!!!!!!

Willy

Rick, the command ip tcp adjust-mss 1370 solved the issue. Now I can reach my W2000 server resources behind the tunnel without any problem.

Thank you very much!!!!!!!!

Guillermo

I am glad that we were able to solve your problem.

Thanks for posting to the forum indicating what the solution was. It makes the forum more useful when people do post indicating that there was a solution and what the solution was.

HTH

Rick