Silver

one application problem with site2site vpn

hello

we have hub and spoke MPLS network connecting HO to remote sites.

in each site one cisco router (3800 in HO and 1800 in remote) connects the LAN to the MPLS network.

we activated IPsec between these routers.

it was working fine for some period, then one day, one oracle application began to hang. all other applications are working fine. we can also ping this server from everywhere.

if we remove crypto map, the oracle application works correctly.

using sniffer we can see that the connection is established correctly, then in data transfer, the client said it is waiting for sequence nbr 1234 (for example). on the server side we can see that the server has sent this seq, but the client did not receive it.

so why does the HO router fail to send these TCP sequences correctly?

any idea?

thx

4 REPLIES

Re: one application problem with site2site vpn

Have you checked your MTUs? Oracle could be fussy about fragmented packets.

New Member

Re: one application problem with site2site vpn

Hi,

Another idea,

try to deactivate the randomization of Initial Sequence Number for this traffic.

through the static NAT of the Oracle server if it exists or through MPF.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Hope this helps.

Silver

Re: one application problem with site2site vpn

hi collin

i also feel it is related to MTU issue. but i have no idea how to troubleshoot this kind of problems.

should i configure a new MTU and how to find the best value?

thanks

Silver

Re: one application problem with site2site vpn

indeed i found the router needs to fragment the packet but DF is set. so using route map i let DF = 0.

and that's solved the problem
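For readers asking the same "how to find the best value" question, here is an added example (not part of the thread) that works out the ESP tunnel-mode overhead and models, in simplified form, what a router does with an oversized packet depending on the DF bit. The transform sets, the 1500-byte link MTU, IPv4 and the absence of NAT-T are assumptions; the thread does not state them.

```python
"""ESP tunnel-mode size arithmetic for the MTU/DF problem in this thread.

Assumptions (not stated in the thread): IPv4, ESP tunnel mode, no NAT-T,
a 1500-byte link MTU, and the transform sets listed in TRANSFORMS.
"""

OUTER_IP = 20      # new IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes

# transform set -> (IV bytes, cipher block bytes, ICV bytes)
TRANSFORMS = {
    "esp-aes esp-sha-hmac": (16, 16, 12),
    "esp-3des esp-sha-hmac": (8, 8, 12),
}

def esp_packet_size(inner_len, transform):
    """Size on the wire of an inner IP packet after ESP tunnel encapsulation."""
    iv, block, icv = TRANSFORMS[transform]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HEADER + iv + padded + icv

def max_inner_packet(link_mtu, transform):
    """Largest inner IP packet whose encrypted form still fits link_mtu."""
    size = link_mtu
    while size > 0 and esp_packet_size(size, transform) > link_mtu:
        size -= 1
    return size

def router_action(inner_len, df_set, link_mtu, transform):
    """Simplified model of one packet entering the tunnel."""
    if esp_packet_size(inner_len, transform) <= link_mtu:
        return "forward"
    # Too big once encrypted: DF decides between dropping and fragmenting.
    return "drop, send ICMP fragmentation-needed" if df_set else "fragment"

if __name__ == "__main__":
    for name in TRANSFORMS:
        limit = max_inner_packet(1500, name)
        # 40 = inner IPv4 header (20) + TCP header without options (20)
        print(f"{name}: max inner packet {limit}, TCP MSS {limit - 40}")
        for length in (limit, 1500):
            for df in (True, False):
                print(f"  len={length} DF={int(df)} ->",
                      router_action(length, df, 1500, name))
```

Small packets such as ping and the TCP handshake fit under the limit and are forwarded, while full-size data segments with DF set are dropped, which matches the symptom described in the first post.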
