
Site-to-site IPSec VPN

Hi,

We have a unique problem with one of our VPN field office setups. The VPN tunnel seemed to be working perfectly, but applications such as HTTP, SMTP and others don't work.

Firewall policies between sites are properly configured and do not filter these applications.

The field office has a 128 kbps DSL connection to the internet, whereas HQ has a dual DS3.

For the most part the problem was that the web content would not display in IE. The web server is pingable and DNS is resolving properly. In the case of SMTP, replication does not go through between mail servers located on both sides, but again both are pingable to each other.

We are running out of ideas and running out of time resolving the problem. Anything that could help will be much appreciated.

Thanks!

Jonathan


Re: Site-to-site IPSec VPN

Hi Jonathan,

This sounds strangely familiar to a problem that I encountered in our development lab. We had two offices in different cities connected via two PIX-501s.

In our case, both sides used DSL connections, but from different providers.

We had problems with various applications, but the one that stuck out was web-based apps not working.

We ended up adjusting the MTU size downwards until we hit a sweet spot.

Off the top of my head, there was an article on DSLreports.com, and I believe an article on Cisco that provided background to this issue.

In a nutshell, packets routing across the VPN incur some overhead, and the default MTU size of 1492 bytes (1500 - 8 bytes for the TCP/IP header) resulted in fragmented packets. The issue is often encountered in DSL installations.

We used Dr.TCP to adjust the MTU size on the Windows boxes, but if you use the Cisco VPN client, it also allows you to adjust the MTU size.

You also need to set the MTU size on your routers.

Hope it helps!

Geoff


Re: Site-to-site IPSec VPN

On the outgoing interface, just set ip tcp adjust-mss 1350 and see if it helps. It looks like an MTU issue over the VPN.
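
Added example, not part of the thread or any poster's code: the arithmetic behind both replies, showing why small pings cross the tunnel while full-size TCP segments (MSS 1460) exceed the 1492-byte DSL MTU once ESP overhead is added, and why an MSS of 1350 fits. The transform sets (ESP tunnel mode, AES-CBC or 3DES-CBC with HMAC-SHA1-96) are assumptions; the thread does not say which is configured.

```python
"""ESP tunnel-mode overhead vs. link MTU (added example; transform set is assumed)."""
import math

OUTER_IP = 20      # new IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted with the payload
NAT_T_UDP = 8      # UDP/4500 encapsulation, only when NAT traversal is in use
IP_TCP_HDRS = 40   # inner IPv4 + TCP headers, no options

# (cipher block size, IV size, ICV size) in bytes -- assumed transform sets
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
}

def outer_size(inner_len, transform, nat_t=False):
    """Size on the wire of the ESP packet that carries an inner IP packet."""
    block, iv, icv = TRANSFORMS[transform]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    ciphertext = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + ciphertext + icv

def max_mss(link_mtu, transform, nat_t=False):
    """Largest TCP MSS whose encrypted packet still fits in link_mtu unfragmented."""
    block, iv, icv = TRANSFORMS[transform]
    room = link_mtu - OUTER_IP - (NAT_T_UDP if nat_t else 0) - ESP_HDR - iv - icv
    inner = (room // block) * block - ESP_TRAILER
    return inner - IP_TCP_HDRS

def report(link_mtu, transform, mss_values):
    """Return (mss, outer packet size, fits?) for each candidate MSS."""
    rows = []
    for mss in mss_values:
        outer = outer_size(mss + IP_TCP_HDRS, transform)
        rows.append((mss, outer, outer <= link_mtu))
    return rows

if __name__ == "__main__":
    t = "aes-cbc/hmac-sha1-96"
    print("largest safe MSS on a 1492-byte link:", max_mss(1492, t))
    for mss, outer, ok in report(1492, t, [1460, 1350]):
        print(f"MSS {mss}: ESP packet {outer} bytes -> {'fits' if ok else 'too big'}")
    print("ping (84-byte inner packet):", outer_size(84, t), "bytes")
```
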
