Solved: Re: site2site vpn

ammadshah · ‎07-10-2007

dear all,

i configured a site to site vpn on cisco 1811. i can ping remote network and access its resources.

site A =1811

site B = netscreen

I am facing problem when i access any website at remote.

i can login to website and browse it. but when i submit any form on remote webserver site. i am getting time out

after 2-4 minutes.

Before establishing VPN it was working fine.

then i disabled vpn and it is working.

can any one knows about this problem.

Richard Burts · ‎07-12-2007

Atif

You could attempt to calculate the amount of extra header which is added by VPN. But this will vary depending on the set of options that you choose in VPN. I have found the information to do this calculation difficult to find with precision. I just started experimenting to find a value where things got better and experimented up and down from this value to find the optimum value. For us it works out to be 1375. I suggest that you start with that and try values larger and smaller to find what works best for you.

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎07-10-2007

Ammad

The issue sounds like it might be an issue with MTU. Without VPN the traffic is transmitted ok. But when you add VPN you add extra headers to the IP packet and it may make the packet too large and require fragmentation. But if the IP packet has the Do Not Fragment bit turned on (as many do) then the router can not fragment and must discard the packet.

When I configure VPN I frequently configure ip tcp adjust-mss on the LAN interfaces specifying a value small enough to accommodate the extra header without requiring fragmentation. I frequently specify 1375 but in your situation some other larger value might work. You might experiment and see what value is optimum for you.

HTH

Rick

HTH

Rick

ammadshah · ‎07-11-2007

thanks; it works.

a.shaukat · ‎07-11-2007

a few of my site to site VPNS especially thos on slow DSL are responding quiet slow..

so u thinki should set the ip tcp adjust-mms too ?? how would one calculate what value to set ???

if im usng cisco 877 (that uses vlans to communicate ) can i set this value to the vlan interface ???

thanks..

Richard Burts · ‎07-12-2007

Atif

You could attempt to calculate the amount of extra header which is added by VPN. But this will vary depending on the set of options that you choose in VPN. I have found the information to do this calculation difficult to find with precision. I just started experimenting to find a value where things got better and experimented up and down from this value to find the optimum value. For us it works out to be 1375. I suggest that you start with that and try values larger and smaller to find what works best for you.

HTH

Rick

HTH

Rick

a.shaukat · ‎07-12-2007

Hi Rick..

can you give me a few pointers ??

iv just got to know abt this tcp mss command

im attaching a run config of one of the router (877) we use at the branch size..

it has DSL connection (data circuit only, no internet) of 256Kbps but we are having too much performance issues.. ISP says the Routers DSL config is ok the port might be the problem... thats cause they configured the router themself and i cant seem to trust them :p

Richard Burts · ‎07-13-2007

Atif

I have looked at the config. I see 1 thing that seems odd to me. They have a static default route and a floating static default route which is usually used to back up the primary route:

ip route 0.0.0.0 0.0.0.0 Async1

ip route 0.0.0.0 0.0.0.0 Dialer1 5

But the static default route is to Async1 which is the back up interface and the floating static uses Dialer1 which is the primary interface.

That seems backwards to me. You might ask them about that. But I am not sure that this would cause the problems that you describe.

HTH

Rick

HTH

Rick

esspr2006 · ‎07-10-2007

Do you have a Static NAT on port 80 defined for the Web Server?