Recently I set up a 1721 running IOS c1700-k9o3sy7-mz.122-15.T5.bin
This router terminated a VPN with another router, a 1721 with the exact same IOS version. This router was initially connected via a wireless WAN link out eth0. We moved them on to a t1 as the primary interface with the wireless as a backup. We then had to:
- set up a loopback device - its ip would terminate the vpn
- make the source packets of the vpn come from the loopback
Doing all this we tested the vpns - they worked. Unplugged the t1 connection and traffic moved over to the wireless. We verified vpn clients could connect. Everything worked ok...
Except when moving large files between hosts behind fa0 over the vpn to hosts at the far end. To prove the vpn worked and routing was in place we could telnet from a host behind fa0 over the vpn to a remote host and log in. Then we'd try to ftp some files over. We could connect to the ftp server BUT once a file transfer was started things would hang.
We opened a Cisco tac case and it turned out that adding
ip tcp adjust-mss 1300
to interface fa0 fixed everything - file transfers worked.
My question: why would reduced packet size help? Did the vpn add some packet overhead causing larger packets to be dropped?
A clue was found here BUT this relates to PPPoE - not vpns..
I'm just looking for an explanation as to why this reduced MTU size worked. I would have never figured this out on my own...
Below is the running-config we used. Remember everything worked (switching between WAN links, vpn connectivity, NAT) except file transfers and when large amounts of data were pushed over the pipe, like MS file/print sharing, emails w/ attachments (few hundred k). The only change was one line to the fa0 interface.
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :