VPN using PIX501 and PPPOE

mikeh
Level 1

We are trying to connect a remote site via VPN using a PIX501 (v6.3(3)) over DSL/PPPOE to a VPN3005 at our Data Center. The DSL to the Web is fine and the tunnel to the VPN3005 is established.

We can ping from our servers to the remote site and vice-versa with response times between 70-100ms. We can ping by ip address, or by name so name resolution is working.

However, when we boot a PC at the remote site, anything to do with Windows authentication to our domain servers (at the Data Center) is either very slow, or never happens. Outlook cannot find the Exchange Server, but the PC can ping it. Mapping drives is virtually impossible and browsing is painfully slow (5 minutes or more to authenticate and see the folders).

This all seems to be Microsoft, except.... There is an existing T1 at the remote site which connects to the Data Center via VPN between a 1721/VPN router and a PIX 515 for about a year and is very reliable. Speeds are very good. Bandwidth comparisons to the web at the remote site using either DSL or T1 are nearly identical.

We are disconnecting the 1721 from the LAN at the remote site, and then connecting the 501. The inside of the 501 and the inside of the 1721 are the same IP Address which is also the default gateway for all devices at the remote site. So, from the PC perspective the path to the Data Center is the same default gateway.

We have set the MTU on the PIX 501 as low as 1400, but this does not help. We have configured static DNS and WINS addresses on PCs, but this does not help.

There are NO filters on the VPN3005 related to the VPN connection - AND - we have another 501 connecting to the VPN3005 using the same Base Group and shared key with no problems. That, however, is a cable modem connection in a home office. Other than that, everything else is virtually identical.

We can ping - but applications and authentication go in the tank. I have been working with TAC and they say our PIX config is good. They have us working the Windows end with DNS and WINS.

Anyone have any other thoughts? We are really scratching our heads on this one....

2 Replies

mostiguy
Level 6

Try lowering the MTU on a client machine - sometimes Windows sends out packets with the Don't Fragment bit set, and thus the PIX or something along the path will drop them as they cannot be fragmented.

If outlook cannot find the exchange server, that sounds like WINS/windows name resolution might not be working. How big is this remote site? Do/will you have any servers there?
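One way to test the Don't-Fragment theory from a client at the remote site, as an added example that is not part of this thread: a small Python script that sends DF-flagged pings of increasing size toward a Data Center host and binary-searches the largest IP packet that still gets through. The host address is a placeholder, the per-OS ping flags are assumptions about the local ping binary, and `simulated_path` is a constructed stand-in used only to exercise the search offline.

```python
"""Path-MTU probe for a PPPoE + IPsec path (added example, not from the thread)."""
import platform
import subprocess
import sys
from typing import Callable

IPV4_HEADER = 20    # bytes
ICMP_HEADER = 8     # bytes; ping payload = IP packet size - 28
PPPOE_OVERHEAD = 8  # PPPoE shaves this off Ethernet: link MTU 1492, not 1500

def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request of `payload` bytes with the Don't Fragment bit set.
    Returns True only if a reply came back; a silently dropped probe times out."""
    system = platform.system()
    if system == "Linux":
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    elif system == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    else:  # macOS / BSD ping
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IP packet size (bytes) that crosses the path with DF set.
    `probe(payload)` returns True when an echo of that ICMP payload size is answered.
    `lo` is assumed to pass (576 is the IPv4 minimum every host must accept)."""
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid - IPV4_HEADER - ICMP_HEADER):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best

def tcp_mss_for(path_mtu: int) -> int:
    """TCP MSS that fits the discovered path MTU (IPv4 + TCP headers, no options)."""
    return path_mtu - IPV4_HEADER - 20

def simulated_path(true_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df: a path that drops DF packets larger than true_mtu."""
    return lambda payload: payload + IPV4_HEADER + ICMP_HEADER <= true_mtu

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder Data Center host
    mtu = find_path_mtu(lambda p: ping_df(target, p))
    print(f"path MTU to {target}: {mtu} bytes -> clamp TCP MSS to {tcp_mss_for(mtu)}")
```

A result well below the MTU configured on the PIX means DF packets are being dropped somewhere along the path without an ICMP "fragmentation needed" message reaching the client, which is exactly the failure the reply describes. Clamping the TCP MSS to the returned value on the firewall (`sysopt connection tcpmss` on PIX 6.x) stops TCP sessions from depending on that ICMP feedback.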

Thanks for your thoughts. I'll look into changing the MTU on the client computers.

The site is small with about 4 client PCs and one member server (W2K). The server is statically configured but does issue DHCP settings to the clients.

Outlook connects fine when we use the T1 instead of DSL. Things like that are what make me believe the MTU-type issue is the culprit and not name resolution. (But I'm not ruling anything out just yet)

Thanks again!
