Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN using PIX501 and PPPOE

We are trying to connect a remote site via VPN using a PIX501 (v6.3(3)) over DSL/PPPOE to a VPN3005 at our Data Center. The DSL to the Web is fine and the tunnel to the VPN3005 is established.

We can ping from our servers to the remote site and vice-versa with response times between 70-100ms. We can ping by ip address, or by name so name resolution is working.

However, when we boot a PC at the remote site, anything to do with Windows authentication to our domain servers (at the Data Center) is either very slow, or never happens. Outlook cannot find the Exchange Server, but the PC can ping it. Mapping drives is virtually impossible and browsing is painfully slow (5 minutes or more to authenticate and see the folders).

This all seems to be Microsoft, except.... There is an existing T1 at the remote site which connects to the Data Center via VPN between a 1721/VPN router and a PIX 515 for about a year and is very reliable. Speeds are very good. Bandwidth comparisons to the web at the remote site using either DSL or T1 are nearly identical.

We are disconnecting the 1721 from the LAN at the remote site, and then connecting the 501. The inside of the 501 and the inside of the 1721 are the same IP Address which is also the default gateway for all devices at the remote site. So, from the PC perspective the path to the Data Center is the same default gateway.

We have set the MTU on the PIX 501 as low as 1400, but this does not help. We have configured static DNS and WINS addresses on PCs, but this does not help.

There are NO filters on the VPN3005 related to the VPN connection - AND - we have another 501 connecting to the VPN3005 using the same Base Group and shared key with no problems. That, however, is a cable modem connection in a home office. Other than that, everything else is virtually identical.

We can ping - but applications and authentication goes in the tank. I have been working with TAC and they say our PIX config is good. They have us working the Windows end with DNS and WINS.

Anyone have any other thoughts? We are really scratching our heads on this one....

2 REPLIES
Silver

Re: VPN using PIX501 and PPPOE

Trying lowering the MTU on a client machine - sometimes windows sends out packets with the Dont Fragment bit set, and thus the PIX or something along the path will drop them as they cannot be fragmented.

If outlook cannot find the exchange server, that sounds like WINS/windows name resolution might not be working. How big is this remote site? Do/will you have any servers there?

New Member

Re: VPN using PIX501 and PPPOE

Thanks for your thoughts. I'll look into changing the MTU on the client computers.

The site is small with about 4 client PCs and one member server (W2K). The server is statically configured but does issue DHCP settings to the clients.

Outlook connects fine when we use the T1 instead of DSL. Things like that are what make me believe the MTU-type issue is the culprit and not name resolution. (But I'm not ruling anything out just yet)

Thanks again!

185
Views
0
Helpful
2
Replies