We are trying to connect a remote site via VPN using a PIX501 (v6.3(3)) over DSL/PPPOE to a VPN3005 at our Data Center. The DSL to the Web is fine and the tunnel to the VPN3005 is established.
We can ping from our servers to the remote site and vice-versa with response times between 70-100ms. We can ping by IP address, or by name, so name resolution is working.
However, when we boot a PC at the remote site, anything to do with Windows authentication to our domain servers (at the Data Center) is either very slow, or never happens. Outlook cannot find the Exchange Server, but the PC can ping it. Mapping drives is virtually impossible and browsing is painfully slow (5 minutes or more to authenticate and see the folders).
This all seems to be Microsoft, except.... There is an existing T1 at the remote site which connects to the Data Center via VPN between a 1721/VPN router and a PIX 515 for about a year and is very reliable. Speeds are very good. Bandwidth comparisons to the web at the remote site using either DSL or T1 are nearly identical.
We are disconnecting the 1721 from the LAN at the remote site, and then connecting the 501. The inside of the 501 and the inside of the 1721 are the same IP Address which is also the default gateway for all devices at the remote site. So, from the PC perspective the path to the Data Center is the same default gateway.
We have set the MTU on the PIX 501 as low as 1400, but this does not help. We have configured static DNS and WINS addresses on PCs, but this does not help.
There are NO filters on the VPN3005 related to the VPN connection - AND - we have another 501 connecting to the VPN3005 using the same Base Group and shared key with no problems. That, however, is a cable modem connection in a home office. Other than that, everything else is virtually identical.
We can ping - but applications and authentication go in the tank. I have been working with TAC and they say our PIX config is good. They have us working the Windows end with DNS and WINS.
Anyone have any other thoughts? We are really scratching our heads on this one....
Try lowering the MTU on a client machine - sometimes Windows sends out packets with the Don't Fragment bit set, and thus the PIX or something along the path will drop them as they cannot be fragmented.
If Outlook cannot find the Exchange server, that sounds like WINS/Windows name resolution might not be working. How big is this remote site? Do/will you have any servers there?
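Following the MTU / Don't Fragment suggestion above, here is an added example (not from this thread) that works out the size budget for an ESP tunnel-mode packet carried over PPPoE DSL, so you can see which DF-set packets will be dropped and which ping payload and TCP MSS sizes to test with. The transform parameters (3DES or AES-128 in CBC mode with a 12-byte SHA-1 HMAC trailer), tunnel mode and the 8-byte PPPoE overhead are assumptions; substitute the tunnel's actual crypto settings.

```python
# Added example: size budget for IPsec ESP (tunnel mode) over PPPoE DSL.
# Tells you the largest inner packet that fits without outer fragmentation,
# hence the largest DF ping and the TCP MSS clients should use.
from dataclasses import dataclass

PPPOE_OVERHEAD = 8     # PPPoE header (6) + PPP protocol field (2): 1500 -> 1492 usable
OUTER_IP_HDR = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
IP_HDR, TCP_HDR, ICMP_HDR = 20, 20, 8

@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int        # CBC IV carried at the start of the ESP payload
    block: int         # cipher block size; payload + trailer is padded to a multiple
    icv_len: int       # truncated HMAC trailer

# Assumed transform sets; adjust to the tunnel's real crypto map.
TRIPLE_DES_SHA = EspProfile("esp-3des esp-sha-hmac", iv_len=8, block=8, icv_len=12)
AES128_SHA = EspProfile("esp-aes esp-sha-hmac", iv_len=16, block=16, icv_len=12)

def esp_overhead(inner_len: int, prof: EspProfile) -> int:
    """Bytes ESP wraps around an inner IP packet of inner_len bytes, padding included."""
    pad = (-(inner_len + ESP_TRAILER)) % prof.block
    return ESP_HDR + prof.iv_len + pad + ESP_TRAILER + prof.icv_len

def encapsulated_size(inner_len: int, prof: EspProfile) -> int:
    """Size of the outer packet that actually leaves the DSL interface."""
    return OUTER_IP_HDR + inner_len + esp_overhead(inner_len, prof)

def max_inner_packet(link_mtu: int, prof: EspProfile, pppoe: bool = True) -> int:
    """Largest inner packet that crosses the tunnel without outer fragmentation."""
    budget = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    size = budget
    while encapsulated_size(size, prof) > budget:  # padding is step-wise, so search down
        size -= 1
    return size

def tcp_mss_clamp(link_mtu: int, prof: EspProfile, pppoe: bool = True) -> int:
    """MSS a client should advertise so that full-size DF segments still fit."""
    return max_inner_packet(link_mtu, prof, pppoe) - IP_HDR - TCP_HDR

def max_ping_payload(link_mtu: int, prof: EspProfile, pppoe: bool = True) -> int:
    """Largest ICMP data size a DF ping can carry before the tunnel has to drop it."""
    return max_inner_packet(link_mtu, prof, pppoe) - IP_HDR - ICMP_HDR

if __name__ == "__main__":
    for prof in (TRIPLE_DES_SHA, AES128_SHA):
        print(prof.name, "max inner:", max_inner_packet(1500, prof),
              "mss:", tcp_mss_clamp(1500, prof), "ping data:", max_ping_payload(1500, prof))
```

Call the functions with pppoe=False to get the figures for a plain Ethernet uplink such as the cable-modem site mentioned in the question.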