VPN3000 and Don't Fragment bit set in 1500-byte packets
I have a problem resolving the following situation: there is a W2K application server (WEB site) on the internal network. A VPN remote user connects to the VPN3030 concentrator and goes to the WEB site. The WEB site replies with 1500-byte packets (MTU) and, since it is Windows, sets the DF bit. These packets are too big for the VPN3030 to put into the IPSec tunnel (IPSec has about 60 bytes of overhead); it cannot fragment them because of DF, it cannot clear the DF bit (IOS routers can do it now), and it does not send an ICMP unreachable towards the WEB server to trigger the MTU discovery process on it.
W2K has a feature called "black hole" detection for situations exactly like this, where W2K monitors TCP retransmissions to realize that 1500 bytes is too big, but this feature does not work. So the only option left is to disable MTU Discovery in the registry of the WEB server, which clears the DF bit and sets the MTU to 576 bytes. It works for one to ten servers, but what if there are a lot more?
Did anyone have the same problem with the VPN3000 (SW 3.5.2), and how could it be fixed?
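As an added example that is not part of the original post: the Python below models the size inflation the question describes, that is, what a 1500-byte inner packet becomes after ESP tunnel-mode encapsulation, and what a gateway must do with it when DF is set. The transform choices (3DES-CBC with HMAC-SHA1-96 by default, AES-CBC as an alternative) and the IPv4 outer header are assumptions; the concentrator itself is not modelled beyond that arithmetic. The `forward()` decision follows RFC 1191 behaviour (drop and report the largest inner size that fits), which is exactly the ICMP the poster says the concentrator does not send.

```python
# Added example, not the original poster's code. Models ESP tunnel-mode
# encapsulation overhead and the DF/PMTUD decision at a VPN gateway.
# Cipher, MAC and IPv4-outer-header choices are assumptions.

IP_HDR = 20          # outer IPv4 header added in tunnel mode
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# (IV length, cipher block size) for two common ESP transforms (assumed)
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
# ICV length for common truncated-HMAC ESP authenticators (assumed)
AUTH = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
}


def esp_tunnel_size(inner_len, cipher="3des-cbc", auth="hmac-sha1-96"):
    """Wire size of an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation with an IPv4 outer header."""
    iv_len, block = CIPHERS[cipher]
    icv_len = AUTH[auth]
    # Inner packet + ESP trailer is padded up to the cipher block size.
    plain = inner_len + ESP_TRAILER
    pad = (-plain) % block
    return IP_HDR + ESP_HDR + iv_len + plain + pad + icv_len


def max_inner_len(outer_mtu=1500, cipher="3des-cbc", auth="hmac-sha1-96"):
    """Largest inner IP packet whose encapsulation still fits outer_mtu."""
    n = outer_mtu
    while esp_tunnel_size(n, cipher, auth) > outer_mtu:
        n -= 1
    return n


def forward(inner_len, df, outer_mtu=1500, cipher="3des-cbc", auth="hmac-sha1-96"):
    """What a gateway does with an inner packet it must encapsulate.

    Returns (action, detail): ("forward", wire_size) when it fits,
    ("fragment_outer", wire_size) when it does not fit and DF is clear,
    ("drop_icmp_frag_needed", next_hop_mtu) when DF is set, where
    next_hop_mtu is the value an RFC 1191 gateway would report so the
    sender's PMTUD can shrink its segments.
    """
    outer = esp_tunnel_size(inner_len, cipher, auth)
    if outer <= outer_mtu:
        return ("forward", outer)
    if df:
        return ("drop_icmp_frag_needed", max_inner_len(outer_mtu, cipher, auth))
    return ("fragment_outer", outer)


def tcp_mss_for(inner_mtu):
    """MSS a host should use so IPv4 (20) + TCP (20) + data fits inner_mtu."""
    return inner_mtu - 20 - 20


if __name__ == "__main__":
    # The situation in the post: 1500-byte packets with DF set.
    print("1500-byte inner packet on the wire:", esp_tunnel_size(1500))
    print("gateway action with DF set:", forward(1500, df=True))
    print("gateway action with DF clear:", forward(1500, df=False))
    # The poster's workaround: PMTUD off, so the host sends 576-byte packets.
    print("576-byte inner packet:", forward(576, df=True))
    # The value PMTUD would have converged on, had the ICMP been delivered.
    print("largest inner packet that fits:", max_inner_len(),
          "-> TCP MSS", tcp_mss_for(max_inner_len()))
```

Running it shows why the poster sees a black hole: a 1500-byte inner packet becomes 1552 bytes with 3DES/SHA-1 (1560 with AES), so with DF set the only standards-conformant options are to fragment after encapsulation or to send the ICMP "fragmentation needed" that would let the server back off to 1446-byte packets (MSS 1406) instead of the blanket 576 bytes its registry workaround imposes.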