769 Views | 0 Helpful | 6 Replies

Crazy VPN Troubles

sirmystic (Level 1)

I have a client with 3 locations, each set up with a Cisco RVS4000. The routers connect fine and everyone can get to the internet. I have a VPN tunnel created between all 3 sites.

If I try to ping any address on any device at any location, I get a successful reply. I can be at any location and ping any device successfully. So it appears the VPNs are connected properly. (If I look at the routers, they also say the tunnels are up.)

Here's where the problem is....

If I am at Location A, I can browse PCs and anything I want at Location B. Same vice versa: if I'm standing at Location B, I can browse to Location A. If I go to Location C, although I can still ping devices in other locations, if I try to browse PCs or if I try to access any web management tool, it times out and does not work. This is whether I am trying to access the router web management tool or a phone system web management tool. If I am at either Location A or B, I cannot browse to the web management tools at Location C.

A few details and things we've tried.

An RDP session to or from Location C works fine through the VPN.

A test VPN directly to Cisco produced the same results, but confirmed RDP works.

I have tried a new router in Location C.

I then took the old router from Location C and confirmed that, if moved to Location B, it acts perfectly, just like the original at Location B.

I have done firmware upgrades

I have contacted the ISP, not much help.

They asked if I can test the throughput of the VPN tunnel to see if all ports are being forwarded. Any idea how to do this? It seems like a good test, but I don't know of a utility to test it.

6 Replies

Hi Brian,

Since the ping is successful from any location to any location, the tunnel must be up and fine on all 3 (A, B, C) routers. So it is neither a firmware nor a hardware issue, at least that's the way it looks to me. I think there is an MTU/MSS issue.

If you ping from Location C to, say, Location B with the Don't-Fragment bit set and the length set to 1460 (keep decrementing by 10) till it succeeds, what is the length at which the ping succeeds?

(The ping command from Windows would be: ping -f -l 1460 )

Check this link for more info:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

I would take that value and set it as the MTU on the internal LAN interface and a 40-byte lesser MSS value on the same interface. So:

interface
   ip mtu 1400
   ip tcp adjust-mss 1360

I would also try clearing df-bit for crypto.

crypto ipsec df-bit clear

I don't think you need to test if the ports are open unless you have NAT-exemption issues. For example, if you have static port forwarding configured on Router-C, make sure you use a route-map to deny NATing (or port forwarding) for VPN traffic:

     ip access-list ext nonat
        deny ip router-c-lan to router-a/b-lan
        permit ip any any
     route-map nonat-rm permit 10
        match address nonat
     ip nat source static tcp route-map nonat-rm

Let me know how it goes.

Regards,

Praveen

I did test the pinging; I worked my way down and the first successful ping was at 1020 bytes. Is this abnormally low? Is there a way to fix the underlying problem causing it, i.e. increased bandwidth?

To Set MTU - I have only ever used the web interface on the RVS4000. I looked around but it does not appear to be a setting that I can modify. Do I need to log into the router with a terminal program or can it be modified some other way?
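The sweep Praveen describes (ping with DF set, decrementing the payload until it gets through) and the arithmetic behind his `ip mtu` / `ip tcp adjust-mss` numbers can be written down as a small, offline-testable routine. This is an added example, not code from the thread or from Cisco; the `simulated_path` helper is a constructed stand-in for a real `ping -f -l <size>` so the logic can be exercised without a network, and the header sizes assume plain IPv4/ICMP/TCP with no options. It also adds a binary-search variant, which finds the exact largest payload in far fewer probes than a step-10 sweep.

```python
"""Path-MTU probing sweep and MTU/MSS derivation (added example, not from the original post)."""
from typing import Callable, Optional

# Header sizes assumed for the accounting (IPv4 and TCP without options).
IP_HEADER = 20     # IPv4 header
ICMP_HEADER = 8    # ICMP echo request/reply header
TCP_HEADER = 20    # TCP header; MSS = MTU - IP_HEADER - TCP_HEADER

Probe = Callable[[int], bool]  # probe(payload_bytes) -> True if a DF-set ping of that size succeeds


def largest_unfragmented_payload(probe: Probe, start: int = 1460, step: int = 10,
                                 floor: int = 0) -> Optional[int]:
    """Linear sweep exactly as suggested in the thread: try `start`, then step down
    until a probe succeeds. Returns the first successful payload size, or None if
    nothing at or above `floor` gets through."""
    size = start
    while size >= floor:
        if probe(size):
            return size
        size -= step
    return None


def largest_unfragmented_payload_bsearch(probe: Probe, lo: int = 0, hi: int = 1472) -> Optional[int]:
    """Binary-search variant: about 11 probes for the 0..1472 range instead of up to 147,
    and it returns the exact largest payload rather than the nearest multiple of `step`.
    1472 is the largest ICMP payload that fits a 1500-byte IPv4 MTU."""
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return best


def mtu_from_ping_payload(payload: int) -> int:
    """The ICMP payload reported by ping -l excludes the IP and ICMP headers,
    so the on-wire datagram (the effective path MTU) is payload + 28."""
    return payload + IP_HEADER + ICMP_HEADER


def mss_from_mtu(mtu: int) -> int:
    """TCP MSS that fits the MTU: subtract the IP and TCP headers (40 bytes),
    the same 40-byte gap as the 1400/1360 pair in the reply above."""
    return mtu - IP_HEADER - TCP_HEADER


def recommend(payload: int) -> dict:
    """Turn a successful ping payload size into the two interface settings."""
    mtu = mtu_from_ping_payload(payload)
    return {"ip mtu": mtu, "ip tcp adjust-mss": mss_from_mtu(mtu)}


def simulated_path(path_mtu: int) -> Probe:
    """Constructed stand-in for a real `ping -f -l <size> <host>`: a DF-set datagram
    gets through only if its full size fits the smallest link MTU on the path."""
    def probe(payload: int) -> bool:
        return payload + IP_HEADER + ICMP_HEADER <= path_mtu
    return probe


if __name__ == "__main__":
    # Constructed scenario: a path whose smallest link carries 1048-byte datagrams,
    # which is what a first success at 1020 bytes of payload implies.
    probe = simulated_path(1048)
    found = largest_unfragmented_payload(probe)
    print("sweep found payload:", found)                          # 1020
    print("exact payload:", largest_unfragmented_payload_bsearch(probe))
    print("settings:", recommend(found))                          # mtu 1048, mss 1008
```

Feeding the 1020-byte result from the post above through `recommend` gives an `ip mtu` of 1048 and an `ip tcp adjust-mss` of 1008; the binary search on the same simulated path returns 1020 as well, because 1048 happens to be the exact limit. On a healthy 1500-byte path the sweep stops at its first probe (1460) while the binary search reports 1472, which is why the exact variant is the better diagnostic when a path looks suspicious.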

Hi Brian,

That is very low compared to what I normally see. It is only because of a device with a LOW MTU set in the path (from C to A or C to B). If you can talk to your ISP and get more info on that, it would be great.

--- Did you try "crypto ipsec df-bit clear" or something similar in the RVS4000?

--- If telnet is allowed to the RVS4000, then you should be able to modify it in interface config mode. I am not sure if the RVS4000 has a CLI facility.

Let me know how it goes.

Regards,

Praveen

What type of circuit is at Site C? If it's a DSL type then it's definitely an MTU/tcp adjust-mss value issue.

It is an XData connection. I understand this to be a partial T1. It was originally a cheaper dynamic service. We upgraded this and got a static address to begin this process. I have a call into their ISP, waiting on a return call; the guy I'm working with has been pretty helpful. I'll let you know as soon as I hear anything.

I contacted the ISP. They checked the equipment and the MTU is at 1500. We can successfully ping all the way to my router with packets of 1500 bytes.

I found that internally I cannot even get a response from the router with packets of 1500 bytes. I found where to set the MTU in the WAN settings tab, but cannot find any way to set the MTU to 1500 on my LAN port. This seems like it could be my problem. Is there a way to log in through terminal access to change the MTU?