I have a client with 3 locations, each set up with a Cisco RVS4000. The routers connect fine and everyone can get to the internet. I have a VPN tunnel created between all 3 sites.
If I try to ping any address on any device at any location, I get a successful reply. I can be at any location and ping any device successfully. So it appears the VPNs are connected properly. (If I look at the routers, they also say the tunnels are up.)
Here's where the problem is....
If I am at Location A, I can browse PCs and anything I want at Location B. The same goes vice versa: if I'm standing at Location B, I can browse to Location A. If I go to Location C, although I can still ping devices in the other locations, if I try to browse PCs or to access any web management tool, it times out and does not work. This is whether I am trying to access the router web management tool or a phone system web management tool. If I am at either Location A or B, I cannot browse to the web management tools at Location C.
A few details and things we've tried.
An RDP session to or from Location C works fine through the VPN.
A test VPN directly to Cisco produced the same results, but confirmed RDP works.
I have tried a new router in Location C.
I then took the old router from Location C and confirmed that, if moved to Location B, it acts perfectly, just like the original at Location B.
I have done firmware upgrades.
I have contacted the ISP; not much help.
They asked if I can test the throughput of the VPN tunnel to see if all ports are being forwarded. Any idea how to do this? It seems like a good test, but I don't know of a utility to test it.
Since the ping is successful from any location to any location, the tunnel must be up and fine on all 3 (A, B, C) routers. So it is neither a firmware nor a hardware issue, at least that's the way it looks to me. I think there is an MTU/MSS issue.
If you ping from Location C to, say, Location B with the Don't-Fragment bit set and the length set to 1460 (keep decrementing by 10) until it succeeds, what is the length at which the ping succeeds?
(The ping command from Windows would be: ping -f -l 1460 )
I would take that value and set it as the MTU on the internal LAN interface, and an MSS value 40 bytes lower on the same interface. So,
ip mtu 1400
ip tcp adjust-mss 1360
I would also try clearing the DF bit for crypto.
crypto ipsec df-bit clear
I don't think you need to test whether the ports are open unless you have NAT-exemption issues. For example, if you have static port forwarding configured on Router C, make sure you use a route-map to deny NATing (or port forwarding) for VPN traffic:
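The DF-bit sweep the answer above asks for, as an added example that is not part of the thread: a small Python script that binary-searches for the largest ICMP payload that crosses the tunnel with Don't-Fragment set, then converts that payload into the IP MTU (payload + 20-byte IPv4 header + 8-byte ICMP header) and the TCP MSS (MTU minus 40) to configure. The real probe assumes Linux iputils ping flags (`-M do` sets DF, `-s` is the payload); on Windows the equivalent is `ping -f -l <payload> <host>`. The simulated probe is a constructed stand-in whose 1048-byte path MTU is chosen to reproduce the 1020-byte result reported later in the thread, so the script runs offline.

```python
import subprocess
from typing import Callable, Optional

IP_HEADER = 20       # IPv4 header without options
ICMP_HEADER = 8      # ICMP echo request header
TCP_HEADER = 20      # TCP header without options
TCP_IP_OVERHEAD = IP_HEADER + TCP_HEADER  # the "MSS = MTU - 40" rule


def linux_df_ping(host: str, payload: int, timeout_s: int = 1) -> bool:
    """One echo request with DF set (iputils ping -M do). Windows: ping -f -l <payload> <host>.
    Returns True only when a reply arrives; a local 'message too long' and a
    'fragmentation needed' from the path both give a non-zero exit status."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> Optional[int]:
    """Largest payload in [lo, hi] for which probe() succeeds.
    Assumes success is monotonic (everything that fits the path MTU passes,
    everything larger fails). hi=1472 is the largest payload on a 1500-byte link.
    Returns None if even the smallest probe fails (tunnel down or ICMP blocked)."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mtu_from_payload(payload: int) -> int:
    """IP packet size carried by an echo request with this much ICMP data."""
    return payload + IP_HEADER + ICMP_HEADER


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that keeps a full segment within the given MTU."""
    return mtu - TCP_IP_OVERHEAD


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real tunnel: replies only when the packet fits path_mtu."""
    return lambda payload: mtu_from_payload(payload) <= path_mtu


def recommend(probe: Callable[[int], bool]) -> Optional[dict]:
    """Run the sweep and return the values to configure, or None if nothing got through."""
    payload = find_max_payload(probe)
    if payload is None:
        return None
    mtu = mtu_from_payload(payload)
    return {"payload": payload, "mtu": mtu, "mss": mss_for_mtu(mtu)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real sweep against a host on the far side of the tunnel (assumes Linux iputils ping).
        probe = lambda n: linux_df_ping(sys.argv[1], n)
    else:
        # Constructed: 1048-byte path MTU reproduces the thread's 1020-byte ping result.
        probe = simulated_probe(1048)
    print(recommend(probe))
```

With the constructed probe the script reports payload 1020, MTU 1048 and MSS 1008; that is, the ping payload is not itself the MTU, the 28 bytes of IP and ICMP headers have to be added back before the value is applied to an interface, and the MSS clamp then comes off that MTU. The binary search needs about eleven probes instead of the forty-odd a step-by-ten sweep from 1460 takes, and the None result distinguishes "ICMP is being dropped" from "the path simply has a small MTU".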
I did test the pinging; I worked my way down, and the first successful ping was at 1020 bytes. Is this abnormally low? Is there a way to fix the underlying problem causing it, i.e. increased bandwidth?
To set the MTU: I have only ever used the web interface on the RVS4000. I looked around, but it does not appear to be a setting that I can modify. Do I need to log into the router with a terminal program, or can it be modified some other way?
It is an XData connection. I understand this to be a partial T1. It was originally a cheaper dynamic service. We upgraded this and got a static address to begin this process. I have a call in to their ISP and am waiting on a return call; the guy I'm working with has been pretty helpful. I'll let you know as soon as I hear anything.
I contacted the ISP. They checked the equipment and the MTU is at 1500. We can successfully ping all the way to my router with packets of 1500 bytes.
I found that internally I cannot even get a response from the router with packets of 1500 bytes. I found where to set the MTU in the WAN settings tab, but cannot find any way to set the MTU to 1500 on my LAN port. This seems like it could be my problem. Is there a way to log in through terminal access to change the MTU?