I recently had an issue with two sites that had a site-2-site vpn tunnel between them. One site was hosting all the application servers (let's call this site A). All clients at site B (second site) were able to ping servers at site A using both the IP address and the DNS name. However, applications such as SAP and Outlook would not connect to the servers, even though ping was working fine. On some workstations, applications were working fine and on some, applications were not working fine. All workstations were running Windows XP SP2.
I entered the following command on the router at site B. The router was the VPN endpoint. After entering this command, all workstations were able to connect to the applications successfully.
crypto ipsec df-bit clear
I believe this command clears the df bit setting from the client and allows the router to defragment the packet if needed. However, why were some clients able to connect to the applications and others not, even though they were running the same OS with the same Service Pack?
The DF bit is to allow a user to specify their router to clear, set or copy the DF bit (Don't Fragment bit) from the encapsulated header, which basically determines whether a router is allowed to fragment a packet, so basically if the DF bit is set to clear, routers can fragment packets regardless of the original DF bit setting. HTH
Thanks for your reply. I understand what you explained, but I am confused about the fact that some workstations were able to connect to the applications successfully and some were not. After making the change in the router for the df bit setting, all the workstations connected successfully.
All workstations have the same OS (Windows XP) and the same networking settings.
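A simplified model of the clear/set/copy behaviour discussed in this thread, added here as an illustration and not posted by any participant. The ESP overhead, path MTU and sample packet sizes are assumptions chosen for the example, and the function names are hypothetical.

```python
# Added illustration: simplified model of how a tunnel-mode IPsec endpoint
# treats the DF bit under "crypto ipsec df-bit {clear|set|copy}".
from dataclasses import dataclass

ESP_TUNNEL_OVERHEAD = 56   # assumption: bytes added by ESP tunnel mode; varies with transforms
PATH_MTU = 1500            # assumption: MTU of the path between the VPN endpoints


@dataclass
class Packet:
    length: int   # total length of the inner (cleartext) IP packet, in bytes
    df: bool      # DF bit as set by the sending host


def outer_df(inner_df: bool, policy: str) -> bool:
    """DF bit placed in the encapsulating header for a given policy."""
    if policy == "clear":
        return False
    if policy == "set":
        return True
    if policy == "copy":
        return inner_df
    raise ValueError(f"unknown df-bit policy: {policy}")


def encapsulate(pkt: Packet, policy: str, mtu: int = PATH_MTU) -> str:
    """Return what happens to the packet once ESP overhead is added."""
    size = pkt.length + ESP_TUNNEL_OVERHEAD
    if size <= mtu:
        return "forwarded"
    if outer_df(pkt.df, policy):
        # Too big and fragmentation not allowed: the packet is dropped and the
        # sender relies on ICMP "fragmentation needed" to shrink its segments.
        return "dropped"
    return "fragmented"


# Constructed sample traffic (illustrative sizes, not captured from the sites).
SAMPLES = {
    "default ping": Packet(length=60, df=False),
    "full-size TCP segment": Packet(length=1500, df=True),
    "small TCP segment": Packet(length=400, df=True),
}


def run(policy: str) -> dict:
    """Outcome of every sample packet under one df-bit policy."""
    return {name: encapsulate(p, policy) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for policy in ("copy", "set", "clear"):
        print(policy, run(policy))
```

In this model the small ping is forwarded under every policy, while the full-size segment with DF set is forwarded (as fragments) only under `clear`.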