New Member

DMVPN and active directory (logon)

Hi All,

We have a DMVPN setup between a couple of sites and everything seems well, except that logons across the VPN to a new Active Directory domain are painfully slow (10-15 minutes). I believe the problem may be with the tunnel and packet fragmentation, as AD is configured correctly.

I'm looking for some recommendations or advice on MTU and TCP MSS settings to see if it resolves the issue.

Currently both the hub and spoke are running with the following MTU and MSS settings (I've removed some irrelevant info). Tunnel0 was originally running an MTU of 1440, but if anything 1400 is even worse.

Thanks

interface Tunnel0
 ip mtu 1400
 ip nat inside
 ip nhrp authentication SP1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip virtual-reassembly in
 no ip split-horizon
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile 1

interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1

Accepted Solution
Cisco Employee

Darren,

Typically the problem is due to Kerberos over UDP traffic.

There are several ways you can fix this:

1) Switching to Kerberos over TCP. (suggested)

2) Adjusting the MSS on the tunnel interface, not on the dialer (recommended)

3) Enabling tunnel PMTUD (strongly suggested).

M.

4 REPLIES
New Member

Hi, thanks for your advice.

I read a little on PMTUD and it says that it does not work with UDP, if that is the case how will it assist with this situation?

When adjusting the MSS on the tunnel, is there a recommendation or simply trial and error?

Thanks

New Member

Hey,

I adjusted the MSS on the tunnel as suggested to 1300, rebooted and everything seems to be resolved so thanks for your help.

I may try to optimise it soon, but I'm just happy it seems to be working. When you set the MSS on the tunnel interface, does it override the dialer interface settings, like an order of precedence?

Cisco Employee

Darren,

I think the PMTUD doc you're quoting is a bit out of date. I managed to find a workaround to a very similar problem by forcing PMTUD on Kerberos traffic.

Regarding MSS, think of it like this: since VPN traffic going out the dialer interface is already encapsulated (and thus not TCP but TCP over GRE over IPsec), there's nothing that MSS does.
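As an added configuration example (written for this page, not posted by anyone in the thread), the following shows the "before" placement from the original post next to the placement the accepted solution recommends: MSS clamping and PMTUD on the tunnel interface, where the TCP SYN is still a plain TCP packet. The MSS value 1360 is an assumption derived from the posted tunnel IP MTU of 1400 minus 40 bytes of IPv4 and TCP headers; the poster's 1300 is simply a more conservative choice. Interface names and the tunnel settings are copied from the thread; the remaining Tunnel0 lines (NHRP, tunnel protection) are left as in the original post.

```cisco
! --- Before (as posted): clamping on the dialer has no effect on VPN traffic.
! By the time a packet leaves Dialer0 it is GRE inside ESP, so the TCP header
! that "ip tcp adjust-mss" would rewrite is no longer visible here.
interface Dialer0
 mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452

! --- After: clamp on the tunnel, where the SYN is still bare TCP.
! ip mtu 1400 leaves 92 bytes below the 1492 PPPoE MTU for the GRE header
! (plus the 4-byte key, since "tunnel key 0" is configured) and the ESP
! encapsulation. MSS = tunnel IP MTU - 40 = 1400 - 40 = 1360 (assumed value).
! "tunnel path-mtu-discovery" lets the tunnel learn a smaller outer path MTU
! instead of silently fragmenting the encapsulated packets.
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile 1

! --- Verification (exec mode) before and after the change:
! show interfaces tunnel 0 | include MTU
! show ip traffic | include frag
```

The second show command exposes the symptom directly: a climbing "fragmented" counter while logons are slow, flat after the MSS is clamped on the tunnel, is what you would expect if fragmentation of the encapsulated traffic was the cause. The MSS clamp only helps TCP flows, which is why the accepted solution also lists moving Kerberos to TCP; on Windows that is the MaxPacketSize value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which Microsoft documents for exactly this purpose (set to 1 to force TCP), and it is the only one of the three fixes that addresses the UDP datagrams the PMTUD question in the thread is about.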
