09-20-2013 04:53 AM - edited 02-21-2020 07:10 PM
Hi All,
We have a DMVPN setup between a couple of sites and everything seems well, except that logons across the VPN to a new Active Directory domain are painfully slow (10-15 minutes). I believe the problem may be with the tunnel and packet fragmentation, as AD is configured correctly.
I'm looking for some recommendations or advice on MTU and TCP MSS settings to see if it resolves the issue. Currently both the hub and spoke are running with the following MTU and MSS settings (I've removed some irrelevant info). Tunnel0 was originally running an MTU of 1440, but if anything 1400 is even worse.
thanks
! mGRE tunnel carrying the DMVPN traffic (hub and spoke configured alike)
interface Tunnel0
 ! inner (pre-encapsulation) IP MTU; was 1440 originally
 ip mtu 1400
 ip nat inside
 ip nhrp authentication SP1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip virtual-reassembly in
 no ip split-horizon
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile 1
!
! PPPoE uplink the tunnel is sourced from
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ! MSS clamp sits on the outside interface only; no clamp on Tunnel0
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
09-20-2013 08:05 AM
Darren,
Typically the problem is due to Kerberos over UDP traffic.
There are several ways you can fix this:
1) Switching to Kerberos over TCP (suggested).
2) Adjusting the MSS on the tunnel interface, not on the dialler (recommended).
3) Enabling tunnel PMTUD (strongly suggested).
M.
09-23-2013 12:54 AM
Hi, thanks for your advice.
I read a little on PMTUD and it says that it does not work with UDP; if that is the case, how will it assist with this situation?
When adjusting the MSS on the tunnel, is there a recommendation or simply trial and error?
thanks
09-23-2013 01:17 AM
Hey,
I adjusted the MSS on the tunnel as suggested to 1300, rebooted, and everything seems to be resolved, so thanks for your help.
I may try to optimise it soon, but I'm just happy it seems to be working. When you set the MSS on the tunnel interface, does it override the dialer interface settings, like an order of precedence?
09-23-2013 01:20 AM
Darren,
I think the PMTUD doc you're quoting is a bit out of date. I managed to find a workaround to a very similar problem by forcing PMTUD on Kerberos traffic.
Regarding MSS, think of it like this: since VPN traffic going out the dialer interface is already encapsulated (and thus not TCP but TCP over GRE over IPsec), there's nothing that MSS does.
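To make the answer's point (and the precedence question above) concrete, here is an added Python model, not code from the thread, of how one TCP segment grows through GRE and ESP before it reaches Dialer0; it shows why a clamp on the dialer never touches tunnelled SYNs, and why 1300 fits the 1492 PPPoE MTU while 1360 does not. The ESP transform (tunnel mode, AES-CBC with SHA1-96) and all header sizes are assumptions.

```python
import math

# Constructed overhead model for the path discussed in this thread: TCP inside
# mGRE inside IPsec ESP (tunnel mode, AES-CBC + SHA1-96 assumed), leaving a
# PPPoE dialer with MTU 1492. Header sizes are assumptions about a typical
# transform set, not values taken from the original posts.
IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4 + 4        # base GRE header plus the 4-byte key ("tunnel key")
ESP_HDR = 8 + 16       # SPI + sequence number, then a 16-byte AES-CBC IV
ESP_TRAILER = 2        # pad-length and next-header bytes
ESP_ICV = 12           # SHA1-96 authenticator
AES_BLOCK = 16
OUTER_IP = 20          # new IP header added by tunnel-mode ESP


def encapsulated_size(tcp_payload):
    """Size on the wire of the ESP packet carrying one TCP segment."""
    inner = IP_HDR + TCP_HDR + tcp_payload          # what the host sent
    gre_packet = IP_HDR + GRE_HDR + inner            # after mGRE encapsulation
    # ESP pads the GRE packet plus its trailer up to a whole cipher block.
    padded = math.ceil((gre_packet + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return OUTER_IP + ESP_HDR + padded + ESP_ICV

def fragments_on_dialer(tcp_payload, dialer_mtu=1492):
    """True if the encrypted packet exceeds the PPPoE MTU and must be split."""
    return encapsulated_size(tcp_payload) > dialer_mtu

def largest_safe_mss(dialer_mtu=1492):
    """Largest MSS whose full-size segments leave the dialer unfragmented."""
    mss = dialer_mtu                  # upper bound; walk down to the first fit
    while fragments_on_dialer(mss, dialer_mtu):
        mss -= 1
    return mss

def effective_mss(host_mss, tunnel_clamp=None, dialer_clamp=None):
    """MSS the far end sees after both 'ip tcp adjust-mss' statements.

    The SYN crosses Tunnel0 as plain TCP, so the tunnel clamp applies. It
    crosses Dialer0 already wrapped in GRE/ESP, so the dialer clamp never
    sees a TCP header; dialer_clamp is accepted only to make that explicit.
    """
    return host_mss if tunnel_clamp is None else min(host_mss, tunnel_clamp)

if __name__ == "__main__":
    for mss in (1452, 1360, 1300):
        print(mss, encapsulated_size(mss), fragments_on_dialer(mss))
    print("largest MSS that fits in 1492:", largest_safe_mss())
```

Under these assumptions a 1300-byte MSS yields 1432-byte ESP packets (fits), 1360 yields 1496 (fragments), and the largest clean value is 1354; a different transform set shifts these numbers, so recheck with your own overheads.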