DMVPN and active directory (logon)

DHunter123
Level 1

Hi All,

We have a DMVPN setup between a couple of sites and everything seems well, except that logons across the VPN to a new Active Directory domain are painfully slow (10-15 minutes). I believe the problem may be with the tunnel and packet fragmentation, as AD is configured correctly.

I'm looking for some recommendations or advice on MTU and TCP MSS settings to see if it resolves the issue.

Currently both the hub and spoke are running with the following MTU and MSS settings (I've removed some irrelevant info). Tunnel0 was originally running an MTU of 1440, but if anything 1400 is even worse.

Thanks

interface Tunnel0
 ip mtu 1400
 ip nat inside
 ip nhrp authentication SP1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip virtual-reassembly in
 no ip split-horizon
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile 1

interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Darren,

Typically the problem is due to Kerberos over UDP traffic.

There are several ways you can fix this:

1) Switching to Kerberos over TCP (suggested).

2) Adjusting the MSS on the tunnel interface, not on the dialer (recommended).

3) Enabling tunnel PMTUD (strongly suggested).

M.


Hi, thanks for your advice.

I read a little on PMTUD and it says that it does not work with UDP. If that is the case, how will it assist with this situation?

When adjusting the MSS on the tunnel, is there a recommendation, or is it simply trial and error?

Thanks

Hey,

I adjusted the MSS on the tunnel as suggested to 1300, rebooted, and everything seems to be resolved, so thanks for your help.

I may try to optimise it soon, but I'm just happy it seems to be working. When you set the MSS on the tunnel interface, does it override the dialer interface settings, like an order of precedence?

Darren,

I think the PMTUD doc you're quoting is a bit out of date. I managed to find a workaround to a very similar problem by forcing PMTUD on Kerberos traffic.

In regard to MSS, think of it like this: since VPN traffic going out the dialer interface is already encapsulated (and thus not TCP but TCP over GRE over IPsec), there's nothing that MSS does.
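The MTU/MSS arithmetic behind the accepted answer and the last reply, as an added illustration that is not part of the thread: it shows why an MSS of 1452 on the dialer does nothing for tunnelled TCP, what MSS belongs on Tunnel0 for `ip mtu 1400`, and why MSS clamping cannot help a large Kerberos UDP reply. The thread does not state the IPsec transform, so AES-CBC (16-byte IV) with HMAC-SHA1-96 (12-byte ICV) in ESP transport mode and a GRE header with key are assumed; the Kerberos reply sizes are constructed.

```python
import math

# Header sizes in bytes. Assumed transform (not stated in the thread): ESP transport mode,
# AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96 (12-byte ICV).
IPV4_HDR, TCP_HDR, UDP_HDR = 20, 20, 8
GRE_HDR = 8                                   # 4-byte GRE header + 4-byte key ("tunnel key 0")
ESP_HDR, ESP_IV, ESP_ICV, ESP_TRAILER, CIPHER_BLOCK = 8, 16, 12, 2, 16


def encapsulated_size(inner_len: int) -> int:
    """On-wire size of an inner IP packet after GRE + ESP (transport mode) encapsulation."""
    plaintext = GRE_HDR + inner_len
    pad = (-(plaintext + ESP_TRAILER)) % CIPHER_BLOCK   # ESP pads up to the cipher block size
    return IPV4_HDR + ESP_HDR + ESP_IV + plaintext + pad + ESP_TRAILER + ESP_ICV


def max_inner_mtu(path_mtu: int) -> int:
    """Largest inner packet that leaves the dialer without fragmentation after encapsulation."""
    return next(n for n in range(path_mtu, 0, -1) if encapsulated_size(n) <= path_mtu)


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS that lets a full TCP segment fit in ip_mtu: IP and TCP headers come off the top."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def udp_fragments(payload_len: int, ip_mtu: int) -> int:
    """Number of IP fragments a UDP datagram of payload_len bytes becomes at ip_mtu (1 = none).
    MSS clamping is TCP-only, so a large Kerberos-over-UDP reply still fragments here."""
    total = IPV4_HDR + UDP_HDR + payload_len
    if total <= ip_mtu:
        return 1
    per_fragment = (ip_mtu - IPV4_HDR) // 8 * 8         # fragment data is a multiple of 8 bytes
    return math.ceil((total - IPV4_HDR) / per_fragment)


if __name__ == "__main__":
    print("max inner MTU behind the 1492-byte PPPoE link:", max_inner_mtu(1492))  # 1414, so ip mtu 1400 is safe
    print("MSS matching the dialer MTU fits only untunnelled TCP:", tcp_mss_for(1492))  # 1452
    print("MSS to clamp on Tunnel0 with ip mtu 1400:", tcp_mss_for(1400))  # 1360; the thread's 1300 is conservative
    # Constructed example: a 1900-byte Kerberos UDP reply (large PAC) versus a 1200-byte one.
    print("1900-byte Kerberos UDP reply at ip mtu 1400 ->", udp_fragments(1900, 1400), "fragments")
    print("1200-byte Kerberos UDP reply at ip mtu 1400 ->", udp_fragments(1200, 1400), "fragment")
```

Under these assumptions a 1440-byte inner packet already exceeds the 1492-byte dialer MTU after encapsulation, while 1400 fits with room to spare.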