05-24-2006 08:38 AM
We are in the process of replacing a PIX with a 2821 running the VPN feature set. When we put it in place and terminate a VPN tunnel to the PIX at the far end, the connection and tunnels appear to come up fine, but we seem to be having some issues with DNS and/or AD. The PCs on the remote networks can ping the central Domain controllers, and when they go to logon they can log onto the network, but they are unable to run the logon script which maps drives and printers and applies the security policy. Anyone seen this before or have any ideas?
05-30-2006 07:33 AM
Are you getting any error messages?
05-30-2006 11:34 AM
Is it possible that in the process of making changes something was done that prevents PMTUD (Path MTU Discovery) from working? This could produce a problem with packets that are large, require fragmentation, but cannot be fragmented. I have seen this happen when someone decided to deny ICMP (including the ICMP error "fragmentation required but DF set", which is essential to PMTUD).
You might try configuring ip tcp adjust-mss on the 2821 and setting the segment size to a fairly low value (I have had good success with 1370) and see what happens.
HTH
Rick
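The failure mode Rick describes (a large DF-set packet that no longer fits once the IPsec headers are added, with the "fragmentation needed" ICMP filtered so the sender never learns to shrink) is easy to reason about with a small model. The following is an added example, not code from the thread or from Cisco; the IPsec overhead figure, the 1427-byte tunnel MTU it yields, and the sender/path behaviour are constructed for illustration and simplified (one segment in flight, no real retransmission timers). It shows why PMTUD works when the ICMP error is allowed, black-holes when it is dropped, and why clamping the MSS to a value such as 1370 with ip tcp adjust-mss makes the sender independent of ICMP altogether.

```python
"""Model of PMTUD over an IPsec tunnel versus MSS clamping.

Added example (not from the original thread). The IPsec overhead and the
resulting tunnel MTU are constructed estimates, used only to make the
arithmetic concrete.
"""
from dataclasses import dataclass, field

IP_HDR = 20
TCP_HDR = 20
ETH_MTU = 1500

# Constructed worst-case ESP tunnel-mode overhead: outer IP header (20),
# ESP header (8), IV (16), padding (up to 15), pad-length/next-header (2),
# integrity check value (12).  Real numbers depend on the transform set.
IPSEC_OVERHEAD_MAX = 20 + 8 + 16 + 15 + 2 + 12  # 73 bytes


def tunnel_mtu(link_mtu: int = ETH_MTU, overhead: int = IPSEC_OVERHEAD_MAX) -> int:
    """Largest inner IP packet that still fits in one outer packet."""
    return link_mtu - overhead  # 1427 with the constructed figures


def mss_for_mtu(mtu: int) -> int:
    """TCP payload that fits in an IP packet of the given size."""
    return mtu - IP_HDR - TCP_HDR


@dataclass
class TunnelPath:
    """The encrypting router plus whatever filters ICMP on the way back."""
    icmp_allowed: bool
    mtu: int = field(default_factory=tunnel_mtu)

    def forward(self, packet_len: int, df: bool) -> str:
        if packet_len <= self.mtu:
            return "delivered"
        if not df:
            return "fragmented"          # router splits it; slow but works
        # Too big and DF set: the router must send ICMP type 3 code 4
        # ("fragmentation needed and DF set").  If a filter drops that
        # message, the sender sees nothing at all.
        return "icmp_frag_needed" if self.icmp_allowed else "dropped_silently"


def send_with_pmtud(path: TunnelPath, payload: int, mss: int, max_rounds: int = 8):
    """Simplified PMTUD sender: full-MSS segments with DF set, shrinks only
    when an ICMP error comes back.  Returns (completed, per-packet log)."""
    pmtu = ETH_MTU          # sender starts by assuming the local link MTU
    remaining = payload
    log = []
    for _ in range(max_rounds):
        if remaining <= 0:
            break
        seg = min(mss, mss_for_mtu(pmtu), remaining)
        pkt = seg + IP_HDR + TCP_HDR
        result = path.forward(pkt, df=True)
        log.append((pkt, result))
        if result == "delivered":
            remaining -= seg
        elif result == "icmp_frag_needed":
            pmtu = path.mtu     # the ICMP error carries the next-hop MTU
        # "dropped_silently": nothing learned, same size retried next round
    return remaining <= 0, log


def compare_scenarios(payload: int = 4000) -> dict:
    """Three cases a practitioner would want to see side by side."""
    return {
        # ICMP passes: first packet bounces, sender shrinks, transfer completes.
        "pmtud_icmp_allowed": send_with_pmtud(TunnelPath(True), payload, 1460)[0],
        # ICMP filtered: every full-size packet vanishes, transfer never completes.
        "pmtud_icmp_blocked": send_with_pmtud(TunnelPath(False), payload, 1460)[0],
        # MSS clamped (as 'ip tcp adjust-mss 1370' would do on the 2821):
        # 1370 + 40 = 1410 <= 1427, so no packet ever needs the ICMP error.
        "clamped_1370_icmp_blocked": send_with_pmtud(TunnelPath(False), payload, 1370)[0],
    }


if __name__ == "__main__":
    for name, ok in compare_scenarios().items():
        print(f"{name:28s} {'transfer completes' if ok else 'stalls'}")
```

The third case is the one that matters operationally: with the MSS clamped, every segment plus its 40 bytes of TCP/IP headers stays below the tunnel MTU, so neither fragmentation nor the ICMP error path is ever exercised. That is why a logon script or group-policy transfer (large, DF-set segments) can stall while pings (small packets) succeed, and why clamping fixes it without having to find whichever device is eating the ICMP.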