I configured IPsec VTIs between branch locations and a head office, but whenever the tunnels are up, machines on the domain at the branches are unable to come up and get an IP address; they are stuck in "preparing network connections". Once the tunnel is down they work fine. Also, if the tunnel is up and the machine is not a part of the domain, it will get an IP address and will be able to work as it should.
The routers were using Advanced Security 12.4(15)T7, but it seems that has some issues, none that I have seen that are specific to VPNs, so I have upgraded all locations to 12.4(22)T, but I have not been able to test it yet.
The router config is pretty simple; it's just the interfaces, the tunnel and routing, nothing fancy. Is there anything that you guys can think of that could be the problem? It would really be appreciated.
The DHCP server is at the HO, and this problem only occurs with the ATM links; the metro links and frame links that other branches use to get to the HO are fine. So I did a little research, and it turns out it has to do with the MSS. I adjusted it to 1330 so that we were actually able to get to the machines and log on locally, but whenever they try to come across the link for domain information, I suppose they just can't get on.
Any idea what the MSS should be on the tunnels when using SHDSL links?
Setting an MSS value forces TCP traffic through the interface that has that value to adjust the MSS to what you configure. It is known that domain traffic tends to be large packets, so forcing the MSS to be lower than the default (1460) forces the TCP speakers to send traffic with a smaller TCP MSS and fragment when needed.
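As an added example (not from the thread), here is a small Python helper that applies the answer's reasoning: it computes the worst-case ESP tunnel-mode overhead for a given cipher and HMAC, checks whether a full TCP segment at a chosen MSS still fits the underlying link once encrypted, and derives the `ip mtu` / `ip tcp adjust-mss` values for the VTI. The link MTU (1500 here) and the AES/SHA1 transform set are assumptions; on an ATM/SHDSL circuit use the IP MTU of that link instead.

```python
# Added example: size TCP MSS for an IPsec VTI so encrypted packets fit the link.
# Hypothetical helper, not from the thread. Overhead constants are the standard
# ESP tunnel-mode values (RFC 4303); link MTU and transform set are assumed inputs.

IP_HDR = 20          # outer IPv4 header added in tunnel mode
TCP_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
CIPHER = {"3des": (8, 8), "aes": (16, 16)}   # name -> (IV length, block size)
ICV = {"md5": 12, "sha1": 12, "sha256": 16}  # truncated HMAC ICV sizes

def esp_overhead_max(cipher: str, auth: str) -> int:
    """Worst-case bytes ESP tunnel mode adds to an inner IP packet."""
    iv, block = CIPHER[cipher]
    return IP_HDR + ESP_HDR + iv + (block - 1) + ESP_TRAILER + ICV[auth]

def esp_packet_size(inner_len: int, cipher: str, auth: str) -> int:
    """Exact outer packet size: (inner + trailer) is padded to the cipher block."""
    iv, block = CIPHER[cipher]
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + ICV[auth]

def will_fragment(mss: int, link_mtu: int, cipher: str, auth: str) -> bool:
    """True if a full TCP segment at this MSS exceeds the link MTU once encrypted."""
    inner = mss + TCP_HDR + IP_HDR          # full-size inner IPv4/TCP packet
    return esp_packet_size(inner, cipher, auth) > link_mtu

def recommend(link_mtu: int, cipher: str, auth: str) -> dict:
    """Largest tunnel 'ip mtu' and 'ip tcp adjust-mss' that can never fragment."""
    ip_mtu = link_mtu - esp_overhead_max(cipher, auth)
    return {"ip_mtu": ip_mtu, "mss": ip_mtu - IP_HDR - TCP_HDR}

def ios_lines(link_mtu: int, cipher: str, auth: str) -> list:
    """Render the two IOS tunnel-interface commands for the computed values."""
    r = recommend(link_mtu, cipher, auth)
    return [f"ip mtu {r['ip_mtu']}", f"ip tcp adjust-mss {r['mss']}"]

if __name__ == "__main__":
    # Default MSS, the computed maximum, and the poster's 1330 over a 1500-byte link
    for mss in (1460, 1387, 1330):
        state = "fragments" if will_fragment(mss, 1500, "aes", "sha1") else "fits"
        print(f"MSS {mss}: {state}")
    print("\n".join(ios_lines(1500, "aes", "sha1")))
```

With AES/SHA1 the default MSS of 1460 yields a 1560-byte ESP packet, which is why the large domain-logon exchanges break on the tunnel while short DHCP traffic and non-domain hosts are unaffected.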