Im in big trouble now... I have my office with Cisco 2811 and Data centre with Cisco ASA 5510. IPsec VPN has been established between this two devices. Our Exchange 2007 is at Data Centre LAN. Everything was working fine for past few months. No problem at all. We able to access to exchange using Outlook at our office over VPN smoothly. But now, The VPN is connected, ping to Exchange server IP from my Office over VPN tunnel no problem. But Outlook just cant get load email from exchange. Its took near 10min to load everything. And if click next email, it took longer time to preview it. I haved checked my office and Data Centre Internet line performance, no problem. When I used webmail(OWA) through internet from my office, no problem. its load very fast. But if used OWA using VPN tunnel, its load very slow. Here is some info
My office LAN : 192.168.39.xxx/24
Data Centre LAN : 192.168.38.xxx/24
Data Centre Public IP for Exchange Server : 210.48.xxx.xxx (Cisco ASA will port forward this ip to Exchange Server real IP)
Data Centre Private IP for Exchange Server : 192.168.38.2
if I used https://210.48.xxx.xxx/owa .......... from my office, no prob at all .......
if I used https://192.168.38.2/owa...... from my office ........ using tunnel... very slow..
if I used outlook(outlook connect to Exchange Server using VPN tunnel(192.168.38.2))......Very slow...
ping to Exchange server Private IP(192.168.38.2).....very smooth...20ms average
Please advice if threre could be any problem causing the issue...
No improvement. Is it need to configure it in my office router and data cantre Cisco ASA also? if its is how to configure it in ASA?
Then let us add the same feature on the ASA as well,
On the ASA,
crypto ipsec df-bt clear " WAN interface name " like crypto ipsec df-bit clear outside
Also, add the following command on both the ASA and the Router,
crypto ipsec fragmentation before-encryption
Let me know how it goes.
Try lowering down the MSS on the outlook client side ASA to around 1200. Or check the packet captures to find the optimum MSS the client and server is exchanging. I suspect a lot of frags and TCP Dup ACK causing this problem. Turning off the DF bit is not a good idea.
I have chaged mss value is ASA.... looks better... is it need to change mss value in my office router also? if yes, which interface i should configure it?
Lower it down further. I know this is not the efficient way of determining the MSS. However, if you feel that the experience is better that means we are focusing in the right direction. Determination of the optimum MSS should be automatic and if ICMP error messages are being exchanged than PMTUD should be doing the trick. Try Dr. TCP on the host and lower down the MTU of the host to around 1300.
U mean change MTU of my Exchange server? And 1 big question.... Why is it the problem arrise in sudden while past few month no problem at all? if this is due to mss and MTU value, why is it no problem occured during past month?
MTU on the client not the server. Why would you even imagine changing the MTU on the server when the problem could be with only one client, I wonder.