Cisco Support Community

Why do some applications fail through multiple VPN hops?

We have set up IPsec VPN tunnels using IOS (mostly 2851 and 2921 routers) between multiple locations in a hub-and-spoke topology. Everything works well except that some applications fail when traversing multiple VPN hops. In other words:

    Office_1 <---VPN---> Office_2 <---VPN---> Office_3

Office_1 and Office_3 have basic IP connectivity with each other (passing through Office_2) that can be verified through pings and traceroutes.

But some applications fail between Office_1 and Office_3.  For example, a web browser in Office_1 may not be able to connect to a web server in Office_3, although the client can ping the server successfully.

We've worked around this a few times by creating additional VPN tunnels so that the clients can access the servers in a single hop.

Has anyone else seen this problem?

Thanks,

Dave Crawford

Senior Systems Engineer

Paul Hastings LLP

2 REPLIES

I'll reply to this myself since I figured out the solution.

The solution was to use the global command "crypto ipsec df-bit clear" on the VPN router in the middle.

That points to an MTU/fragmentation problem.  I still don't understand why the problem only showed up when the traffic passed through multiple hops, but I'm perfectly willing to implement an effective solution without fully understanding it.

Dave Crawford

Senior Systems Engineer

Paul Hastings LLP
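
An added example, not part of the original thread: a simplified Python model of one IPsec tunnel-mode encapsulation step on the middle router, showing why a small ping passes while a full-size packet with the DF bit set is dropped unless the DF policy is `clear`. The 1500-byte link MTU, the 58-byte ESP overhead and the sample packets are constructed assumptions; the three policy names mirror the `copy`, `set` and `clear` options of `crypto ipsec df-bit`.

```python
from dataclasses import dataclass

LINK_MTU = 1500      # assumption: Ethernet MTU on the tunnel's egress interface
ESP_OVERHEAD = 58    # assumption: constructed value; real overhead depends on the transform set
IP_HEADER = 20

@dataclass
class Packet:
    size: int        # length of the inner (cleartext) IP packet in bytes
    df: bool         # Don't Fragment bit of the inner IP header

def fragment(total, mtu):
    """Split an IP packet of `total` bytes into fragment sizes that fit `mtu`."""
    payload = total - IP_HEADER
    chunk = (mtu - IP_HEADER) // 8 * 8   # fragment payloads are multiples of 8 bytes
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(take + IP_HEADER)
        payload -= take
    return sizes

def encapsulate(pkt, df_policy="copy", mtu=LINK_MTU, overhead=ESP_OVERHEAD):
    """Model one tunnel-mode encapsulation; returns (action, outer packet sizes)."""
    outer_df = {"copy": pkt.df, "set": True, "clear": False}[df_policy]
    outer = pkt.size + overhead
    if outer <= mtu:
        return "forward", [outer]
    if outer_df:
        # Too large and not fragmentable: dropped; the router signals
        # ICMP "fragmentation needed" (type 3, code 4) toward the sender.
        return "drop", []
    return "fragment", fragment(outer, mtu)

if __name__ == "__main__":
    # Constructed sample packets: a default-size ping and a full-size TCP segment.
    samples = {"ping": Packet(84, df=False), "http": Packet(1500, df=True)}
    for policy in ("copy", "clear"):
        for name, pkt in samples.items():
            print(policy, name, encapsulate(pkt, policy))
```

The model fragments after encapsulation and ignores pre-fragmentation, so it only illustrates the DF decision, not the exact packets an IOS router emits.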

Thanks for posting your response,

Tarik Admani
*Please rate helpful posts*
