New Member

Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Hi, I have a Cisco 877 router in VPN mode to a Cisco 3015. The VPN is up and my first laptop is working fine over it. I have added a second and that seems fine; the 3rd however takes forever to log on and when it does it can ping everything (IP, DNS) over the VPN, but can't open Emails or Citrix even though it can ping them. I have tried 3 more PCs and they are the same.

I had this error on the console; is it related? And what debug commands can I run to see if the VPN is doing something?

Oct 11 14:06:49.748: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16

Router-877>

Oct 11 14:52:36.618: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16

Oct 11 14:52:36.666: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3775764964 1500 bytes is out-of-order; expected seq:3775744524. Reason: TCP reassembly queue overflow - session 172.19.15.14:2182 to 192.168.21.20:80

Router-877>

Router-877>
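The two console messages quoted above are the only evidence the poster has at this point, so as an added example (not from the original thread or from Cisco) here is a small parser that pulls the interface, the session tuple and the sequence gap out of `%IP_VFR-4-FRAG_TABLE_OVERFLOW` and `%FW-4-TCP_OoO_SEG` lines and summarises them. The sample log is constructed: the first three lines are the messages from the post, the remaining two are made up to show a second client and an unrelated message being ignored.

```python
import re
from collections import Counter

# Constructed sample log. Lines 1-3 are the messages quoted in the post above;
# lines 4-5 are made up (a second client, and a message the parser ignores).
SAMPLE_LOG = """\
Oct 11 14:06:49.748: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.618: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.666: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3775764964 1500 bytes is out-of-order; expected seq:3775744524. Reason: TCP reassembly queue overflow - session 172.19.15.14:2182 to 192.168.21.20:80
Oct 11 14:53:01.102: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:112233 1500 bytes is out-of-order; expected seq:110000. Reason: TCP reassembly queue overflow - session 172.19.15.12:3010 to 192.168.21.20:80
Oct 11 14:53:05.500: %SYS-5-CONFIG_I: Configured from console by console
"""

VFR_RE = re.compile(
    r"%IP_VFR-4-FRAG_TABLE_OVERFLOW: (?P<iface>\S+): "
    r"the fragment table has reached its maximum threshold (?P<threshold>\d+)"
)
OOO_RE = re.compile(
    r"%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>\d+) (?P<bytes>\d+) bytes "
    r"is out-of-order; expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.*?) - "
    r"session (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict describing the event on this line, or None if it is not one we track."""
    m = VFR_RE.search(line)
    if m:
        return {"type": "vfr_overflow", "iface": m["iface"], "threshold": int(m["threshold"])}
    m = OOO_RE.search(line)
    if m:
        return {
            "type": "tcp_ooo",
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "size": int(m["bytes"]),
            # how far ahead of the expected sequence number the dropped segment was
            "gap": int(m["seq"]) - int(m["expected"]),
            "reason": m["reason"],
        }
    return None


def summarize(log_text):
    """Count VFR overflows per interface and out-of-order drops per client, with hints."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    vfr_by_iface = Counter(e["iface"] for e in events if e["type"] == "vfr_overflow")
    ooo_by_src = Counter(e["src"] for e in events if e["type"] == "tcp_ooo")
    full_size_drops = sum(1 for e in events if e["type"] == "tcp_ooo" and e["size"] >= 1500)

    hints = []
    for iface, n in vfr_by_iface.items():
        hints.append(f"{iface}: VFR fragment table hit its limit {n} time(s); "
                     f"check 'show ip virtual-reassembly' and the path MTU behind it")
    if full_size_drops:
        hints.append(f"{full_size_drops} dropped segment(s) were full 1500-byte packets; "
                     f"a tunnel MTU / MSS mismatch is a likely cause")
    return {
        "vfr_overflow": dict(vfr_by_iface),
        "tcp_ooo_by_client": dict(ooo_by_src),
        "hints": hints,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(k, v)
```

Run it over a saved console capture instead of `SAMPLE_LOG` to see which interface is overflowing and which clients are losing segments; a 1500-byte segment being dropped on a tunnel interface is the kind of detail that points at MTU rather than at an ACL.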

18 REPLIES

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

This appears to me as an MTU-size problem.

The link below describes this situation, and how to resolve it, in more detail:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

regards,

Leo

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Could this cause the VPN issue I described?

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Not if all PCs were configured identically.

My guess is that some of them have a fixed MTU or the MTU on your VPN is too small.

The latter is something that your ISP should know more about.

It can do no harm to configure tcp-mss on the router as described in the URL.

Leo

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Leo, thanks for your help here. I'm not sure it can be the ISP, as my Cisco 837s and 1841 work fine. I don't remember setting this on the others. The interesting thing is, though, that I do have access lists working with denying stuff; I will post the config when I get home.

I take it from the example that I would have to add an ip tcp adjust-mss to the global config?

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Fragmentation occurs when a datagram is larger than the link can transport. This can severely affect the performance of a connection.

Considering the log messages you received, I did not initially think it likely that this was ACL-related. The fact that two PCs are working may be pointing in this direction though.

After giving it a second thought, my hunch is that you could have two issues at the same time:

1: An incorrectly set MTU that is causing the fragment-messages.

2: A bad acl that is blocking all hosts but two.

Let us know how it develops!

Leo

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Hello,

Interestingly enough I can't see that I have set the mtu (ip tcp adjust-mss) on any config. Is this bad? Would this be set on the ATM 0 or Dialer 1, or not?

On one of the pages of your link it says a problem could be having:

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-list 101 deny icmp any any

access-list 101 permit ip any any

Look at my 877 config and at the top of my "ip access-list extended inbound_acl"

I'm very new to this could this be anything to do with it?

Thanks

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

This seems like a fairly complicated ACL indeed for someone who is new to this. ;-) Just for a test, try the following:

conf t

interface Vlan1

no ip inspect outbound in

interface Dialer1

no ip access-group inbound_acl in

end

Then try again. At least you will know whether the cause is in your acl or not.

Leo

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

He he, a guy who left did a lot of this.

Without the access lists, will this allow everything or the opposite through the tunnel?

Do you think I should add an mtu setting too?

Can't wait to try this, will do it when I get to work.

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Update:

I did what you asked:

conf t

interface Vlan1

no ip inspect outbound in

interface Dialer1

no ip access-group inbound_acl in

end

And I still get the same issues. Even stranger, I put 3 laptops into the hub that comes off (FE0/0) the Cisco 837; the 2 that worked yesterday still do, if I put a third in then that does work, and that's any laptop or PC.

I noticed that one of the 2 that had worked had problems connecting when I put the 3rd one in too; when I took the 3rd one off it was OK.

I tried the 1841 and 837 routers again and they are fine and use almost the same config.

Not sure what debug commands I could run?

Looks like the 3rd laptop can access the internet via the VPN though.

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Hi,

It seems that the number of datagrams being reassembled at one time has reached its maximum limit.

1. Try increasing the maximum number of datagrams that can be reassembled at one time with this command:

ip virtual-reassembly max-reassemblies

2. Check also your laptops; maybe one of them is infected with a virus and sending DDoS traffic.

Regards,

Dandy

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

What interface do I put that on Dandy, and it says 1-1024?

I have tried so many different laptops.

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Hi,

On the 877 interfaces:

- Interface connecting to LAN of your laptops

- Interface connecting to remote VPN device

Check this link about VFR http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_vfrag.htm

Regards,

Dandy

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

I'll add it to ATM 0, dialer 1 and VLAN 1.

I'll try ip virtual-reassembly max-reassemblies 64 max-fragments 16 timeout 5

Just tried the 1841, all is good on the same ADSL line and very similar config.

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

I turned debug ip virtual-reassembly on; see the file attached, hope it helps. I will go through the doc now.

172.19.15.12 is having issues it shows up in the attachment.

This might help:

Router-877#sh ip virtual-reassembly

ATM0:

Virtual Fragment Reassembly (VFR) is ENABLED...

Concurrent reassemblies (max-reassemblies): 16

Fragments per reassembly (max-fragments): 32

Reassembly timeout (timeout): 3 seconds

Drop fragments: OFF

Current reassembly count:0

Current fragment count:0

Total reassembly count:0

Total reassembly timeout count:0

Vlan1:

Virtual Fragment Reassembly (VFR) is ENABLED...

Concurrent reassemblies (max-reassemblies): 16

Fragments per reassembly (max-fragments): 32

Reassembly timeout (timeout): 3 seconds

Drop fragments: OFF

Current reassembly count:0

Current fragment count:0

Total reassembly count:3

Total reassembly timeout count:0

Dialer1:

Virtual Fragment Reassembly (VFR) is ENABLED...

Concurrent reassemblies (max-reassemblies): 16

Fragments per reassembly (max-fragments): 32

Reassembly timeout (timeout): 3 seconds

Drop fragments: OFF

Current reassembly count:0

Current fragment count:0

Total reassembly count:4

Total reassembly timeout count:0

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

whoops here is the debug.txt

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

I think I have solved it. Under interface Vlan 1 I had a "no ip unreachables"; I added "ip unreachables" and bang, everything started to work on the laptops.

For my understanding, does it make sense why this would cause these problems?

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Hi,

Looks like an MTU problem then.

The "no ip unreachables" switches off the ICMP "packet too big" and/or "fragmentation needed and DF bit set" messages for an interface. It will also disable IP Path MTU Discovery, because path discovery is created/provided by "unreachable" messages.

But this is the first time I have seen enabling "ip unreachables" fix a certain problem about MTU, because all hosts send packets with the DF bit and most systems have a fixed MTU of 1500, or in the case of tunneling there's a workaround like tcp mss.

On top of that, IOS hardening recommends applying "no ip unreachables" on the interface.

But hey, you fixed the problem :)

Regards,

Dandy
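To make the mechanism Dandy describes concrete, the following is an added simulation (not code from the thread, from Cisco or from IOS) of a TCP sender doing Path MTU Discovery across a router whose VPN interface has a smaller MTU than the LAN. It models three things: ICMP "fragmentation needed" being sent (the IOS default, `ip unreachables`), it being suppressed (`no ip unreachables`, the poster's original config), and the MSS clamp that `ip tcp adjust-mss` provides. The tunnel MTU of 1400, the clamp value of 1360 and the 4000-byte transfer are assumed values chosen for the example; only the general behaviour (small pings pass, full-size TCP segments disappear into a black hole when the ICMP is suppressed) is what the thread reports.

```python
from dataclasses import dataclass
from typing import Optional

HEADERS = 40  # IPv4 + TCP header bytes, no options (assumption for the model)


@dataclass
class Packet:
    size: int   # total IP length in bytes
    df: bool    # Don't Fragment bit set?


@dataclass
class Hop:
    name: str
    mtu: int
    # models IOS 'ip unreachables' (True) vs 'no ip unreachables' (False)
    # on the interface that receives the oversized packet
    send_unreachables: bool = True
    # models 'ip tcp adjust-mss N' on the forwarding interface; None = not configured
    clamp_mss: Optional[int] = None


def forward(hops, pkt):
    """Push one packet through the path. Returns (outcome, detail)."""
    for hop in hops:
        if pkt.size > hop.mtu:
            if not pkt.df:
                continue  # router fragments and forwards (reassembly not modelled)
            if hop.send_unreachables:
                return ("icmp_frag_needed", hop.mtu)   # ICMP type 3 code 4 with next-hop MTU
            return ("silently_dropped", hop.name)      # the PMTUD black hole
    return ("delivered", None)


def tcp_transfer(hops, payload_bytes, max_retries=3):
    """A DF-setting sender moves payload_bytes across the path, learning the MTU from ICMP."""
    # SYN exchange: the advertised MSS starts at 1460 and any hop with a clamp lowers it
    mss = 1460
    for hop in hops:
        if hop.clamp_mss is not None:
            mss = min(mss, hop.clamp_mss)
    pmtu, sent, retries, segments = 1500, 0, 0, 0
    while sent < payload_bytes:
        seg = min(mss, pmtu - HEADERS, payload_bytes - sent)
        outcome, info = forward(hops, Packet(seg + HEADERS, df=True))
        segments += 1
        if outcome == "delivered":
            sent += seg
        elif outcome == "icmp_frag_needed":
            pmtu = info  # PMTUD: shrink and retransmit
        else:
            retries += 1
            if retries >= max_retries:
                return {"ok": False, "reason": f"black hole at {info}",
                        "bytes_sent": sent, "segments": segments}
    return {"ok": True, "pmtu": pmtu, "mss": mss, "bytes_sent": sent, "segments": segments}


def ping_ok(hops, size=84):
    """A small ICMP echo fits every link, so it succeeds whatever the unreachables setting."""
    return forward(hops, Packet(size, df=True))[0] == "delivered"


def run_scenarios(payload=4000):
    """Constructed topology: LAN side at 1500, VPN side at an assumed 1400-byte MTU."""
    def path(unreachables, clamp=None):
        return [Hop("Vlan1", 1500), Hop("Dialer1", 1400, unreachables, clamp)]
    return {
        "ip unreachables":                  tcp_transfer(path(True), payload),
        "no ip unreachables":               tcp_transfer(path(False), payload),
        "no ip unreachables + adjust-mss":  tcp_transfer(path(False, 1360), payload),
        "ping with no ip unreachables":     ping_ok(path(False)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:36} {result}")
```

With ICMP allowed the sender loses one segment, learns the 1400-byte path MTU and finishes; with it suppressed the first full-size segment is dropped three times and the transfer stalls while a ping still answers, which is exactly the "can ping everything but can't open Email or Citrix" symptom. Clamping the MSS avoids the problem without relying on ICMP at all, which is why it is the usual fix on tunnel interfaces even where `no ip unreachables` is kept for hardening.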

New Member

Re: Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

I added the ip unreachables to vlan 1 and dialer 1, so it might have been the dialer 1 too. I left the ip virtual-reassembly on the interfaces; to tidy things, should I be adding the max rate or setting the mtu rate?

Just wondered what your thoughts were.

Thanks
