Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Problem with WAN,IPSec and Windows AD Logon

Hi there,

I just came across a small problem today. One of our remote offices is connected by an E1 line to our central site. The remote office has a 2621XM with an IOS 12.2(10b) and the central site has the same router with same IOS version. We want to use IPSec Tunnel mode on the connection so that all data gets encrypted. Everything seems to be OK, but the problem is that at the remote site the Win2K clients aren't able to logon to our Active Directory Domain anymore. You can still logon, but downloading the security policy at windows logon takes forever until you are told that it doesn't work. Also the Logon-Scripts don't start on the clients. Basically IP software like Lotus Notes and other stuff works on the clients, you can also map network drives, but the event log is full of errors about downloading the policies.

I already had problems like this when small offices and Teleworkers connected via ADSL to an VPN3030 Concentrator, there was the same AD logon problem. That was fixed with an updated firmware for the SOHO routers (non-Cisco). I already tried changing MTU sizes and also the PMTU option in IOS, but the problem still exists. The connection is made via a serial interface on both routers which is connected to the E1. The serial interface has a MTU of 1500. The IPSec Tunnel is bound to the serial interfaces and has a MTU of 1514 in 'sh int ser0/0'. The Tunnel uses GRE. On the Serial interfaces we use PPP.

Did anyone of you guys ever come across a problem like this ??? It would be great if anyone can help me with this.

I can also paste config here,but it's really nothing special in the configuration, so maybe someone can help without seeing the actual config.

Thank you.

Hall of Fame Super Gold

Re: Problem with WAN,IPSec and Windows AD Logon


I have encountered problems that sound similar to the symptoms that you describe. I solved the problem using this command:

ip tcp adjust-mss 1375

I applied this command to the LAN interface. I have also heard of people applying this command to the tunnel interface.

I suggest that you try this command and let us know if it makes any difference in the issue you are experiencing.



CreatePlease to create content