Charles, I've had a similar issue with another customer and here the reason was due to a configuration of the VPN router.
Our situation was that the package size sent by Win2000 DCs was larger than the one allowed by the router; however, the MS packages have the DF flag (don't fragment), so that the router wasn't allowed to fragment the packages. The size of the default packets sent by Microsoft was 1482 bytes - and the VPN router allowed a max of 1476 bytes. In our case the problem was that the router's "IP unreachable" feature was turned off => turning on this feature resolved our problem, as the ICMP message back to the DC told it to use a different package size, which it then did much quicker than before, where it waited on a timeout.

I'm not a network guy - so don't ask me if it would have also been sufficient to increase the max package size on the router...

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, January 31, 2005 8:30 PM
To: '[email protected]'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

We have been monitoring the traffic from there and it only seems to be using from 5 to 10% of their line. They have a 512 DSL line and there are only 10 users at that site so it isn't big enough for me to place a DC there. They do a lot of printing and we are using Exchange 5.5 right now. I don't know. But we have also been experiencing some SSL issues with our internet traffic that might be part of this cause. I guess for now I might be able to eliminate the VPN connection from the problem as the DNS and network traffic seems steady. The only other thing that I could think of checking on the VPN is the packet size.

Thanks for the suggestions.

-----Original Message-----
From: Chandra Burra [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 1:06 PM
To: [email protected]
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

I had seen a similar issue, this was resolved after placing a DC in the local site and also configuring it as a local print server.
Major hits were with the print server, each time user prints it goes to the spooler in HQ and then comes back to print in local office, later the notification is expected by the client from the print server on completion of the print. Other traffic might also be going through same tunnel... like other business applications, E2K and so on... have the n/w team monitor the link or use netmon to get the same yourself... that might give you more insight...

Regards,
Chandra

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul van Geldrop
Sent: 31 January 2005 17:14
To: [email protected]
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

Are there still NT4 machines at the site? You seem to have symptoms of timeouts and/or DNS misconfiguration. Any errors in the DNS server logs? Have you run DNSdiag yet by any chance?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, January 31, 2005 5:53 PM
To: '[email protected]'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

This site goes back to our main location that houses this site's DNS, DC, GC and other server related sites. The VPN concentrator at this location grants DHCP servers to the location and uses a routing table for security. All of the ISA and other firewall issues are dealt with at the main location as the routing table only allows communication through here. We are using AD integrated DNS (which is housed on our DCs) and all DCs are GCs. The odd thing is that if you are at that location and are using a workstation on the NT domain then all web services as well as workstation boot up and logon times are normal. Only AD related workstations are affected. We are using Cisco VPN concentrators on both ends.

Does this cover the information that you were looking for? If you need something else, let me know.
Charlie

-----Original Message-----
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 10:36 AM
To: '[email protected]'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

Some more info might be good.. such as location of DCs, GCs, DNS configuration, etc. I presume you're setting up the VPN with firewalls.. or are you using ISA Server?

Regards,
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: maandag 31 januari 2005 17:27
To: '[email protected]'
Subject: [ActiveDir] VPN Connections with 2003 ADs

I am working on an NT to 2003 AD migration where I have a lot of remote locations. I have just completed the migration of one of my sites that is using a VPN connection to our central hub. Before the migration they were not experiencing any issues, however after the migration they are now seeing large lag times in starting up their machines and logging in. Also, when they browse the internet and they try to access pages that require authentication they get stuck (the page never loads completely and they do not receive an error message and this includes sites such as mail.yahoo and gmail.com).

Has anyone seen an issue like this where the migration of the network kills the VPN?

Thanks,
Charlie

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
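The packet-size behaviour described in the first message of this thread (1482-byte DF packets, a VPN hop limited to 1476 bytes, ICMP unreachables off and then on), as an added simulation that is not part of the original e-mails. `Hop`, `send_df`, `sender_adapts` and `largest_df_payload` are hypothetical names, and the limit of three timeouts is an assumption chosen for illustration.

```python
from dataclasses import dataclass

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

@dataclass
class Hop:
    mtu: int
    sends_unreachable: bool  # ICMP type 3 code 4 "fragmentation needed" enabled?

def send_df(size, path):
    """Forward one DF-flagged packet of `size` bytes along `path`.
    Returns ("ok", None), ("frag_needed", hop_mtu) or ("timeout", None)."""
    for hop in path:
        if size > hop.mtu:
            if hop.sends_unreachable:
                return ("frag_needed", hop.mtu)
            return ("timeout", None)  # dropped silently: the sender learns nothing
    return ("ok", None)

def sender_adapts(size, path, max_timeouts=3):
    """Sender-side path-MTU discovery: shrink to the MTU named in the ICMP reply.
    Returns (working_size_or_None, packets_sent, timeouts)."""
    sent = timeouts = 0
    while timeouts < max_timeouts:  # assumed retry limit
        status, hint = send_df(size, path)
        sent += 1
        if status == "ok":
            return size, sent, timeouts
        if status == "frag_needed":
            size = hint
        else:
            timeouts += 1  # each one costs a full retransmission timer
    return None, sent, timeouts

def largest_df_payload(path, low=0, high=1472):
    """Binary-search the largest ping payload that passes with DF set, the
    scripted equivalent of repeating `ping -f -l <size>` on Windows."""
    while low < high:
        mid = (low + high + 1) // 2
        if send_df(mid + IP_ICMP_OVERHEAD, path)[0] == "ok":
            low = mid
        else:
            high = mid - 1
    return low

# Constructed paths using the sizes quoted in the thread.
LAN = Hop(1500, True)
VPN_SILENT = Hop(1476, False)  # "IP unreachable" turned off
VPN_FIXED = Hop(1476, True)    # "IP unreachable" turned on

if __name__ == "__main__":
    print(sender_adapts(1482, [LAN, VPN_SILENT, LAN]))
    print(sender_adapts(1482, [LAN, VPN_FIXED, LAN]))
    print(largest_df_payload([LAN, VPN_SILENT, LAN]))
```

The payload search works even against the silent router, because a lost probe is itself the signal; that is why a DF ping sweep is a usable check when ICMP unreachables are filtered somewhere on the path.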
