I initially started looking at this from one viewpoint, and then I began to think about slow link detection.
You've taken traces to determine the size... What is the return message from ICMP when this large packet is detected by the PIX? Or, does the PIX just discard it? If the PIX is discarding it, I suspect it might be possible that the link is being interpreted as very slow. What if you disable slow link detection at the GPOs? Rick -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer Sent: Friday, June 24, 2005 5:35 AM To: [email protected] Subject: [ActiveDir] Increase ICMP packet size on a PIX - GPO related Hi, I have a problem with remote sites in active directory not applying group policies. I've discovered that when the PC starts or logs on it will send an oversize ICMP packet to the DC to establish that the connection is available and good. As my sites are connected through a VPN via a PIX I've discovered that the ICMP gets blocked by the PIX. App., by default, the PIX does not allow ICMP packets greater the 2k and the packet from the PC to the DC is bigger than this, therefore the PC doesn't get a reply so assumes that the connection is not that great, thus the USERENV does not download and apply the GPO's. I've found that there are two work-arounds to this problem; One is to modify the registry on every PC to not bother sending the packet and just download GPO's anyway by adding these keys: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "GroupPolicyMinTransferRate"=dword:00000000 Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System] "GroupPolicyMinTransferRate"=dword:00000000 ..and the other is to increase the allowed size of the ICMP packet on the PIX from 2k to something higher like 3k. I can't really justify changing 1000's of PCs registry settings when I believe there is a quicker solution by modifying the PIX. So the question is (finally!), does anyone know how to increase the ICMP packet size on the PIX? TIA Adam List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
