LOL!  Yeah, quite true - if I can't get the policy out, how do you disable
it?

I did the same in regards to the PIX docs.  I can't find any setting
anywhere that allows a define on the size of the ICMP packet.  As to the
actual size of the ICMP for slow link....  Huh.  Don't know.  I did the same
as you, Darren.  Looked through some code and didn't find anything that
screamed 'here is where the max ICMP size is set'.

I like your registry.pol scheme, and it might be really the only option
available in this circumstance.

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, June 24, 2005 10:45 AM
To: [email protected]
Subject: RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

This is one of those chicken and egg problems. When ICMP slow link
detection fails (i.e. no response is received to the ping request), no
GP processing occurs at all, so you can't disable slow detection through
GP. So you can't deliver the reg changes to disable slow link detection
through GP. Fun. One novel approach I've seen is to make the change on
the local GPO and then copy the relevant registry.pol files from the
local GPO to all machines in the environment. Not elegant, but it gets
the job done.

I've seen it documented that slow link detection uses max. packet sizes
of 2048 bytes. However, in looking at the code around slow link
detection, I found nothing in there that limited it to that, so I kinda
wonder. In sniffer traces that I've done, however, I've not seen it
above that, and often see smaller sizes. You say below that you are
allowing 2K packets--is it exactly 2000 bytes or is it 2048? Frankly,
rather than having to lose the benefits of slow link detection by
disabling it completely, I would definitely take the approach of opening
up the firewall a bit to allow it to happen naturally. Unfortunately, my
Cisco skills have evaporated over the years so I am no help in directing
you to actually make the change. A quick look at a Cisco Pix config.
guide didn't show it where I would have expected it, either in the
access list commands or in the icmp command. 

Darren



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 24, 2005 8:23 AM
To: [email protected]
Subject: RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO
related

I initially started looking at this from one viewpoint, and then I began
to think about slow link detection.  

You've taken traces to determine the size...  What is the return message
from ICMP when this large packet is detected by the PIX?  Or, does the
PIX just discard it?

If the PIX is discarding it, I suspect it might be possible that the
link is being interpreted as very slow.

What if you disable slow link detection at the GPOs?

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, June 24, 2005 5:35 AM
To: [email protected]
Subject: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

Hi,

I have a problem with remote sites in active directory not applying
group policies.  I've discovered that when the PC starts or logs on it
will send an oversize ICMP packet to the DC to establish that the
connection is available and good.  As my sites are connected through a
VPN via a PIX I've discovered that the ICMP gets blocked by the PIX.

App., by default, the PIX does not allow ICMP packets greater than 2k and
the packet from the PC to the DC is bigger than this, therefore the PC
doesn't get a reply so assumes that the connection is not that great,
thus the USERENV does not download and apply the GPO's.  

I've found that there are two work-arounds to this problem;  One is to
modify the registry on every PC to not bother sending the packet and
just download GPO's anyway by adding these keys:

Windows Registry Editor Version 5.00
; Machine policy key: 0 disables slow link detection (every link treated as fast)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000


Windows Registry Editor Version 5.00
; User policy key: same value, so user settings are applied regardless of link speed
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000

..and the other is to increase the allowed size of the ICMP packet on
the PIX from 2k to something higher like 3k.  

I can't really justify changing 1000's of PCs registry settings when I
believe there is a quicker solution by modifying the PIX.

So the question is (finally!), does anyone know how to increase the ICMP
packet size on the PIX?

TIA

Adam


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
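The following PowerShell script is an added example and is not code from anyone in this thread. It does two things the discussion above leaves to hand work: it audits whether the GroupPolicyMinTransferRate registry workaround Adam posted is in place on a machine (0 means slow link detection is disabled), and it probes the path to a domain controller with ICMP echo requests of the sizes Darren asks about (2000 versus 2048 bytes) so you can see where the firewall cut-off actually lies before deciding between the registry change and the PIX change. The DC name is a placeholder; the 500 kbps default threshold is Microsoft's documented default for Group Policy slow link detection.

```powershell
# Added example, not from the thread. Audits the slow-link-detection registry
# workaround and probes a DC with ICMP echoes of increasing payload size.

function Get-SlowLinkPolicyState {
    # Reads the machine and user policy keys that Adam's .reg fragments write to.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',
        'HKCU:\Software\Policies\Microsoft\Windows\System'
    )
    foreach ($path in $paths) {
        $rate = $null
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name 'GroupPolicyMinTransferRate' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $rate = [int]$item.GroupPolicyMinTransferRate }
        }
        if ($null -eq $rate) {
            $state = 'NotConfigured (default 500 kbps threshold applies)'
        } elseif ($rate -eq 0) {
            $state = 'Disabled (every link is treated as fast)'
        } else {
            $state = "Threshold $rate kbps"
        }
        [pscustomobject]@{
            Key                        = $path
            GroupPolicyMinTransferRate = $rate
            SlowLinkDetection          = $state
        }
    }
}

function Test-IcmpPayloadPath {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        # 1472 is the largest payload that fits an unfragmented Ethernet frame;
        # 2000 and 2048 are the two sizes the thread is unsure about.
        [int[]]$PayloadSizes = @(32, 1472, 2000, 2048)
    )
    foreach ($size in $PayloadSizes) {
        # One echo request per size; -Quiet yields $true only if a reply came back.
        # Payloads above 1472 bytes are fragmented, so a firewall that drops
        # fragments or caps ICMP length will show as a failure from that size up.
        $reply = Test-Connection -ComputerName $ComputerName -Count 1 -BufferSize $size -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Target            = $ComputerName
            PayloadBytes      = $size
            EchoReplyReceived = [bool]$reply
        }
    }
}

# Usage: run on a workstation at the remote site; replace the placeholder DC name.
Get-SlowLinkPolicyState | Format-Table -AutoSize
Test-IcmpPayloadPath -ComputerName 'dc01.example.internal' | Format-Table -AutoSize
```

Run from a client behind the PIX, the second table tells you which payload size first stops getting a reply; if 2000 succeeds and 2048 fails, the firewall's limit is the round 2048 rather than "2K" in the loose sense, which answers Darren's question without reading Cisco documentation. The first table is the check to run after rolling out either the .reg files or the copied registry.pol, to confirm the value actually landed in both hives.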
