I too have seen these issues with VPN before, but unfortunately changing the
MTU did not help for me.

Robert Raver wrote:
> 
> Everybody,
> 
> I would have to agree with Chuck. I work on TAC for their VPN support and
> deal with these issues every day.  If the tunnel establishes and the traffic
> does not pass then look at the MTU.  MTU can cause a lot of problems!!!!
> 
> Thanks,
> Robert Raver
> Cisco Systems Inc.
> [EMAIL PROTECTED]
> 
> 
> 
> 
> ----- Original Message -----
> From: "Chuck's Long Road" 
> To: 
> Sent: Tuesday, October 01, 2002 3:21 PM
> Subject: Re: VPN tunnel with IPSec over GRE [7:54634]
> 
> 
> > Some other folks had some good things to say in response. I just wanted to
> > add an experience I had that I was pretty much able to verify in my lab as
> > well as on a customer network.
> >
> > Customer ran IPX on their network. For particular locations, the cost of
> > frame relay was hideous, so we proposed a VPN. We tunneled IPX through a GRE
> > tunnel with IPSEC 3DES. Connectivity was fine. I saw all routes. We could
> > ping the routers throughout the network (IP was enabled on all routers for
> > remote management). I saw all IP routes and all IPX routes. IPX pings and IP
> > pings router to router worked fine.
> >
> > But the customer workstations could not log on to the IPX servers, let alone
> > do any work.
> >
> > Drove me nuts. We had TAC cases open, we had some vendor involvement for
> > Novell and for PCAnywhere, which the customer used to distribute their
> > application. I believe I even had a thread going here on the issue.
> >
> > When I did some testing in my home lab, mimicking the customer network, I
> > found a number of problems when I would do IPX and IP pings using a 1500
> > byte packet, but the problems disappeared when I used a 1499 byte packet
> > size. Go figure.
> >
> > I also know that using my employer's VPN (Cisco VPN client connecting to a
> > CVPN box) that there was a problem with a particular application (it would
> > not work over the VPN, but worked fine when I was in the office) that was
> > solved by reducing the MTU for the VPN connection (setting on the Cisco VPN
> > client software) from the default to about 600 bytes.
> >
> > So, whether it is logical or not, it would seem that connections over IPSEC
> > tunnels can be positively or adversely affected by MTU size.
> >
> > There is probably a good reason for this. Maybe counting on my fingers, all
> > the headers, payloads, etc would yield an answer.
> >
> > But MTU definitely can contribute to problems over IPSEC.
> >
> >
> > Chuck
> > --
> >
> > www.chuckslongroad.info
> > like my web site?
> > take the survey!
> >
> >
> >
> > "Thomas N." wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hi All,
> > >
> > > I am setting up a site-to-site VPN between 2 LANs using Cisco IOS VPN (Cisco
> > > 2600 routers).  I could get the tunnel up and running between the two LANs
> > > with IPSec over GRE so that I can run EIGRP.  Data transfer between 2 LANs
> > > across the tunnel looks OK, and all dynamic routes learned with EIGRP.
> > > However, a problem comes up when I put a Proxy Server on the first LAN and
> > > force Internet traffic from workstations from the second LAN to go out with
> > > this Proxy server.  Workstations from the second LAN could browse Internet
> > > across the tunnel to reach the Proxy server then hit the Internet; however,
> > > the performance is very poor (seems like browsing over a 56k modem).  I am
> > > thinking this may be because of fragmentation on the 2 routers.  Is there
> > > any work around for this issue?  If MTU size needs to be adjusted, what
> > > would be the ideal MTU size for IPSec over GRE tunnel in "tunnel" mode?
> > > Again, thank you All for the help!
> > >
> > > Thomas N.
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54671&t=54634
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
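
The header counting suggested in the quoted thread, worked through as an added example (not part of any poster's message). The function names are illustrative, and it assumes IPv4 without options, a basic 4-byte GRE header, ESP with 3DES-CBC and a 96-bit HMAC ICV, no NAT-T, and a 1500-byte path MTU, none of which the thread states beyond 3DES.

```python
# Added example: per-packet overhead of GRE carried inside ESP.
# Assumed (not stated in the thread): IPv4 without options, basic GRE header,
# ESP with 3DES-CBC and a 12-byte truncated HMAC ICV, no NAT-T, path MTU 1500.

IPV4_HDR = 20     # IPv4 header, no options
GRE_HDR = 4       # GRE without key/sequence/checksum fields
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def wire_size(inner_len, block=8, iv=8, icv=12, tunnel_mode=True):
    """Bytes on the wire for an inner packet of inner_len after GRE + ESP."""
    # GRE delivery IP header + GRE header + the original packet
    gre_packet = IPV4_HDR + GRE_HDR + inner_len
    if tunnel_mode:
        protected = gre_packet             # the whole GRE/IP packet is encrypted
    else:
        protected = gre_packet - IPV4_HDR  # transport: GRE's IP header stays outside
    # Plaintext plus ESP trailer is padded up to the cipher block size.
    ciphertext = -(-(protected + ESP_TRAILER) // block) * block
    # Outer IP header + ESP header + IV + ciphertext + integrity check value
    return IPV4_HDR + ESP_HDR + iv + ciphertext + icv


def max_inner_mtu(path_mtu=1500, **esp):
    """Largest inner packet that fits in path_mtu without fragmentation."""
    size = path_mtu
    while size > 0 and wire_size(size, **esp) > path_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    mtu = max_inner_mtu()
    print("tunnel mode, 3DES: inner MTU", mtu, "-> TCP MSS", mtu - 40)
    print("transport mode, 3DES: inner MTU", max_inner_mtu(tunnel_mode=False))
    print("1500-byte LAN packet on the wire:", wire_size(1500), "bytes")
```

Under these assumptions a full 1500-byte LAN packet grows to 1576 bytes and must be fragmented or dropped, while small packets such as default-size pings and routing updates fit easily.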
