Well the ISP doesn't support Annex M as the internet is only upto 8Mbps.

Also my 1801W doesn't support Annex M. It's a similar chipset to my remote 857W which means I get upto 20Mbps but not the full 24Mbps downstream or 2.5Mbps upstream.

I was thinking it was an MTU issue as they use 1492 out here but I have provissioned for that:

Dialer0

ip mtu 1492

So I really don't get it?

I mean the traceroutes that I've run seem to go VPN hopping, as in going via ISP based VPN to one country then via another VPN to the destination country.

- I've never experienced that with my 857W which is located in the UK currently.

Maybe I just won't get proper internet anymore and might need to buy a Zyxell or some other consumer type system which would be unable to handle the 1800+ connections made to other servers/users per day.

I mean at work where we use a Zyxell I can connect perfectly to anywhere with no problem. It's just slow! But at home with my 1801W??? Nothing works :-(

As a Cisco engineer that would be quite a shame to loose the only connection I have to Cisco devices as they're not that popular in the country I'm based in currently as knowledge/price is low/high so..... uh!

Hi,

you should change the layer-2 MTU at the dialer not the IP MTU, ie:

interface dialer0

mtu 1492

You also need to adjut TCP-MSS on the LAN side to a recommended value of 1460.

If you still experience the same, then I would look for a hardware replacment and try with 857W as well and see.

HTH

Mohamed

you should change the layer-2 MTU at the dialer not the IP MTU, ie:
interface dialer0
mtu 1492

Both ways are acceptable. The advantage of chaning interface MTU is only faster PPP negotiation.

Can you try to adjust the mss on your inbound interface for example vlan1 (or whatever Vlan number are you using)

#interface vlan 1

  #ip tcp adjust-mss 1452

And see if there is any difference

Regards

I'll give these config changes a go tonight when I get home.

Hopefully I'll be able to report back tonight but if not I'll be back tomorrow with some more info :-)

Thanks very much for the help!

Check out that if you are using wireless, the commannd goes under bvi1, not vlan1.

Forget about overhead and stuff.

Just apply the commanf as it is, under the inside IP interface.

Thanks a lot everything worked and I can now connect without any issues :-)

Transfer does seem to be a bit slow as there's a lag when browsing but at least I can access the Cisco support forum again.

Quote:

Forget about overhead and stuff.

Sorry.... I guess it's just me just trying to understand things at the core level. We're dealing with slightly more advanced topics then I covered while doing CCNA and of course not working with this stuff yet; means that I am still restricted to what I can afford to get at home but there is always hope out there :-)

Thanks guys for everyone's input!! You rock! :-)

Very good, please remember to rate useful posts clicking on the stars below.

There is however still a glitch with my VPN for some reason?

I mean it's online as running:

sh crypto isakmp sa gives me this:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
      QM_IDLE           2010    0 ACTIVE

and running: sh crypto ipsec sa gives generally good output however I do get a few errors:

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 426, #recv errors 0

    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 426, #recv errors 0

for the various ACL parameters I've set.....

Could this be related to the MTU as before or is it something else that is causing so many send and receive errors???

I added extra config to the VPN which was this:

crypto isakmp invalid-spi-recovery

as I thought that it might help in resolving the "Invlaid SPI" notice I kept getting from the syslog and debugging.

The actual config is standard standard Site-to-Site:

crypto isakmp policy 10
authentication pre-share
crypto isakmp key address
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set esp-3des esp-md5-hmac
!
crypto map 10 ipsec-isakmp
set peer
set transform-set
match address 101

with crypto map under the Dialer0 interface.

I also have this: ip nat inside source route-map NO-NAT interface Dialer0 overload

and this:

route-map NO-NAT permit 10
match ip address 110

with ACL's matching my internal networks for VPN packet forwarding and blocking the internal network addresses for NAT'ting.

Any ideas? Thanks!

If you are sure the ACL is right, try: "no ip cef".

I tend to apply this on every build of router I make these days as I had major system lockups with my geographically remote 857w - this device is now fully operational and working and currently not the device in question; am just using it to compare and contrast.

I did the same to my 1801w when I first built it and the config hasn't changed since then.

The strange part is that with the old DSLAM my VPN was working absolutely fine and now with the new DSLAM my old (and still current) config isnt' working?

If necessary I can post the full config of the router here but I'm not sure how good that would do as there 'was' an already working config in place.

Would updating the IOS version help?

Currently am running 12.4T (6)

Thanks