TCC_2

Core issue

E-mail traffic is blocked over the VPN tunnel.

This issue occurs when TCP/25 connections are established through the tunnel but the endpoint drops the session after the 3-way handshake.

E-mail traffic gets blocked when the IOS Firewall's default session establishment and half-open session thresholds are still in use although the traffic demand on the network is much higher. New sessions in excess of the thresholds are then dropped.

Resolution

In order to identify this issue, use these commands:

Hostname# show ip inspect statistics
Hostname# show ip inspect config

Once verified, add these commands in order to resolve this issue:

Hostname(config)# ip inspect max-incomplete low 800
Hostname(config)# ip inspect one-minute low 3500
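
For the verification step, the script below checks saved `show ip inspect config` output for thresholds that are still at their defaults. It is an added example, not Cisco's code: the sample outputs are constructed, the `[low:high]` line format is assumed from typical IOS output, and the 400/500 defaults are an assumption to confirm against the IOS release in use.

```python
import re

# Assumed classic IOS Firewall defaults as (low, high); confirm for your release.
DEFAULTS = {"one-minute": (400, 500), "max-incomplete": (400, 500)}

# Matches e.g. "one-minute (sampling period) thresholds are [400:500] connections".
# The per-host "max-incomplete tcp connections" line has no bracket pair, so it is skipped.
THRESHOLD_RE = re.compile(
    r"^(one-minute|max-incomplete)\b.*thresholds are \[(\d+):(\d+)\]", re.M)

# Constructed sample of a router that still uses the default thresholds.
SAMPLE_DEFAULT = """\
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
"""

# Constructed sample after the thresholds were raised (high values are illustrative).
SAMPLE_RAISED = """\
one-minute (sampling period) thresholds are [3500:4000] connections
max-incomplete sessions thresholds are [800:1000]
"""

def parse_thresholds(show_output):
    """Return {name: (low, high)} for the global inspection thresholds."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in THRESHOLD_RE.finditer(show_output)}

def review(show_output):
    """List findings for thresholds that are missing or still at the defaults."""
    found = parse_thresholds(show_output)
    findings = []
    for name, default in DEFAULTS.items():
        if name not in found:
            findings.append(f"{name}: threshold line not found")
        elif found[name] == default:
            low, high = default
            findings.append(f"{name}: still at default [{low}:{high}]")
    return findings

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("raised", SAMPLE_RAISED)):
        print(label, review(text) or "no findings")
```

A router that reports default thresholds while `show ip inspect statistics` shows session counts near those values matches the condition described under Core issue.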

This might also be an MTU size-related issue. In order to resolve MTU-related issues on the router, refer to "Unable to pass large packets through the site-to-site VPN tunnel, IPSec, with the routers and the PIX 500 Series Firewall".