Files larger than 1K are not able to go through the tunnel.
The remote desktop session does not come up for remote machines on the far end.
The VPN tunnel is established and pinging is functional. However, applications that use large packets, such as File Transfer Protocol (FTP), Remote Desktop Protocol (RDP) or Structured Query Language (SQL), do not work.
The problem is related to either of these issues:
Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
Fragmentation policy during encryption
Complete these steps in order to resolve this issue:
Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.
You can also use the ping test:
ping -l 1400 192.168.1.1 -f
192.168.1.1 is the IP address of the remote machine.
Continue to reduce the value of 1400 by 20 until there is a reply.
Note: The magical value, which works in most instances, is 1300.
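The ping test above can be scripted. The following PowerShell is an added example, not part of the original document or any Cisco tooling. It steps the payload down by 20 from 1400 with the DF bit set until a reply arrives, then reports the sizes derived from it. The floor of 500 bytes, the 32-byte reachability check and the header arithmetic (20-byte IPv4, 8-byte ICMP, 20-byte TCP headers without options) are assumptions of this example.

```powershell
param(
    [string]$Target = '192.168.1.1',  # remote machine address used on this page
    [int]$Start = 1400,               # first payload size to try, as on this page
    [int]$Step = 20,                  # reduction per attempt, as on this page
    [int]$Floor = 500                 # assumption: give up below this payload size
)

function Test-DfPing {
    param([string]$Address, [int]$Size)
    # -f sets Don't Fragment, -l sets the ICMP payload size,
    # -n 2 sends two echo requests, -w 2000 waits 2 s for each reply.
    $out = & ping.exe -n 2 -w 2000 -f -l $Size $Address
    # Only a real echo reply line contains "TTL="; "needs to be fragmented",
    # "unreachable" and "timed out" lines do not.
    return [bool]($out -match 'TTL=')
}

# Check plain reachability first so a dead host is not mistaken for an MTU limit.
if (-not (Test-DfPing -Address $Target -Size 32)) {
    Write-Error "No reply from $Target with a 32-byte payload; fix reachability first."
    return
}

$size = $Start
while ($size -ge $Floor -and -not (Test-DfPing -Address $Target -Size $size)) {
    Write-Host "No reply with $size bytes and DF set; reducing by $Step"
    $size -= $Step
}
if ($size -lt $Floor) {
    Write-Error "No DF-set ping below $Start got a reply down to $Floor bytes."
    return
}

# ping -l counts ICMP payload only: add 8 (ICMP) + 20 (IPv4) for the IP packet size.
$ipPacket = $size + 28
[pscustomobject]@{
    Target          = $Target
    PingPayload     = $size            # largest tested payload that got a reply
    IpPacketSize    = $ipPacket        # usable MTU is at least this, within one step
    TcpMssForPacket = $ipPacket - 40   # minus 20 (IPv4) and 20 (TCP) header bytes
}
```

Because the probe moves in steps of 20, the true limit can be up to 19 bytes above the reported payload.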
After the appropriate maximum segment size is achieved, adjust it appropriately for the devices in use:
Note: If this does not resolve the issue on the router, issue the crypto ipsec df-bit clear command in order to set the Don't Fragment (DF) bit for the encapsulating header in tunnel mode on all interfaces. This also helps to resolve most of the application issues with IPSec over Generic Routing Encapsulation (GRE) tunnel interfaces.
Refer to these documents for more illustrative information on fragmentation and MSS: