TCC_2

Core issue

This issue shows up in any of these situations:

  • FTP traffic does not get across the tunnel.
  • Files larger than 1K are not able to go through the tunnel.
  • The remote desktop session does not come up for remote machines on the far end.

Resolution

The VPN tunnel is established and pinging is functional, but applications that use large packets, such as File Transfer Protocol (FTP), Remote Desktop Protocol (RDP) or Structured Query Language (SQL), do not work.
The problem is related to either of these issues:
  • Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
  • Fragmentation policy during encryption


Complete these steps in order to resolve this issue:
  1. Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.

    You can also use the ping test:

    ping -l 1400 192.168.1.1 -f

    192.168.1.1 is the IP address of the remote machine.

  2. Reduce the 1400 value by 20 at a time and repeat the ping until there is a reply.

    Note: The value that works in most instances is 1300.
  3. After the largest working size is found, set the maximum segment size appropriately for the devices in use:

    On the Router:

    ip tcp adjust-mss 1300


    On the PIX Firewall:

    sysopt connection tcpmss 1300


    Note: If this does not resolve the issue on the router, issue the crypto ipsec df-bit clear command in order to clear the Don't Fragment (DF) bit in the encapsulating header in tunnel mode on all interfaces. This also helps to resolve most of the application issues with IPsec over Generic Routing Encapsulation (GRE) tunnel interfaces.
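The ping walk-down above, automated as an added example that is not part of the original post: it probes with the DF bit set from 1400 down in steps of 20, reports the largest ICMP payload that gets a reply, and derives a conservative MSS from it (payload + 28 bytes of IP/ICMP header gives the path MTU; minus 40 bytes of IP/TCP header gives the MSS). The host 192.168.1.1, the `runner` injection hook and the `windows` switch are assumptions for illustration; the post's own rule of thumb uses the working payload size directly.

```python
import re
import subprocess
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP header
IP_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)

# Windows and Linux ping report a DF-bit drop with different wording.
FRAG_NEEDED = re.compile(r"needs to be fragmented|Frag needed|message too long", re.I)
REPLY = re.compile(r"bytes from|Reply from", re.I)


def ping_df(host: str, payload: int, windows: bool = False) -> str:
    """Send one ping with DF set and the given ICMP payload; return raw output."""
    if windows:
        cmd = ["ping", "-n", "1", "-l", str(payload), "-f", host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def payload_fits(output: str) -> bool:
    """True when the unfragmented probe was answered, not rejected as too big."""
    return bool(REPLY.search(output)) and not FRAG_NEEDED.search(output)


def find_largest_payload(host: str, start: int = 1400, step: int = 20,
                         floor: int = 1200,
                         runner: Optional[Callable[[int], str]] = None,
                         windows: bool = False) -> Optional[int]:
    """Walk the payload down from `start` by `step` until a DF ping is answered."""
    run = runner or (lambda p: ping_df(host, p, windows))  # hypothetical hook
    payload = start
    while payload >= floor:
        if payload_fits(run(payload)):
            return payload
        payload -= step
    return None  # nothing fit above the floor; suspect something other than MTU


def recommend_mss(payload: int) -> int:
    """Conservative MSS for `ip tcp adjust-mss` / `sysopt connection tcpmss`."""
    path_mtu = payload + IP_ICMP_OVERHEAD
    return path_mtu - IP_TCP_OVERHEAD


if __name__ == "__main__":
    best = find_largest_payload("192.168.1.1")  # assumed remote host
    print(best, recommend_mss(best) if best else None)
```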

Refer to these documents for more illustrative information on fragmentation and MSS:
