Re: Lan-to-Lan VPN Upload Issue

murphyw · ‎02-21-2006

Hi everyone,

I am hoping someone can shed a little light on this for me (had a TAC open for well over a week, not that quick at getting back to me).

Anyhow, i have a Cisco 837 ADSL Router connecting to a VPN Concentrator using IPSec. Their are no connecting issues and browsing the Internet is working without any issues. The problem I have is with uploads through the VPN connection.

If i try sending information from the ADSL Site to the Central Site, it just starts timing out. A packet capture shows a lot of retransmissions and also some duplicate ACKs going on.

Cisco have suggested changing the External Interface on the Concentrator to reset the DF bit. This has not made any difference.

Anyhow, i have tested uploading through the ADSL Line without a VPN Connection and there are no issues on the line, its definately something to do with the VPN.

Any help would be much appreciated.

Regards

Wayne

murphyw · ‎02-21-2006

Got a response from CiscoTAC. The fix for this is to set the Clear DF-Bit on the Concentrator and to do something similar on the Router;

Router commands

(config)# crypto ipsec df-bit clear

(config)# int eth0

(config-if)#ip tcp adjust-mss 1200

Cheers

Wayne

rszumloz · ‎02-21-2006

When you do an FTP the first part of the connection negotiates the MTU size. Set the server or the client to an MTU size of 1200 and this will give you a quick fix for the problem and you will not see any slowdown of the connection. You can use this program. http://www.dslreports.com/drtcp A reboot is necessary after this chnage is done.

You need to do this because when wrapping the encryption packets around the FTP session it causes the MTU size to be bigger that 1500 which causes fragmentation and dropped packets (normal firewall activity for fragmented packets).

Adjusting MTU size on the devices in between the connection will do nothing since MTU size is negotiated between the client and server.

.