
problem join win2k domain with Cisco ipsec encryption

ymulia (Level 1)

Two Cisco 2650XM routers with a 2 Mb leased-line connection between HQ and the branch.

The link is encrypted with IPsec 3DES.

The problem arises when a Win2k workstation at the branch site wants to join the domain at the HQ domain controller.

It takes a very long time to join the domain; most of the time it just hangs at the login screen.

But when we remove the encryption from the serial interface, meaning there is no encryption for the link, it runs perfectly.

Both routers have a VPN module.

Please advise,

Thanks in advance

4 Replies

mostiguy (Level 6)

Joining the domain is a one-time event. When you add a machine to the domain, you are already logged into it. You configure it to join the domain, and the routine asks you for a user account with credentials to join the domain (because currently you are logged into the local machine with local administrative credentials). You enter them, wait a bit, and the machine asks to be rebooted.

Long hangs at the login screen sound like a problem after a reboot. Do these long hangs occur just after you have added a machine to the domain?

Are you running an NT 4 domain or a Windows 2000 AD? Do you have any local servers in the branch office? Are the branch office clients configured with DNS and WINS settings for the main office?

Thanks for the reply,

The machine was added to the domain when there was no encryption implemented, and everything was running well.

Transferring files between clients and the server was also working fine.

After encryption for the link was implemented, logging in to the domain and transferring files became a problem.

The HQ site is running Windows 2000 AD; there is no local server in the branch office. Clients will search for the domain controller at HQ.

Yes, branch clients are configured with DNS and WINS settings.

Branch clients are able to ping the Win2k server with the encryption. I just suspect the IPsec encryption is unable to encrypt/decrypt Windows traffic like NetBIOS?

Is anybody using encryption and joining a domain from a branch site without problems?

Thanks & please advise,

NetBIOS traffic runs over TCP/IP; it should be encrypted just like everything else.

Windows can be quirky, as it will sometimes send packets with the Don't Fragment bit set, and if the router cannot fragment them and they are too large for the tunnel's MTU (which is smaller because of the IPsec overhead), it has to drop them.

When you do a show ipsec crypto sa on the PIX, is the "packets not encrypted" counter or the "sent packets" counter > 0?

Ideally you would have a local domain controller for authentication. You can try googling for "tcp kerberos windows 2000": with a registry tweak, you can force Win2k to use TCP instead of UDP for authentication, which can help with packet size limitations for a couple of reasons. That might help speed up logins.
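To make the DF-bit point above concrete, here is an added worked example (constructed for this page, not code from the thread or from Cisco) that does the ESP tunnel-mode size arithmetic for the 3DES/HMAC link described in the question: how big a 1500-byte inner packet becomes after encapsulation, what the encrypting router does with it depending on the DF bit, and the largest inner packet that still fits the physical MTU. Header sizes follow RFC 4303; the IV and ICV lengths assumed are those of 3DES-CBC (8-byte block) and the 96-bit truncated HMACs (HMAC-SHA1-96, HMAC-MD5-96). The `classify` function models post-encryption fragmentation for DF-clear packets and an ICMP "fragmentation needed" drop for DF-set packets; that is the behaviour the reply describes, not a claim about any particular IOS release.

```python
"""ESP (tunnel mode) size arithmetic for the DF-bit / MTU problem above.

Constructed example, not from the original thread. Header sizes follow RFC 4303
(ESP); IV and ICV lengths are those of 3DES-CBC and HMAC-SHA1-96 / HMAC-MD5-96.
"""
import math

IP_HDR = 20          # outer IPv4 header added by tunnel mode
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
IV_LEN = {"3des": 8, "aes": 16}               # IV length == cipher block size
ICV_LEN = {"sha1": 12, "md5": 12, "none": 0}  # truncated HMAC (96 bits)


def esp_tunnel_len(inner_len, cipher="3des", auth="sha1"):
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    block = IV_LEN[cipher]
    # plaintext plus the 2-byte ESP trailer is padded up to the cipher block size
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return IP_HDR + ESP_HDR + IV_LEN[cipher] + padded + ICV_LEN[auth]


def max_inner_len(link_mtu=1500, cipher="3des", auth="sha1"):
    """Largest inner packet that still fits the physical MTU once encapsulated."""
    n = link_mtu
    while esp_tunnel_len(n, cipher, auth) > link_mtu:
        n -= 1
    return n


def classify(inner_len, df, link_mtu=1500, cipher="3des", auth="sha1"):
    """Model what the encrypting router does with one inner packet.

    Returns (action, detail):
      ("forward", encapsulated_len)  fits the link as-is
      ("fragment", fragment_count)   DF clear: encrypt, then fragment the ESP packet
      ("drop", next_hop_mtu)         DF set: drop and send ICMP type 3 code 4 that
                                     advertises the largest inner size that would fit
    """
    total = esp_tunnel_len(inner_len, cipher, auth)
    if total <= link_mtu:
        return ("forward", total)
    if df:
        return ("drop", max_inner_len(link_mtu, cipher, auth))
    # post-encryption fragmentation: every fragment carries its own 20-byte IP
    # header and all but the last carry a payload that is a multiple of 8 bytes
    per_frag = (link_mtu - IP_HDR) // 8 * 8
    return ("fragment", math.ceil((total - IP_HDR) / per_frag))


def suggested_tcp_mss(link_mtu=1500, cipher="3des", auth="sha1"):
    """MSS to clamp on the LAN side so a full TCP segment never hits the DF drop."""
    return max_inner_len(link_mtu, cipher, auth) - 40  # 20 IP + 20 TCP headers


if __name__ == "__main__":
    # Constructed inputs: a full-size packet with and without DF, and a smaller one.
    for size, df in [(1500, True), (1500, False), (1400, True)]:
        print(f"inner={size} DF={df}: {classify(size, df)}")
    print("max inner:", max_inner_len(), "clamp MSS to:", suggested_tcp_mss())
```

A full 1500-byte packet grows to 1552 bytes under 3DES/SHA-1, so with DF set it cannot cross a 1500-byte serial link and the router must drop it; if the ICMP "fragmentation needed" message never reaches the Windows host (filtered, or the host ignores it), the session stalls exactly the way the original poster describes. The `max_inner_len` figure (1446 here) is the kind of value one would use for `ip mtu` on the tunnel-facing interface, and `suggested_tcp_mss` the value for clamping the TCP MSS of LAN hosts (on IOS, `ip tcp adjust-mss` on the LAN interface) so that full-size TCP segments are never generated in the first place.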

Thank you for your help,

Problem solved after we added in "no ip route-cache" and "no ip mroute-cache" on the serial interface.

Best Regards,