Site-to-site IPSec VPN

nojpt
Level 1

Hi,

We have a unique problem with one of our VPN field office setups. The VPN tunnel seems to be working perfectly, but applications such as HTTP, SMTP and others don't work.

Firewall policies between sites are properly configured and do not filter these applications.

The field office has a 128kbps dsl connection to internet whereas HQ has a dual ds3.

For the most part the problem was that web content would not display in IE. The web server is pingable and DNS is resolving properly. In the case of SMTP, replication does not go through between the mail servers located on both sides, but again both are pingable from each other.

We are running out of ideas and running out of time resolving the problem. Anything that could help will be much appreciated.

Thanks!

Jonathan

2 Replies

geoff.noden
Level 1

Hi Jonathan,

This sounds strangely similar to a problem that I encountered in our development lab. We had two offices in different cities connected via two PIX-501s.

In our case, both sides used DSL connections, but from different providers.

We had problems with various applications, but the one that stuck out was web-based apps not working.

We ended up adjusting the MTU size downwards until we hit a sweet spot.

Off the top of my head, there was an article on DSLreports.com, and I believe an article on Cisco that provided background to this issue.

In a nutshell, packets routing across the VPN incur some overhead, and the default MTU size of 1492 bytes (1500 - 8 bytes for the TCP/IP header) resulted in fragmented packets. The issue is often encountered in DSL installations.

We used Dr.TCP to adjust the MTU size on the windows boxes, but if you use the Cisco VPN client, it also allows you to adjust the MTU size.

You also need to set the MTU size on your routers.

Hope it helps!

Geoff

attrgautam
Level 5

On the outgoing interface, just set ip tcp adjust-mss 1350 and see if it helps. It looks like an MTU issue over the VPN.
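To make the overhead argument in Geoff's reply and the adjust-mss suggestion above concrete, here is an added worked example (not code from the thread or from Cisco) that sizes an ESP tunnel-mode packet from a given TCP payload and derives the largest MSS that still fits a path MTU without fragmentation. The header sizes are the standard IPv4/ESP values; the cipher and integrity choices (3DES-CBC or AES-CBC with a 96-bit HMAC, optional NAT-T UDP encapsulation) and the 1492-byte DSL path MTU are assumptions chosen to match the scenario, not measurements from either poster's network.

```python
"""Estimate ESP tunnel-mode packet size and a fragmentation-safe TCP MSS.

Added example for the thread above. The arithmetic models how a TCP segment
grows once the VPN gateway wraps it in ESP, which is why a segment that fits
a 1500-byte LAN no longer fits a 1492-byte PPPoE/DSL path.
"""

IPV4_HDR = 20        # outer (tunnel) and inner IP headers, no options
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # UDP header added by NAT traversal encapsulation

# Assumed transform set sizes (IV length and cipher block size in bytes).
CIPHERS = {
    "3des-cbc": {"iv": 8, "block": 8},
    "aes-cbc": {"iv": 16, "block": 16},
}
# Truncated HMAC integrity check value (96 bits) for the common transforms.
ICV_LEN = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_tunnel_size(payload_len, cipher="3des-cbc",
                    integrity="hmac-sha1-96", nat_t=False):
    """Return the on-the-wire size of an ESP tunnel-mode packet carrying a
    TCP segment with `payload_len` bytes of data."""
    inner = IPV4_HDR + TCP_HDR + payload_len
    block = CIPHERS[cipher]["block"]
    # CBC padding: inner packet + pad + trailer must be a block multiple.
    pad = (-(inner + ESP_TRAILER)) % block
    encrypted = inner + pad + ESP_TRAILER
    outer = IPV4_HDR + (NAT_T_UDP if nat_t else 0)
    return outer + ESP_HDR + CIPHERS[cipher]["iv"] + encrypted + ICV_LEN[integrity]


def fits(payload_len, path_mtu, **transform):
    """True if the encrypted packet does not need fragmentation on the path."""
    return esp_tunnel_size(payload_len, **transform) <= path_mtu


def max_mss(path_mtu, **transform):
    """Largest TCP MSS whose ESP-wrapped packet still fits `path_mtu`.

    This is the value you would clamp to (e.g. with a tcp adjust-mss style
    setting); choosing a somewhat smaller number leaves headroom for TCP
    options or a larger IV/ICV than assumed here.
    """
    mss = path_mtu - IPV4_HDR - TCP_HDR   # upper bound before any ESP overhead
    while mss > 0 and not fits(mss, path_mtu, **transform):
        mss -= 1
    return mss


if __name__ == "__main__":
    DSL_MTU = 1492   # assumed PPPoE/DSL path MTU from the thread
    # Default MSS for a 1500-byte Ethernet LAN is 1460: does it survive ESP?
    print("1460-byte segment over 3DES/SHA1 ->", esp_tunnel_size(1460), "bytes")
    print("fits 1492?", fits(1460, DSL_MTU))
    print("max MSS (3DES, no NAT-T):", max_mss(DSL_MTU))
    print("max MSS (AES-CBC + NAT-T):",
          max_mss(DSL_MTU, cipher="aes-cbc", nat_t=True))
    print("1350 fits AES-CBC + NAT-T?",
          fits(1350, DSL_MTU, cipher="aes-cbc", nat_t=True))
```

Running it shows why the symptoms in the original post are TCP-specific: ICMP echo and DNS queries are small enough to pass, while a full-size 1460-byte HTTP or SMTP segment becomes a 1552-byte ESP packet that exceeds the 1492-byte path, so it is either fragmented or, if the DF bit is set and the ICMP "fragmentation needed" message is blocked somewhere, silently lost. The 1350 value suggested above comfortably fits even with the larger AES IV and NAT-T encapsulation.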