I'm experiencing very slow Windows domain logins over an IPSec VPN connection. The AD is in Site 1, some users are in Site 2. Two Cisco ASA firewalls connect both sites by an IPSec VPN over the Internet.
I made some registry changes on the Windows XP client in Site 2 to let Kerberos communicate over TCP instead of UDP. Still the logins take extremely long (45 minutes). Profiles are very small, so there has to be a problem with Kerberos, MTU sizes or something like that. I already changed the client's MTU setting to 1000 bytes, but login is still very slow. I made some sniffer logs...
Does anybody know what the problem can be?
The most common issue with slowness over VPN is going to be fragmentation. In general, below are the recommendations to avoid fragmentation:
1. For TCP traffic, use "ip tcp adjust-mss 1360" on the Internal LAN Interface on the Router. If you are using GRE then configure "ip mtu 1400" under the Tunnel Interface.
If you are not using GRE then the value of "ip tcp adjust-mss" depends on the type of transform-set being used (e.g. AES/3DES etc.), so you can increase the value of the TCP adjust command from 1360 to a higher value. Though I would start from 1360 first for testing.
Also take a look at the below article for MTU Issues
I already thought it would have something to do with fragmentation. I adjusted the MTU setting on the Windows XP client to 1000 by regedit. But the same slow performance. I've noticed that the MTU is about 1273 bytes, by the ping -f -l 1272 command. So this way, it has to work, doesn't it?
Thank you for the reply.
Did you also configure "ip tcp adjust-mss.." since you are using TCP for Kerberos now?
If that also didn't help then we will have to analyze the packet captures to see where the delay could be, the best way to do that is to open a TAC case and then TAC can analyze the captures taken at both ends.
I think you mean the "sysopt connection tcpmss" command. The other command is for a router. We are using a Cisco ASA firewall here.
What does the command do? Correct me if I'm wrong, but lowering the MTU setting on the client to 1000, or lowering the MTU size on the ASA interfaces to 1000, achieve the same results, don't they?
Yes. The 'sysopt connection..' command on the ASA serves the same purpose as the "ip tcp adjust-mss..." on the router.
A value of 1380 should be fine assuming you are not encrypting GRE traffic (i.e. no router behind the ASA acting as a GRE endpoint)?
If the above is true and you are still seeing the issue, we will need to analyze the captures taken at both ends.
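The MSS clamp values discussed in this thread (1360 with GRE, 1380 without) come from working out how much room ESP tunnel-mode encapsulation leaves inside a 1500-byte path MTU. The script below is an added example, not code from the thread or from Cisco; it assumes typical overhead sizes (20-byte outer IPv4 header, 8-byte ESP SPI/sequence, AES-CBC with a 16-byte IV and 16-byte block padding or 3DES with 8/8, a 12-byte HMAC-SHA1-96 ICV, 4-byte GRE header, optional 8-byte NAT-T UDP header) and lets you check whether a given clamp will fragment, or find the largest MSS that will not. It also converts a successful Windows `ping -f -l <size>` into the path MTU it implies (ICMP payload plus 8 bytes ICMP and 20 bytes IP), which is the measurement the poster used above.

```python
import math

# Assumed header sizes (constructed for this example; typical, not from the thread)
IPV4_HDR = 20
TCP_HDR = 20
ICMP_HDR = 8
ESP_SPI_SEQ = 8       # ESP header: SPI + sequence number
ESP_TRAILER = 2       # pad length + next header, encrypted with the payload
GRE_HDR = 4           # basic GRE, no key/sequence options
NAT_T_UDP = 8         # UDP/4500 encapsulation when NAT traversal is active

# cipher name -> (IV length, cipher block size) for CBC mode
CIPHERS = {"aes": (16, 16), "3des": (8, 8)}


def encrypted_size(mss, cipher="aes", gre=False, nat_t=False, icv_len=12):
    """Size on the wire of one full-MSS TCP segment after ESP tunnel-mode encapsulation."""
    inner = IPV4_HDR + TCP_HDR + mss           # the cleartext IP packet being protected
    if gre:
        inner += GRE_HDR + IPV4_HDR            # GRE over IPsec adds GRE + another IP header
    iv_len, block = CIPHERS[cipher]
    # ESP pads inner packet + trailer up to the cipher block size before encrypting
    padded = math.ceil((inner + ESP_TRAILER) / block) * block
    total = IPV4_HDR + ESP_SPI_SEQ + iv_len + padded + icv_len
    if nat_t:
        total += NAT_T_UDP
    return total


def fragments(mss, path_mtu=1500, **kw):
    """True if a full-MSS segment would exceed the path MTU after encryption."""
    return encrypted_size(mss, **kw) > path_mtu


def max_mss(path_mtu=1500, **kw):
    """Largest MSS clamp whose encrypted packets still fit in path_mtu without fragmenting."""
    mss = path_mtu - IPV4_HDR - TCP_HDR        # upper bound: MSS on a plain link
    while mss > 0 and fragments(mss, path_mtu, **kw):
        mss -= 1
    return mss


def mtu_from_windows_ping(payload_len):
    """Path MTU implied by the largest 'ping -f -l <payload_len>' that succeeds on Windows."""
    return payload_len + ICMP_HDR + IPV4_HDR


if __name__ == "__main__":
    for cipher in CIPHERS:
        for gre in (False, True):
            print(f"{cipher:5s} gre={gre!s:5s} max MSS at 1500 = {max_mss(1500, cipher=cipher, gre=gre)}")
    print("1460 (default) fragments over AES IPsec:", fragments(1460, cipher="aes"))
    print("1380 fragments over AES IPsec:", fragments(1380, cipher="aes"))
    print("1360 fragments over GRE + AES IPsec:", fragments(1360, cipher="aes", gre=True))
    # The poster's 'ping -f -l 1272' succeeding implies a 1300-byte path MTU on that link
    print("path MTU from ping -f -l 1272:", mtu_from_windows_ping(1272))
    print("max MSS for that 1300-byte path over AES:", max_mss(1300, cipher="aes"))
```

The loop in `max_mss` steps down one byte at a time rather than solving the padding arithmetic in closed form, so the same function stays correct when you change the cipher block size, add NAT-T, or plug in a measured path MTU. Running it shows why 1360/1380 leave a safe margin at 1500 bytes, and why a clamp that is fine for 1500 still fragments on a path that only passes 1300.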
Adding the command "ip tcp adjust-mss 1360" on the LAN interface of the router resolved my slow login issue. I had an IPSEC tunnel between two sites.