
VPN Between PIX and VPN Client Connection slow down

m.hossein
Level 1

Hi all

I installed my VPN connection between a PIX501 with IOS 6.3(1) and Cisco VPN Client 4.0.1...

Everything goes well till I start connecting to my DBase server behind the PIX...

I noticed that the connection slows down and I cannot run the application from my VPN Client PC..

Is there a consideration I have to consider while I am connecting to my remote DB server behind the PIX???

Please note that I am using DSL internet service with 256Kbps to connect the two sites, and the ping command gave me around 250 - 350 ms with the reply...

Your reply is highly appreciated..

Best regards,

Magdy

2 Replies

admukada
Level 1

Hi Magdy,

There are a few things we would want to check.

1> Did we replicate the same issue from another PC ?

2> Did we replicate the issue from another Site ?

These issues are mostly caused by the MTU across the link. This may not be specific to a site. The link MTU can vary from site to site. We shall try to check the MTU size which can travel across without fragmentation. For that:

* Once the VPN client is connected, open up the DOS prompt.

* ping -l <MTU size> -f <DBase server IP>

e.g. start with ping -l 1400 -f <IP address of server>

* We may get "packet needs fragmentation". Keep on reducing the MTU size till we get an echo reply from the server. Let's say the MTU size we get is 1270.

* On the PIX, issue the command:

sysopt connection tcp-mss 1270 ( reconfirm if it's tcpmss or tcp-mss )

This would not reduce the size of the packet at layer 3, but it would do it at layer 4 instead. And this would help to speed up the connection considerably.

* These issues occur because, let's say, the max size of packet which can travel across the tunnel without fragmentation is 1270.

* A packet with size 1300 comes to the PIX from the server; the PIX would not be able to send the packet through the tunnel as the don't fragment bit is set on it. And the packet would get dropped.

* The sysopt tcpmss command would fragment the packet at layer 4. By this we have already reduced the size of the packet & now it can travel across the tunnel.

>> If the above still doesn't work much ( which it should ) we can try to set the MTU size on the client ( although the issue mostly is on the head end ).

* To set MTU on the VPN client,

Start > Program > Cisco VPN client > Set MTU.

Set the MTU which we have found. The system would ask you to reboot.

>>> These are the only things which can be possible on the client & the PIX end.

If we still face issues then it would be a performance issue & you would want to check with the ISP end.

Let me know if any query

Thanks

Adi

aditya.mukadam@gmail.com
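
The probing procedure from the reply above, automated as an added example (not code from the thread or from Cisco). It binary-searches the largest `ping -f -l` payload that gets an echo reply and converts it to packet and TCP MSS sizes using the standard IPv4, ICMP and TCP header lengths without options; the function names, the 500 to 1472 search range and the `TTL=` reply check are assumptions.

```python
import subprocess

IP_HEADER = 20    # IPv4 header, no options
ICMP_HEADER = 8   # ICMP echo header
TCP_HEADER = 20   # TCP header, no options


def windows_df_ping(host, payload):
    """One echo request with Don't Fragment set, as in `ping -l <size> -f <host>`.

    Assumption: Windows ping, whose echo-reply lines contain "TTL=".
    """
    result = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(payload), host],
        capture_output=True, text=True)
    return "TTL=" in result.stdout


def largest_df_payload(probe, low=500, high=1472):
    """Largest payload in [low, high] for which probe(payload) is True.

    Returns None when even `low` fails, which points at reachability
    rather than MTU. Assumes every payload below the limit passes.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def sizes_from_payload(payload):
    """Convert an ICMP payload size to IP packet size and matching TCP MSS."""
    packet = payload + ICMP_HEADER + IP_HEADER
    return {"icmp_payload": payload, "ip_packet": packet,
            "tcp_mss": packet - IP_HEADER - TCP_HEADER}


if __name__ == "__main__":
    # Constructed stand-in for the tunnel: payloads above 1270 bytes are dropped.
    simulated_path = lambda size: size <= 1270
    best = largest_df_payload(simulated_path)
    print(sizes_from_payload(best))
    # Against a real host: largest_df_payload(lambda n: windows_df_ping("<server IP>", n))
```

Because `ping -l` counts only the ICMP data, a largest passing payload of 1270 corresponds to a 1298-byte IP packet and a TCP MSS of 1258.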

aftermath
Level 1

Hi Magdy,

This looks like one of the very first issues I ever had myself with VPN.

Although there are obvious security concerns, you can ENABLE "split tunneling".