383 Views | 0 Helpful | 5 Replies

VPN breaks with different ISP

tato386
Level 6

I have been running a hub-and-spoke IPSec/GRE tunnel based network using the same ISP at all locations for several years with no problem. I use 1721 routers at the remote offices and a PIX at the hub site. All traffic, including Internet browsing, is routed thru the hub site where a PIX/WebSense combo does URL filtering. Recently we started to migrate to a new ISP. I reconfigured two remote offices to use the IPs and T1 of the new ISP. I did not have to make any changes to the IPSec/GRE config and the new office tunnels seem to come up fine. However, when users started browsing they immediately noticed that some, only some, web sites would not load anymore. The browser would just hang at "loading page". Funny thing is that all applications that remotes hit at the hub run fine and many web sites also run fine. I immediately assumed an MTU issue and began to lower the MTU of the new tunnels. I went all the way to a ridiculously low 768 MTU and no luck. At this point I don't know what to try next. I have temporarily re-routed the remote PCs directly out of their T1 to relieve the problem but I need to get them routed back thru the hub so we can filter URLs. What can I try/troubleshoot here?

Thanks,

Diego

1 Accepted Solution

aacole
Level 5

Hi Diego,

Have you tried using the ip tcp adjust-mss command on the 1721 routers to adjust the TCP segment size?

Have a look at this url for more details, it may help you here.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html

Andy

5 Replies

None of my routers are blocking any type of ICMP. What I did was use "ip mtu 1420" on the tunnel interface and "ip tcp adj-mss 1400" on the ethernet interface where the clients reside. So far, so good.

Thanks!

Diego

Diego,

Did you have to set the MTU on all the interfaces or just the public interfaces?

I am having a similar issue with ADSL in India with a PIX501 Ezvpn back to the US end that has a 3005 concentrator. Everything worked for a month or so, now outlook client stopped working and one of our intranet web servers pages won't load for them.

I've tried lowering the "sysopt conn tcpmss" on the PIX as low as 1100, MTUs on the clients, PIX, and 3005. Made sure ICMP was not blocked as well. ISP in India of course says nothing has changed...

I was able to remote desktop onto one of the PCs and get the webpages from our intranet server in the US to load at 2AM India time. Then it all breaks again by the time they get into the office... Even with only one PC up and running on the LAN.

I'm stumped on this one.

Jeff

In my case the PIX is not a tunnel endpoint; it is only an IPSec endpoint. I have 1700 routers that have a GRE tunnel to a 2600 router that is behind the PIX. So I use an MTU of 1420 on the tunnel interfaces of the remote router and the hub router behind the PIX. I then use an MSS of 1400 (slightly smaller than the MTU) on the inside ethernet of the remote 1700 so that PC clients negotiate a smaller MSS. I encrypt the GRE between the remote router and the PIX but the GRE actually terminates behind the PIX at the 2600. My PIX is using defaults.

Hope this helps.

Diego
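Andy's accepted answer (ip tcp adjust-mss) and Diego's description of where he placed the 1420 MTU and 1400 MSS, written out as a remote 1721 configuration. This is an added example, not configuration posted in the thread; the addresses, interface and tunnel numbers, and the crypto map name TO-HUB are placeholders, and the check commands assume standard IOS ping syntax.

```cisco
! Remote 1721 side (added example; addresses and names are placeholders).
!
! GRE tunnel to the hub 2600 behind the PIX. The 1420 value leaves room for
! the 24-byte GRE encapsulation plus ESP overhead inside the 1500-byte T1 path.
interface Tunnel0
 description GRE to hub 2600, encrypted by the crypto map on Serial0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1420
 tunnel source Serial0
 tunnel destination 203.0.113.10
!
! Inside LAN where the PCs sit. Clamping the MSS in the SYN makes every client
! negotiate segments that fit the tunnel, so a working path no longer depends on
! ICMP type 3 code 4 ("fragmentation needed") getting back through the ISP.
! MSS = tunnel MTU 1420 - 20 (IP header) - 20 (TCP header) = 1400 (Diego's value).
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip tcp adjust-mss 1400
!
! WAN side: IPsec protects the GRE traffic to the PIX. No MTU change is needed
! here; the clamp belongs on the interface the TCP sessions actually enter.
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 crypto map TO-HUB
!
! Checks after applying (assumed IOS ping syntax):
!   show interfaces tunnel0 | include MTU
!   ping 10.255.0.1 size 1420 df-bit    ! fits the tunnel MTU, should succeed
!   ping 10.255.0.1 size 1421 df-bit    ! exceeds it with DF set, should be dropped
!   show ip interface fastethernet0 | include MSS
```

The hub router behind the PIX needs the matching `ip mtu 1420` on its own tunnel interface; the MSS clamp only has to be on the interface facing the clients, since it rewrites the option on the SYN as it passes.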

jeffrey_ala
Level 1

Are you blocking ICMP Type 3 and 4 messages anywhere in the path? If so, try unblocking them. Also make sure the ISP is not filtering anything. Perhaps this is happening and PMTU is broken.

Jeff