W2K logon through a VPN tunnel over ADLS problem

jpersyn
Level 1

Problem:

When I try to log on to our W2K domain with the Cisco 3000 VPN client 3.5.1(C) using the "enable start before logon" option, I'm only able to log on with cached information. I can ping all my servers in the network (IP addresses or names), I can telnet to devices, but I can't open my mail or connect to shares.

I already tried this with a WXP and a W2K PC because of the difference in the use of the PPPoE protocol (embedded in XP).

If I try this with an ISDN or modem DIAL-UP connection I CAN log on to the domain, and then I CAN connect to shares, open my mail, and so on.

SETUP:

A Concentrator 3015 set up with an internal database with 1 user (for testing) and a route to our internal network (10.x.y.z).

All traffic is tunneled over port 80.

Has anyone had the same problem? I have currently logged this problem with 3 different providers, but none has a workable solution yet.

3 Replies

jpersyn
Level 1

I got it working for WXP clients using the following article.

The MTU was changed, but not only the LAN MTU had to be changed; the DIAL-IP MTU also had to be changed in order to make it work (overhead).

http://www.cisco.com/warp/public/707/ipsec_debug.html

kenneth.bailey
Level 1

We resolved the problem by forcing Kerberos to always use TCP instead of UDP on the client machines. To do this, apply the following registry fix:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

"MaxPacketSize"=dword:00000001

anezereau
Level 1

Is the MTU set between 1200 and 1400?
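The MTU check the replies above are talking about, as an added example that is not part of the thread: a script that binary-searches for the largest ICMP payload that crosses the tunnel with the Don't-Fragment bit set, which tells you whether a Kerberos UDP datagram will be fragmented inside the tunnel. The `PMTU_HOST` variable, the function names and the Linux iputils `ping -M do -s` flags are assumptions; on a Windows client the equivalent probe is `ping -f -l SIZE`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Finds the largest unfragmented
# ICMP payload towards a host inside the tunnel and converts it to the
# path MTU, so the LAN / dial-up MTU can be set below it.

# probe_real SIZE: one ping with DF set (Linux iputils syntax, assumed).
# Returns success if a SIZE-byte payload got through unfragmented.
probe_real() {
  ping -c 1 -W 1 -M do -s "$1" "$PMTU_HOST" >/dev/null 2>&1
}

# pmtu_search PROBE LOW HIGH: binary search for the largest payload size
# in [LOW, HIGH] for which PROBE succeeds. Prints that size.
pmtu_search() {
  local probe=$1 lo=$2 hi=$3 mid
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if "$probe" "$mid"; then
      lo=$mid          # fits: search upwards
    else
      hi=$((mid - 1))  # fragmented or dropped: search downwards
    fi
  done
  echo "$lo"
}

# ICMP payload + 8-byte ICMP header + 20-byte IPv4 header = path MTU.
payload_to_mtu() { echo $(( $1 + 28 )); }

# Only probe the network when a target host was supplied (constructed guard).
if [ -n "${PMTU_HOST:-}" ]; then
  payload=$(pmtu_search probe_real 500 1472)
  echo "largest unfragmented payload: $payload bytes"
  echo "path MTU through the tunnel: $(payload_to_mtu "$payload") bytes"
fi
```

Run it as `PMTU_HOST=<a server in 10.x.y.z> ./pmtu.sh`; if the reported MTU is below the client's configured LAN or dial-up MTU, Kerberos UDP replies larger than that value will be fragmented, which is the condition the TCP registry fix above sidesteps.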