Velocity Reviews

Cisco forum thread: Large Packets from site to site VPN not coming through (http://www.velocityreviews.com/forums/t632916-large-packets-from-site-to-site-vpn-not-coming-through.html)

chary 08-29-2008 03:41 PM

Large Packets from site to site VPN not coming through
 
I am in desperate need of help. I've been trying to configure this 1841 Cisco router for 2 months and cannot get SMTP to route properly from our other site. Smaller SMTP packets come through fine, but when a large email tries to come through, everything stops. This also happens with any other type of larger packet.

I have a feeling it may be an MTU setting or something with fragmentation, or the IP virtual-reassembly line on the interfaces.
I would greatly appreciate any help from anyone. I have copied my config. Let me know if anyone needs any more information.

ip cef
!
ip domain name fake.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
! 2nd Location
crypto isakmp key ****** address 22.22.22.201
! 3rd Location
crypto isakmp key ****** address 62.223.29.9
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset3des esp-3des esp-md5-hmac
!
crypto map newmap 10 ipsec-isakmp
set peer 22.22.22.201
set security-association lifetime seconds 86400
set transform-set myset
match address 101
crypto map newmap 11 ipsec-isakmp
set peer 62.223.29.9
set security-association lifetime seconds 86400
set transform-set myset3des
match address 102
!
!
!
interface Loopback23
ip address 1.1.1.1 255.255.255.252
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
!
interface FastEthernet0/0
description outside
ip address 77.33.232.101 255.255.255.248
ip verify unicast reverse-path
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule out
ip virtual-reassembly
ip route-cache flow
duplex full
speed 100
no keepalive
crypto map newmap
!
interface FastEthernet0/1
description inside
ip address 192.168.1.1 255.255.255.0
ip access-group 104 in
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule in
ip virtual-reassembly
ip route-cache flow
ip policy route-map NO_NAT_ROUTE
duplex auto
speed auto
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool GLOBALNAT 77.33.232.102 77.33.232.102 netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 pool GLOBALNAT overload
ip nat inside source static 192.168.1.2 77.33.232.103
ip nat inside source static 192.168.1.3 77.33.232.104
! smtp and dns
ip nat inside source static 192.168.1.4 77.33.232.105
!
logging trap debugging
logging 10.31.1.19
access-list 1 permit 10.31.0.0 0.0.255.255
! 2nd Location
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
! 3rd Location
access-list 102 permit ip 192.168.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 130 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 130 deny ip 192.168.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 130 permit ip 192.168.0.0 0.0.255.255 any
access-list 131 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 131 permit ip 192.168.0.0 0.0.255.255 10.20.0.0 0.0.255.255
no cdp run
!
route-map NO_NAT_ROUTE permit 1
match ip address 131
set ip next-hop 1.1.1.2
!
route-map SDM_RMAP_1 permit 1
match ip address 130
!

padvou 09-03-2008 06:45 AM

defrag
 
It looks like fragmentation to me.
Try to calculate the MTU for the VPN traffic.

bradlee71 09-05-2008 06:42 PM

Large packets not coming through....
 
I ran into this a while back. I set an MSS limit of 1266 (VPN overhead takes you over the 1500 MTU on large packets) on the outbound interface.
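The two replies above both come down to the same arithmetic: tunnel-mode ESP adds an outer IP header, an ESP header, an IV, padding and an ICV, so a full 1500-byte inner packet no longer fits the 1500-byte outbound link and must be fragmented after encryption, or dropped if DF is set. When the ICMP "fragmentation needed" reply is itself filtered (the posted config runs `ip inspect`, IPS and uRPF on the outside interface, and blocks nothing explicitly, but any filter in the path can eat it), the sender never learns the path MTU, and TCP shows exactly the symptom in the first post: short exchanges work, bulk transfers stall. The calculator below is an added example, not code from the thread or from Cisco; it models the overhead of the posted transform sets (`esp-des esp-md5-hmac` and `esp-3des esp-md5-hmac`, tunnel mode, no IP/TCP options) using the byte counts from RFC 4303 (ESP), RFC 2405/2451 (DES/3DES-CBC, 8-byte IV and block), RFC 2403/2404 (HMAC-MD5-96/SHA1-96, 12-byte ICV) and RFC 3948 (NAT-T adds an 8-byte UDP header), derives the largest MSS that fits a 1500-byte path, and emits the matching `ip tcp adjust-mss` lines for the poster's inside interface `FastEthernet0/1` (name taken from the posted config). The result is the theoretical maximum; a lower value such as the 1266 suggested above leaves margin for NAT-T, PPPoE or a smaller MTU further upstream, which the `headroom` argument models.

```python
"""ESP tunnel-mode overhead calculator (added example, not code from the thread).

Models what an IOS router does to an inner IPv4 packet when it applies one of the
transform sets from the posted config (esp-des / esp-3des with esp-md5-hmac) and
derives the largest TCP MSS that still fits a 1500-byte path MTU.
Assumes tunnel mode, IPv4 and no IP or TCP options.
"""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2    # pad length + next header, inside the encrypted region
NAT_T_UDP = 8      # present only when NAT-T (UDP/4500, RFC 3948) is negotiated

# IOS transform keyword -> (IV length, cipher block size); auth keyword -> ICV length
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16)}
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


@dataclass(frozen=True)
class TransformSet:
    cipher: str
    auth: str
    nat_t: bool = False

    @property
    def fixed_overhead(self) -> int:
        """Bytes added outside the encrypted region: outer IP, optional UDP, ESP header, IV, ICV."""
        iv = CIPHERS[self.cipher][0]
        return IPV4_HDR + (NAT_T_UDP if self.nat_t else 0) + ESP_HDR + iv + AUTHS[self.auth]

    @property
    def block(self) -> int:
        return CIPHERS[self.cipher][1]


def esp_packet_size(ts: TransformSet, inner_len: int) -> int:
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after tunnel-mode ESP."""
    plaintext = inner_len + ESP_TRAILER
    padding = (-plaintext) % ts.block          # pad the encrypted region up to the block size
    return ts.fixed_overhead + plaintext + padding


def max_tcp_mss(ts: TransformSet, link_mtu: int = 1500) -> int:
    """Largest TCP payload whose encrypted packet still fits link_mtu without fragmentation."""
    budget = link_mtu - ts.fixed_overhead      # room left for the encrypted region
    budget -= budget % ts.block                # the encrypted region is block-aligned
    mss = budget - ESP_TRAILER - IPV4_HDR - TCP_HDR
    # sanity check: this MSS fits, one byte more does not
    assert esp_packet_size(ts, IPV4_HDR + TCP_HDR + mss) <= link_mtu
    assert esp_packet_size(ts, IPV4_HDR + TCP_HDR + mss + 1) > link_mtu
    return mss


def needs_fragmentation(ts: TransformSet, inner_len: int, link_mtu: int = 1500) -> bool:
    """True when the router must fragment (or, with DF set, drop) the encrypted packet."""
    return esp_packet_size(ts, inner_len) > link_mtu


def adjust_mss_lines(ts: TransformSet, interface: str,
                     link_mtu: int = 1500, headroom: int = 0) -> list[str]:
    """IOS lines clamping the MSS in SYNs crossing `interface`; headroom lowers the value further."""
    return [f"interface {interface}",
            f" ip tcp adjust-mss {max_tcp_mss(ts, link_mtu) - headroom}"]


if __name__ == "__main__":
    # The two transform sets from the posted config, named as in the thread.
    sets = {"myset": TransformSet("esp-des", "esp-md5-hmac"),
            "myset3des": TransformSet("esp-3des", "esp-md5-hmac")}
    for name, ts in sets.items():
        for inner in (100, 1500):
            print(f"{name}: {inner}-byte inner packet -> {esp_packet_size(ts, inner)} bytes "
                  f"on the wire, fragmentation needed: {needs_fragmentation(ts, inner)}")
        print(f"{name}: max MSS on a 1500-byte path = {max_tcp_mss(ts)}")
        print("\n".join(adjust_mss_lines(ts, "FastEthernet0/1")))
```

`ip tcp adjust-mss` rewrites the MSS option in SYN segments in both directions on the interface it is applied to, so the inside interface is the usual place for it; it only helps TCP. For other protocols that set DF, IOS also offers `crypto ipsec df-bit clear` so the router fragments after encryption instead of dropping, and `ip mtu` on the interface to pre-fragment before encryption. Whatever is chosen, verify with a DF-set ping of the computed size across the tunnel before and after the change.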

