Cisco 1721 831 VPN Setup

Discussion in 'Cisco' started by Sam Cole, Nov 19, 2004.

  1. Sam Cole

    Sam Cole Guest

    I have a problem with the setup of a pure Cisco VPN.
    At one end I have a 1721 router and at the other ends I have two 831
    routers.
    I am using site to site VPN and the good news is both VPN tunnels are
    up and running.

    The bad news is that one of the tunnels will not allow all services to
    operate through it.
    A ping of packets up to 1400 in size is fine and responds in an
    expected amount of time. However, when I try a more complex thing like
    Terminal Services (RDP) I have a problem in that it only displays a
    black screen. Mapping a drive will also fail. But the pings carry on
    with 100% success. The MTU has not been changed on the router from the
    default size.

    The thing that makes it really strange is that the two 831s have an
    identical config (apart from IP addresses) and the other 831 worked
    out of the box without any problems.

    I have the configs if that would help, but I will edit them to remove
    IP addresses and logins before I post them.

    Has anyone got any ideas on if the problem is at the 1721 end or the
    831 end? I have spent far too long on this now, so for any help or requests
    for further information, email me or post to aid others.
    Sam
     
    Sam Cole, Nov 19, 2004
    #1

  2. PES

    PES Guest

    Sam Cole wrote:
    > I have a problem with the setup of a pure Cisco VPN.
    > At one end I have a 1721 router and at the other ends I have two 831
    > routers.
    > I am using site to site VPN and the good news is both VPN tunnels are
    > up and running.
    >
    > The bad news is that one of the tunnels will not allow all services to
    > operate through it.
    > A ping of packets up to 1400 in size is fine and responds in an
    > expected amount of time. However, when I try a more complex thing like
    > Terminal Services (RDP) I have a problem in that it only displays a
    > black screen. Mapping a drive will also fail. But the pings carry on
    > with 100% success. The MTU has not been changed on the router from the
    > default size.
    >
    > The thing that makes it really strange is that the two 831s have an
    > identical config (apart from IP addresses) and the other 831 worked
    > out of the box without any problems.
    >
    > I have the configs if that would help, but I will edit them to remove
    > IP addresses and logins before I post them.
    >
    > Has anyone got any ideas on if the problem is at the 1721 end or the
    > 831 end? I have spent far too long on this now, so for any help or requests
    > for further information, email me or post to aid others.
    > Sam


    PMTUD is definitely broken either by you or the ISP. First off, on your
    routers' inside interfaces make sure you haven't set no ip unreachables.
    Make sure that your outside access lists aren't blocking type 3 code
    4. You could then try to prove to the ISP that they are breaking PMTUD,
    but that would probably be fruitless. If you wanted to do that, use a
    packet generator like Nemesis to push ICMP type 3 code 4 from one end
    to the other and then back the other way. Is one end PPPoE? If so,
    drop the MTU on the other end to 1492. Also, I always recommend using
    the ip tcp adjust-mss on PPPoE routers due to some ISPs breaking PMTUD.
    Normally this would be set to 1452 with PPPoE and should be set on one of
    the interfaces the packet would traverse. You will want to drop this
    until it works as expected, maybe 1380. I don't have all of the details
    of the tunnel and I don't have time to do the math this morning. You
    need to keep dropping the MTU until packets greater than the MTU without
    the DF bit set will go through and come back.

    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Nov 19, 2004
    #2
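
Added example (not part of either post, and not Cisco's code): the overhead arithmetic the reply refers to, worked for IPv4 ESP tunnel mode. The thread does not say which transform set the tunnel uses, so the 3DES/SHA-1 and AES/SHA-1 parameters and the optional NAT-T header below are assumptions.

```python
# Added example: packet sizes for IPv4 carried in ESP tunnel mode.
# The transform parameters are assumptions; the thread does not give them.
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte
NAT_T_UDP = 8     # UDP header added when NAT traversal is in use


@dataclass(frozen=True)
class Transform:
    name: str
    block: int    # cipher block size in bytes (padding granularity)
    iv: int       # IV carried in every packet
    icv: int      # truncated HMAC appended to every packet


TDES_SHA1 = Transform("esp-3des esp-sha-hmac", 8, 8, 12)   # assumed
AES_SHA1 = Transform("esp-aes esp-sha-hmac", 16, 16, 12)   # assumed


def tcp_mss(ip_mtu):
    """MSS that keeps a full TCP segment within ip_mtu."""
    return ip_mtu - IP_HDR - TCP_HDR


def esp_packet_size(inner_len, t, nat_t=False):
    """Outer packet size after encapsulating an inner packet of inner_len."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // t.block) * t.block   # round up to block size
    udp = NAT_T_UDP if nat_t else 0
    return IP_HDR + udp + ESP_HDR + t.iv + padded + t.icv


def max_inner_packet(link_mtu, t, nat_t=False):
    """Largest inner packet whose encapsulated form still fits link_mtu."""
    udp = NAT_T_UDP if nat_t else 0
    room = link_mtu - IP_HDR - udp - ESP_HDR - t.iv - t.icv
    return (room // t.block) * t.block - ESP_TRAILER


def tunnel_mss(link_mtu, t, nat_t=False):
    """MSS to clamp to so TCP segments never need fragmenting in the tunnel."""
    return tcp_mss(max_inner_packet(link_mtu, t, nat_t))


if __name__ == "__main__":
    for mtu in (1500, 1492):
        for t in (TDES_SHA1, AES_SHA1):
            print(mtu, t.name, max_inner_packet(mtu, t), tunnel_mss(mtu, t))
```

On a 1492-byte PPPoE link the assumed AES/SHA-1 case yields an MSS of 1382, close to the 1380 suggested in the reply; without the tunnel the same link gives the 1452 the reply quotes.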