Large Packets from site to site VPN not coming through

Discussion in 'Cisco' started by chary, Aug 29, 2008.

  1. chary (Joined: Aug 26, 2008; Messages: 3)

    I am in desperate need of help. I've been trying to configure this 1841 Cisco Router for 2 months and cannot get SMTP to route properly from our other site. Smaller SMTP packets come through fine, but when a large email tries to come through everything stops. This also goes for any type of larger packet.

    I have a feeling it may be an MTU setting or something with fragmentation, or the ip virtual-reassembly line on the interfaces.
    I would greatly appreciate any help from anyone. I have copied my config. Let me know if anyone needs any more information.

    ip cef
    !
    ip domain name fake.com
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip ips sdf location flash://128MB.sdf autosave
    ip ips notify SDEE
    ip ips name sdm_ips_rule
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    !
    crypto isakmp policy 11
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key ****** address 22.22.22.201 (2nd Location)
    crypto isakmp key ****** address 62.223.29.9 (3rd Location)
    !
    !
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set myset3des esp-3des esp-md5-hmac
    !
    crypto map newmap 10 ipsec-isakmp
    set peer 22.22.22.201
    set security-association lifetime seconds 86400
    set transform-set myset
    match address 101
    crypto map newmap 11 ipsec-isakmp
    set peer 62.223.29.9
    set security-association lifetime seconds 86400
    set transform-set myset3des
    match address 102
    !
    !
    !
    interface Loopback23
    ip address 1.1.1.1 255.255.255.252
    no ip proxy-arp
    ip virtual-reassembly
    ip route-cache flow
    !
    interface FastEthernet0/0
    description outside
    ip address 77.33.232.101 255.255.255.248
    ip verify unicast reverse-path
    no ip proxy-arp
    ip nat outside
    ip inspect SDM_LOW out
    ip ips sdm_ips_rule out
    ip virtual-reassembly
    ip route-cache flow
    duplex full
    speed 100
    no keepalive
    crypto map newmap
    !
    interface FastEthernet0/1
    description inside
    ip address 192.168.1.1 255.255.255.0
    ip access-group 104 in
    no ip proxy-arp
    ip nat inside
    ip ips sdm_ips_rule in
    ip virtual-reassembly
    ip route-cache flow
    ip policy route-map NO_NAT_ROUTE
    duplex auto
    speed auto
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool GLOBALNAT 77.33.232.102 77.33.232.102 netmask 255.255.255.248
    ip nat inside source route-map SDM_RMAP_1 pool GLOBALNAT overload
    ip nat inside source static 192.168.1.2 77.33.232.103
    ip nat inside source static 192.168.1.3 77.33.232.104
    ip nat inside source static 192.168.1.4 77.33.232.105 (smtp and dns)
    !
    logging trap debugging
    logging 10.31.1.19
    access-list 1 permit 10.31.0.0 0.0.255.255
    access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255 (2nd Location)
    access-list 102 permit ip 192.168.0.0 0.0.255.255 10.20.0.0 0.0.255.255 (3rd Location)
    access-list 104 deny ip host 255.255.255.255 any
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any
    access-list 104 permit ip any any
    access-list 130 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
    access-list 130 deny ip 192.168.0.0 0.0.255.255 10.20.0.0 0.0.255.255
    access-list 130 permit ip 192.168.0.0 0.0.255.255 any
    access-list 131 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
    access-list 131 permit ip 192.168.0.0 0.0.255.255 10.20.0.0 0.0.255.255
    no cdp run
    !
    route-map NO_NAT_ROUTE permit 1
    match ip address 131
    set ip next-hop 1.1.1.2
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 130
    !
    chary, Aug 29, 2008
    #1

  2. padvou (Joined: Sep 3, 2008; Messages: 4)

    defrag

    It looks like fragmentation to me.
    Try to calculate the MTU for VPN traffic.
    padvou, Sep 3, 2008
    #2

  3. bradlee71 (Joined: Sep 5, 2008; Messages: 1)

    Large packets not coming through....

    I ran into this a while back. I set an MSS limit of 1266 (VPN overhead takes you over the 1500 MTU on large packets) on the outbound interface.
    bradlee71, Sep 5, 2008
    #3
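As an added worked example (not part of the thread or of chary's config), the following Python calculator shows the ESP tunnel-mode overhead of the transform sets posted above, why a full-size 1460-byte TCP segment no longer fits in a 1500-byte MTU after encryption, and the MSS ceiling that follows from it. It assumes IPv4, DES or 3DES in CBC mode with HMAC-MD5-96, and no further encapsulation unless NAT traversal is switched on.

```python
import math

# Fixed sizes in bytes for IPv4 ESP tunnel mode, matching the posted
# transform sets (esp-des / esp-3des with esp-md5-hmac).
IPV4_HDR = 20     # outer header added by tunnel mode; also the inner header
TCP_HDR = 20      # TCP header without options (MSS is defined against this)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
NAT_T_UDP = 8     # extra UDP header when NAT traversal encapsulation is used


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12, nat_t=False):
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner
    IPv4 packet of inner_len bytes.  Defaults: DES/3DES-CBC (8-byte block,
    8-byte IV) with HMAC-MD5-96 (12-byte ICV)."""
    # ESP pads payload + trailer up to a multiple of the cipher block size.
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = IPV4_HDR + ESP_HDR + iv + padded + icv
    if nat_t:
        size += NAT_T_UDP
    return size


def max_mss(path_mtu=1500, **kw):
    """Largest TCP MSS whose segments still fit in path_mtu after ESP
    encapsulation, i.e. the value above which the router must fragment."""
    mss = path_mtu - IPV4_HDR - TCP_HDR   # upper bound without any VPN
    while esp_tunnel_size(IPV4_HDR + TCP_HDR + mss, **kw) > path_mtu:
        mss -= 1
    return mss


def report(path_mtu=1500):
    """Summarise the unclamped and clamped cases for the posted transform sets."""
    full_segment = IPV4_HDR + TCP_HDR + (path_mtu - IPV4_HDR - TCP_HDR)
    return {
        "unclamped_packet_after_esp": esp_tunnel_size(full_segment),
        "max_mss_3des_md5": max_mss(path_mtu),
        "max_mss_3des_md5_nat_t": max_mss(path_mtu, nat_t=True),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

A 1500-byte inner packet grows to 1552 bytes, so it exceeds the 1500-byte WAN MTU and is fragmented; the computed ceiling for these transform sets is 1406, and the 1266 used in the thread sits below it with margin for other encapsulation on the path.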
