RTR tp 3005 VPN Not passing Active Directory

Discussion in 'Cisco' started by RM, Jan 30, 2004.

  1. RM

    RM Guest

    Is there a trick to getting AD to function over a router to 3005 VPN? When
    I take out the router and put a pix in its place everything works fine.
    With the router the vpn comes up and passes lower level traffic (ping, tftp,
    telnet) but AD will not replicate and drive maps do not work.

    Thanks

    -D
     
    RM, Jan 30, 2004
    #1

  2. In article <JdjSb.3870$>,
    RM <> wrote:
    :Is there a trick to getting AD to function over a router to 3005 VPN? When
    :I take out the router and put a pix in its place everything works fine.
    :With the router the vpn comes up and passes lower level traffic (ping, tftp,
    :telnet) but AD will not replicate and drive maps do not work.

    What do the logs say?

    We don't have experience with AD here yet; we're still with the
    NETBIOS-dependent Exchange Server, so my findings might or might
    not be relevant.

    With the NETBIOS-dependent version, I have noticed many instances in
    which the local end will open a connection to the remote Exchange
    server, put through a few packets, and close the connection (or let it
    lapse for UDP). Then at some arbitrary time later (minutes, hours,
    days, even more than a week later), when the server has something to
    say to the local system, it assumes that the local port is still
    available and attempts to connect to it... and will continue to attempt
    the connection for days until the local system happens to connect
    through again. Of course when the PIX sees the TCP connection close or
    sees inactivity on the UDP stream, it tears down the dynamic port
    translation and there's no way the server is going to be able to
    connect back.

    If you were to see similar problems in your situation, then there would
    be little that could be done except to statically map all your IPs (at
    least when talking to the server) and permit connections initiated from
    the server on all ports in the dynamic allocation range (typically 1024 -
    1199, but I don't think that's a fixed upper value.)

    But you might be having some other problem completely. We need
    to see the PIX logs to say much more.
    --
    Rome was built one paycheck at a time. -- Walter Roberson
     
    Walter Roberson, Jan 30, 2004
    #2

  3. RM

    RM Guest

    The pix piece was working like a champ, the router was screwing everything
    up and did not spit anything out in the logs. I believe what was happening
    is the MTU size was causing issues with the higher level AD stuff. I turned
    up a route map and set the DF Bit to zero and the problem went away. My
    thinking is that with the MTU set to 1500 on the server and all of the
    workstations, the IPSEC was adding overhead to the packet thus making it
    larger than 1500. The lower level protocols (icmp, tftp, telnet) could
    handle the fragmentation that takes place, but the AD stuff could not. I
    believe the PIX makes adjustments and handles that issue by default. I may
    be way off, but the commands below fixed it:

    2600(config)#route-map dfbit permit 10
    2600(config-route-map)#set ip df 0
    2600(config)#int FastEthernet0
    2600(config-if)#ip policy route-map dfbit

    Then there was also a setting on the 3005 to match.

     
    RM, Jan 31, 2004
    #3
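A constructed Python model of the explanation in RM's post, added here and not code from the thread or from Cisco: it computes the ESP tunnel-mode overhead a 1500-byte packet picks up on entering the IPsec tunnel and shows why a packet with DF set is dropped (ICMP fragmentation needed) while the route-map's `set ip df 0` lets the router fragment it instead. The overhead constants assume 3DES with HMAC-SHA1-96 in tunnel mode over Ethernet; real numbers vary with the transform set.

```python
"""Constructed model of the DF-bit / IPsec overhead problem (added example)."""

LINK_MTU = 1500          # assumption: Ethernet on both ends of the tunnel
IP_HDR = 20              # outer IPv4 header added by tunnel mode
ESP_HDR = 8              # SPI + sequence number
IV_LEN = 8               # assumption: 3DES-CBC, 8-byte IV (AES-CBC would be 16)
ESP_TRAILER_MIN = 2      # pad length + next header
ICV_LEN = 12             # HMAC-SHA1-96 truncated ICV
BLOCK = 8                # 3DES cipher block size


def esp_tunnel_size(inner_len: int) -> int:
    """Size of an inner IP packet after ESP tunnel-mode encapsulation."""
    # Everything encrypted = whole inner packet + ESP trailer, padded to a block.
    plain = inner_len + ESP_TRAILER_MIN
    padded = (plain + BLOCK - 1) // BLOCK * BLOCK
    return IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN


def forward(inner_len: int, df: bool, clear_df: bool = False) -> str:
    """Model the router's handling of one packet entering the tunnel.

    clear_df=True models the thread's route-map 'set ip df 0' applied to
    the inbound interface before encapsulation.
    """
    if clear_df:
        df = False
    outer = esp_tunnel_size(inner_len)
    if outer <= LINK_MTU:
        return "sent"
    if df:
        # Router must drop the packet and return ICMP type 3 code 4; if that
        # ICMP never reaches the host, the session silently stalls, which is
        # the AD replication / drive-mapping symptom described in the thread.
        return "dropped: ICMP fragmentation needed"
    return "fragmented"


def max_unfragmented_inner() -> int:
    """Largest inner packet that still fits the link after encapsulation."""
    n = LINK_MTU
    while esp_tunnel_size(n) > LINK_MTU:
        n -= 1
    return n


if __name__ == "__main__":
    print("1500-byte packet becomes", esp_tunnel_size(1500), "bytes on the wire")
    for size, df in ((84, True), (1500, True)):
        print(size, "DF" if df else "no-DF", "->", forward(size, df))
    print("with set ip df 0 ->", forward(1500, True, clear_df=True))
    print("largest inner packet that needs no fragmentation:", max_unfragmented_inner())
```

Clearing DF disables path MTU discovery for that traffic, so a lower host MTU or TCP MSS clamping at the router (IOS `ip tcp adjust-mss`) avoids the fragmentation the route-map merely makes possible.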