VPN over L2TP patchy connectivity while L2TP Traffic without VPN is fine.

Discussion in 'Cisco' started by Gary, Apr 22, 2005.

  1. Gary


    We set up an L2 tunnel between two ADSL users.

    At first nothing worked until we discovered the overhead of the L2 tunnel
    (40 bytes) and adjusted MTUs to compensate, and all seemed good.

    Then we added a VPN between these 2 users and things started to break again.

    i.e. ping works down the VPN, and various other things, but terminal services
    and Outlook trying to collect mail from the other end point do not.

    It seems that the VPN again plays havoc with the MTU or packet
    fragmentation.

    Config below fixed the initial issues.

    username NET-TEST-L2TP password 7 08
    username NET-TEST2-L2TP password 7 04

    vpdn enable
    vpdn multihop
    vpdn search-order domain
    vpdn domain-delimiter @ suffix
    !
    vpdn-group NET-TEST-L2TP
    accept-dialin
    protocol l2tp
    virtual-template 1
    terminate-from hostname NET-TEST-L2TP
    source-ip 82.151.255.5
    local name NET-TEST-L2TP
    lcp renegotiation always
    l2tp tunnel password 7 151

    #Added these 2 lines to fix initial issues.
    ip pmtu
    ip mtu adjust
    !
    vpdn-group NET-TEST2-L2TP
    accept-dialin
    protocol l2tp
    virtual-template 2
    terminate-from hostname NET-TEST2-L2TP
    source-ip x.x.x.x
    local name NET-TEST2-L2TP
    lcp renegotiation always
    l2tp tunnel password 7 01

    #Added these 2 lines to fix initial issues.
    ip pmtu
    ip mtu adjust


    interface Virtual-Template1
    ip unnumbered Loopback0
    no ip redirects
    no ip proxy-arp

    #Added this line as part of the fix
    ip tcp adjust-mss 1400
    ip policy route-map clear-df
    no logging event link-status
    peer default ip address pool SPPOOL
    keepalive 60
    ppp authentication chap
    ppp multilink
    ppp multilink fragment disable
    !
    interface Virtual-Template2
    ip unnumbered Loopback0
    no ip redirects
    no ip proxy-arp

    #Added this line as part of the fix
    ip tcp adjust-mss 1400
    ip policy route-map clear-df
    no logging event link-status
    peer default ip address pool SPPOOL
    keepalive 60
    ppp authentication chap
    ppp multilink
    ppp multilink fragment disable


    #Added this line as part of the fix
    access-list 111 permit tcp any any
    !
    route-map clear-df permit 10
    match ip address 111
    set ip df 0


    VPNs have the same types of issues as normal traffic had prior to the added
    lines above.

    How do I get the VPN to compensate or am I way off???

    Help please.
    Gary
     
    Gary, Apr 22, 2005
    #1

  2. In article <pqdae.5397$H53.1503@lakeread05>, Gary <> wrote:
    :We set up an L2 tunnel between two ADSL users.

    :At first nothing worked until we discovered the overhead of the L2 Tunnel
    :(40 bytes) and adjusted MTU's to compensate and all seemed good.

    :Then we added a VPN between these 2 users and things started to break again.

    Read the documentation on the tcpmss sysopt, see the calculation
    there, remove from the equation the AH layer if you aren't using
    AH, subtract off the L2 tunnel overhead; also subtract off
    the size of an IP header with options if you are using NAT-T
    [to take into account UDP encapsulation.]

    If you want a more exact number, temporarily disable the
    tcpmss sysopt and enable PMTUD (Path MTU Discovery) between
    two of the endpoints, and monitor to see what MTU they end up with.

    --
    History is a pile of debris -- Laurie Anderson
     
    Walter Roberson, Apr 23, 2005
    #2
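A worked version of the arithmetic Walter describes, which also shows where a figure like the `ip tcp adjust-mss 1400` in the first post has to come from. This is an added example, not code from either poster or from Cisco. It assumes the VPN is IPsec ESP carried inside the L2TP tunnel, takes the 40-byte L2TP overhead from the first post, and uses a 1500-byte link MTU, AES-CBC with HMAC-SHA1-96 and tunnel mode as defaults; the transform profiles, function names and the 3DES/MD5 alternative are assumptions for illustration. It goes slightly beyond the thread in also budgeting transport mode, NAT-T and AH, the three knobs Walter says to add or remove from the equation.

```python
"""Worked MSS/MTU budget for TCP inside IPsec ESP inside an L2TP tunnel.

Added example: the profiles, names and defaults below are assumptions for
illustration, not values taken from the thread or from any vendor document.
"""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20        # no options; TCP options consume MSS payload, not header budget
UDP_HDR = 8
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
AH_HMAC96 = 24      # AH header with a 96-bit ICV (HMAC-MD5-96 / HMAC-SHA1-96)
L2TP_OVERHEAD = 40  # the tunnel overhead measured in the first post


@dataclass(frozen=True)
class EspProfile:
    """Per-transform sizes that drive ESP padding and trailer length (assumed)."""
    name: str
    block: int  # cipher block size; plaintext + trailer is padded to a multiple of it
    iv: int     # IV length carried at the front of the ESP payload
    icv: int    # integrity check value appended after the trailer


AES_CBC_SHA1 = EspProfile("aes-cbc/hmac-sha1-96", block=16, iv=16, icv=12)
DES3_CBC_MD5 = EspProfile("3des-cbc/hmac-md5-96", block=8, iv=8, icv=12)


def esp_packet_len(inner_len, prof, tunnel=True, nat_t=False, ah=False):
    """Wire size of an IPv4 packet of inner_len bytes after ESP (and optionally AH).

    Tunnel mode encrypts the whole inner packet and adds a fresh outer IPv4
    header; transport mode reuses the inner IPv4 header and encrypts only the
    transport payload.  NAT-T inserts a UDP header between IP and ESP; AH in
    transport mode adds its own header and ICV outside ESP.
    """
    plaintext = inner_len if tunnel else inner_len - IPV4_HDR
    pad = (-(plaintext + ESP_TRAILER)) % prof.block
    esp = ESP_HDR + prof.iv + plaintext + pad + ESP_TRAILER + prof.icv
    total = IPV4_HDR + esp
    if nat_t:
        total += UDP_HDR
    if ah:
        total += AH_HMAC96
    return total


def wire_len(mss, prof, **ipsec):
    """Bytes on the ADSL link for a full-size TCP segment of the given MSS."""
    inner = IPV4_HDR + TCP_HDR + mss
    return L2TP_OVERHEAD + esp_packet_len(inner, prof, **ipsec)


def max_mss(path_mtu, prof, **ipsec):
    """Largest MSS whose full-size segment still fits path_mtu once wrapped.

    ESP padding makes the overhead jump in block-size steps, so walk down from
    the no-overhead bound instead of subtracting one fixed number.
    """
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and wire_len(mss, prof, **ipsec) > path_mtu:
        mss -= 1
    return mss


def fits(mss, path_mtu, prof, **ipsec):
    """True if a segment of this MSS never needs fragmentation on the link."""
    return wire_len(mss, prof, **ipsec) <= path_mtu


if __name__ == "__main__":
    MTU = 1500  # assumed link MTU; PPPoE links are usually 1492
    for prof in (AES_CBC_SHA1, DES3_CBC_MD5):
        for opts in ({}, {"nat_t": True}, {"ah": True}, {"tunnel": False}):
            label = ", ".join(opts) or "tunnel, no NAT-T, no AH"
            m = max_mss(MTU, prof, **opts)
            print(f"{prof.name:22} {label:24} max MSS {m:4d} "
                  f"-> {wire_len(m, prof, **opts)} bytes on the wire")
    print("MSS 1400 with", AES_CBC_SHA1.name, "fits", MTU, "?",
          fits(1400, MTU, AES_CBC_SHA1), "- wire size", wire_len(1400, AES_CBC_SHA1))
```

The result is a bound, not a measurement, which is why Walter's suggestion to watch what PMTUD settles on is the authoritative check: the script knows nothing about PPPoE, about TCP options (which shrink the payload, not the headers, so the MSS bound still holds) or about the real transform set in use. Under the assumed AES profile, an MSS of 1400 produces 1552-byte ESP packets for a 1500-byte link, and the `set ip df 0` route-map in the first post only masks that by letting the router fragment the encrypted packets rather than removing the overhead.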

  3. Gary


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:d4dj4b$76m$...
    > In article <pqdae.5397$H53.1503@lakeread05>, Gary <>
    > wrote:
    > :We set up an L2 tunnel between two ADSL users.
    >
    > :At first nothing worked until we discovered the overhead of the L2 Tunnel
    > :(40 bytes) and adjusted MTU's to compensate and all seemed good.
    >
    > :Then we added a VPN between these 2 users and things started to break
    > again.
    >
    > Read the documentation on the tcpmss sysopt, see the calculation
    > there, remove from the equation the AH layer if you aren't using
    > AH, subtract off the L2 tunnel overhead; also subtract off
    > the size of an IP header with options if you are using NAT-T
    > [to take into account UDP encapsulation.]
    >
    > If you want a more exact number, temporarily disable the
    > tcpmss sysopt and enable PMTUD (Path MTU Discovery) between
    > two of the endpoints, and monitor to see what MTU they end up with.
    >
    > --
    > History is a pile of debris -- Laurie Anderson


    I think those are PIX commands.

    The end points are routers, i.e. one Cisco router and one cheap-and-cheerful
    whatever ADSL router at the other end.

    We own the router in the middle which handles the VPDN or L2 Tunnel to the
    ADSL provider so they are invisible in the ADSL link.

    It looks like this

    One end user on whatever router connects via ADSL to the ADSL central pipe of
    our ADSL provider. We connect over VPDN to them so we hand out our own
    address space.

    The other ADSL end point is a Cisco router, and there are many connections
    coming in from remote offices to this Cisco router, which handles all the
    VPNs.

    When not using a VPN between end users all is OK.

    What commands should I read about on the routers, as opposed to the PIX,
    please?

    Gary
     
    Gary, Apr 24, 2005
    #3
