Ping timeout: lan to lan through vpn. (newbie)

Discussion in 'Cisco' started by Paul Clancy, Feb 2, 2004.

  1. Paul Clancy

    Paul Clancy Guest

    Hi.

    I have successfully set up a vpn between an IpCop box and a Cisco 837 FW. All
    working reasonably well except I get timeouts with certain packet sizes.
    This is causing problems for the remote end sending (amongst others) mail on
    smtp. I have tried pinging until I found the upper and lower limit of the
    packet size causing timeouts and it ranges from 1410 bytes to 1472 bytes. If
    I send a packet 1473 bytes it fragments and informs me. My ISP default
    config for DSL mtu is 1452 and both the 1721 and 837 are set to this value
    on eth0.

    The 837 is running Version 12.2(13)ZH2 and the 1721 Version 12.3(1a).

    How can I fix this problem?

    If more info is needed please let me know.

    Thanks,

    Paul
     
    Paul Clancy, Feb 2, 2004
    #1

  2. :I have successfully set up a vpn between an IpCop box and a Cisco 837 FW. All
    :working reasonably well except I get timeouts with certain packet sizes.
    :This is causing problems for the remote end sending (amongst others) mail on
    :smtp. I have tried pinging until I found the upper and lower limit of the
    :packet size causing timeouts and it ranges from 1410 bytes to 1472 bytes. If
    :I send a packet 1473 bytes it fragments and informs me. My ISP default
    :config for DSL mtu is 1452 and both the 1721 and 837 are set to this value
    :on eth0.

    That's a relatively low MTU, but not unheard of.

    VPN tunnels have per-packet overheads, so you have to send even less
    data in order to fit your packet within the 1452 limit that the DSL
    line will carry. A good firewall should be able to figure out the
    effective MTU, and should be able to reduce the effective MTU on the
    link if need be -- I see the appropriate messages sometimes on my
    pix-to-pix connections. You might need to explicitly permit "icmp
    unreachable" through some intermediate layers (and if there is NAT
    -after- that layer, you have to make sure the packets -from- the VPN
    device itself get NAT'd too, a point that is often overlooked.)


    These documents might help:

    http://www.cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a0080094268.shtml

    http://www.ietf.org/rfc/rfc1191.txt


    The IPCop 1.3 documentation appears to be lacking in the discussion
    of issues such as MTU. For those interested, it is at
    http://www.ipcop.org/cgi-bin/twiki/view/IPCop/IPCopDocumentationv01
     
    Walter Roberson, Feb 2, 2004
    #2

  3. Paul Clancy

    Paul Guest

    Hi Walter,

    Thanks for the reference material. It took a bit of reading and some further
    reading to understand what I was reading. Somewhere in all that I found
    reference to the vpn packets and the additional byte overhead. Taking all
    that into account I modified the "ip tcp adjust-mss" from 1452 to 1412 (40
    byte header) on the ethernet interface on each router and "presto" - smtp
    xfer from remote end worked!

    Thanks again.

    Paul
     
    Paul, Feb 5, 2004
    #3
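
The fix reported in post #3 works because `ip tcp adjust-mss` rewrites the MSS option in TCP SYN segments passing through the router, so both endpoints agree to send segments small enough to survive the tunnel overhead. The sketch below is an added example, not code from the thread or from Cisco: it applies the same clamp (1412, the value from the thread) to a constructed SYN and patches the checksum; the addresses and ports are made up.

```python
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the TCP checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def clamp_mss(tcp: bytes, clamp: int) -> bytes:
    """Lower the MSS option of a TCP SYN to `clamp` and patch the checksum."""
    hdr_len = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02 or hdr_len > len(tcp):  # MSS only appears on SYNs
        return tcp
    out, i = bytearray(tcp), 20
    while i + 1 < hdr_len:
        kind, length = out[i], out[i + 1]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > hdr_len:
            break                        # malformed option: leave untouched
        if kind == 2 and length == 4:
            if struct.unpack_from("!H", out, i + 2)[0] > clamp:
                lo, hi = (i + 2) & ~1, (i + 5) & ~1   # aligned words holding the value
                old = ones_sum(bytes(out[lo:hi]))
                struct.pack_into("!H", out, i + 2, clamp)
                new = ones_sum(bytes(out[lo:hi]))
                # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
                csum = struct.unpack_from("!H", out, 16)[0]
                s = ones_sum(struct.pack("!3H", ~csum & 0xFFFF, ~old & 0xFFFF, new))
                struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            break
        i += length
    return bytes(out)

def build_syn(src: bytes, dst: bytes, mss: int) -> bytes:
    """Constructed sample: 24-byte SYN to port 25 with one MSS option."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    csum = ~ones_sum(pseudo + tcp) & 0xFFFF
    return tcp[:16] + struct.pack("!H", csum) + tcp[18:]

def checksum_ok(src: bytes, dst: bytes, tcp: bytes) -> bool:
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_sum(pseudo + tcp) == 0xFFFF
```

A SYN that already advertises an MSS at or below the clamp, and any non-SYN segment, passes through unchanged.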
