RTR tp 3005 VPN Not passing Active Directory

Discussion in 'Cisco' started by RM, Jan 30, 2004.

  1. RM

    RM Guest

    Is there a trick to getting AD to function over a router to 3005 VPN? When
    I take out the router and put a pix in its place everything works fine.
    With the router the vpn comes up and passes lower-level traffic (ping, tftp,
    telnet) but AD will not replicate and drive maps do not work.

    Thanks

    -D
     
    RM, Jan 30, 2004
    #1

  2. :Is there a trick to getting AD to function over a router to 3005 VPN? When
    :I take out the router and put a pix in its place everything works fine.
    :With the router the vpn comes up and passes lower-level traffic (ping, tftp,
    :telnet) but AD will not replicate and drive maps do not work.

    What do the logs say?

    We don't have experience with AD here yet; we're still with the
    NETBIOS-dependent Exchange Server, so my findings might or might
    not be relevant.

    With the NETBIOS-dependent version, I have noticed many instances in
    which the local end will open a connection to the remote Exchange
    server, put through a few packets, and close the connection (or let it
    lapse for UDP). Then at some arbitrary time later (minutes, hours,
    days, even more than a week later), when the server has something to
    say to the local system, it assumes that the local port is still
    available and attempts to connect to it... and will continue to attempt
    the connection for days until the local system happens to connect
    through again. Of course when the PIX sees the TCP connection close or
    sees inactivity on the UDP stream, it tears down the dynamic port
    translation and there's no way the server is going to be able to
    connect back.

    If you were to see similar problems in your situation, then there would
    be little that could be done except to statically map all your IPs (at
    least when talking to the server) and permit connections initiated from
    the server on all ports in the dynamic allocation range (typically 1024 -
    1199, but I don't think that's a fixed upper value.)

    But you might be having some other problem completely. We need
    to see the PIX logs to say much more.
     
    Walter Roberson, Jan 30, 2004
    #2

  3. RM

    RM Guest

    The pix piece was working like a champ, the router was screwing everything
    up and did not spit anything out in the logs. I believe what was happening
    is the MTU size was causing issues with the higher level AD stuff. I turned
    up a route map and set the DF Bit to zero and the problem went away. My
    thinking is that with the MTU set to 1500 on the server and all of the
    workstations, the IPSEC was adding overhead to the packet thus making it
    larger than 1500. The lower level protocols (icmp, tftp telnet) could
    handle the fragmentation that takes place, but the AD stuff could not. I
    believe the PIX makes adjustments and handles that issue by default. I may
    be way off, but the command below fixed it:
    2600(config)#route-map dfbit permit 10
    2600(config-route-map)#set ip df 0
    2600(config)#int FastEthernet0
    2600(config-if)#ip policy route-map dfbit

    Then there was also a setting on the 3005 to match.
     
    RM, Jan 31, 2004
    #3
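The MTU explanation in the post above, worked through as an added example (not code from the thread): it models what the encrypting router does with an inner packet once ESP tunnel-mode overhead is added, with and without the `set ip df 0` policy. The cipher and ICV sizes are assumptions for a typical 2004-era ESP SA (3DES-CBC with HMAC-SHA1-96).

```python
# Added example, not from the thread. Models why a full-size (1500-byte)
# inner packet can fail to cross an IPsec tunnel when its DF bit is set,
# while small packets (ping, telnet) cross fine, and what "set ip df 0"
# changes. Cipher/ICV sizes are assumptions for 3DES-CBC + HMAC-SHA1-96.

OUTER_MTU = 1500          # MTU of the link carrying the tunnel
IP_HEADER = 20            # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8            # SPI (4) + sequence number (4)
ESP_IV = 8                # 3DES-CBC IV (assumption; 16 for AES-CBC)
ESP_BLOCK = 8             # 3DES cipher block size (assumption)
ESP_TRAILER = 2           # pad length (1) + next header (1)
ESP_ICV = 12              # HMAC-SHA1-96 integrity check value (assumption)


def esp_tunnel_size(inner_len: int) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    # Payload plus the 2-byte trailer is padded up to the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return IP_HEADER + ESP_HEADER + ESP_IV + padded + ESP_ICV


def forward(inner_len: int, df: bool, clear_df: bool = False) -> str:
    """Outcome for one inner packet at the encrypting router.

    df:       DF bit on the inner packet (AD/SMB traffic commonly sets it).
    clear_df: the 'set ip df 0' route-map policy applied before encryption.
    Returns 'forwarded', 'fragmented', or 'dropped (ICMP frag needed)'.
    """
    if clear_df:
        df = False
    wire = esp_tunnel_size(inner_len)
    if wire <= OUTER_MTU:
        return "forwarded"
    if df:
        # The router copies DF into the outer header, cannot fragment, and
        # returns ICMP type 3 code 4. If that ICMP is filtered or ignored,
        # the sender keeps retransmitting the same oversized packet and stalls.
        return "dropped (ICMP frag needed)"
    return "fragmented"


if __name__ == "__main__":
    for size, df in [(84, True), (1500, False), (1500, True)]:
        print(f"inner={size} DF={df}: wire={esp_tunnel_size(size)} "
              f"default={forward(size, df)} df0={forward(size, df, True)}")
```

Clearing DF turns a silent drop into fragmentation at the router; the cleaner long-term fix is to lower the tunnel MTU or TCP MSS so PMTUD is not needed, but the model shows why the route map made the problem go away.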
