VPN over L2TP patchy connectivity while L2TP Traffic without VPN is fine.

Discussion in 'Cisco' started by Gary, Apr 22, 2005.

  1. Gary

    Gary Guest

    We set up a L2 Tunnel between two ADSL users.

    At first nothing worked until we discovered the overhead of the L2 Tunnel
    (40 bytes) and adjusted MTUs to compensate and all seemed good.

    Then we added a VPN between these 2 users and things started to break again.

    i.e. Ping works down the VPN and various other things but terminal services
    and Outlook trying to collect mail from the other end point does not.

    It seems that the VPN again plays havoc with the MTU or packet
    fragmentation.

    Config below fixed the initial issues.

    username NET-TEST-L2TP password 7 08
    username NET-TEST2-L2TP password 7 04

    vpdn enable
    vpdn multihop
    vpdn search-order domain
    vpdn domain-delimiter @ suffix
    !
    vpdn-group NET-TEST-L2TP
    accept-dialin
    protocol l2tp
    virtual-template 1
    terminate-from hostname NET-TEST-L2TP
    source-ip 82.151.255.5
    local name NET-TEST-L2TP
    lcp renegotiation always
    l2tp tunnel password 7 151

    #Added these 2 lines to fix initial issues.
    ip pmtu
    ip mtu adjust
    !
    vpdn-group NET-TEST2-L2TP
    accept-dialin
    protocol l2tp
    virtual-template 2
    terminate-from hostname NET-TEST2-L2TP
    source-ip x.x.x.x
    local name NET-TEST2-L2TP
    lcp renegotiation always
    l2tp tunnel password 7 01

    #Added these 2 lines to fix initial issues.
    ip pmtu
    ip mtu adjust


    interface Virtual-Template1
    ip unnumbered Loopback0
    no ip redirects
    no ip proxy-arp

    #Added this line as part of the fix
    ip tcp adjust-mss 1400
    ip policy route-map clear-df
    no logging event link-status
    peer default ip address pool SPPOOL
    keepalive 60
    ppp authentication chap
    ppp multilink
    ppp multilink fragment disable
    !
    interface Virtual-Template2
    ip unnumbered Loopback0
    no ip redirects
    no ip proxy-arp

    #Added this line as part of the fix
    ip tcp adjust-mss 1400
    ip policy route-map clear-df
    no logging event link-status
    peer default ip address pool SPPOOL
    keepalive 60
    ppp authentication chap
    ppp multilink
    ppp multilink fragment disable


    #Added this line as part of the fix
    access-list 111 permit tcp any any
    !
    route-map clear-df permit 10
    match ip address 111
    set ip df 0


    VPNs have the same types of issues as normal traffic prior to the added
    lines above.

    How do I get the VPN to compensate or am I way off???

    Help please.
    Gary
     
    Gary, Apr 22, 2005
    #1

  2. :We set up a L2 Tunnel between two ADSL users.

    :At first nothing worked until we discovered the overhead of the L2 Tunnel
    :(40 bytes) and adjusted MTUs to compensate and all seemed good.

    :Then we added a VPN between these 2 users and things started to break again.

    Read the documentation on the tcpmss sysopt, see the calculation
    there, remove from the equation the AH layer if you aren't using
    AH, subtract off the L2 tunnel overhead; also subtract off
    the size of an IP header with options if you are using NAT-T
    [to take into account UDP encapsulation.]

    If you want a more exact number, temporarily disable the
    tcpmss sysopt and enable PMTUD (Path MTU Discovery) between
    two of the endpoints, and monitor to see what MTU they end up with.
     
    Walter Roberson, Apr 23, 2005
    #2
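    A worked version of the overhead arithmetic described above, added here as an example and not part of the thread. It assumes a 1500-byte link MTU, the 40-byte L2TP overhead the original post measured, and ESP in tunnel mode with a CBC cipher (AES or 3DES) and HMAC-SHA1-96; AH and NAT-T UDP encapsulation are modelled as optional extra layers. It shows why an MSS clamp of 1400 fits inside L2TP alone but no longer fits once IPsec is layered on top.

```python
# Header sizes (bytes) from the IPv4/TCP/UDP/ESP/AH RFCs.
IPV4_HDR, TCP_HDR, UDP_HDR = 20, 20, 8
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 truncated ICV
AH_LEN = 24          # AH header (12) + HMAC-SHA1-96 ICV (12)
L2TP_OVERHEAD = 40   # measured in the thread (outer IP + UDP + L2TP + PPP)


def esp_tunnel_size(inner_len, block, nat_t=False, ah=False):
    """Bytes on the wire for an inner packet of inner_len after ESP tunnel mode.
    block is the cipher block size (16 for AES-CBC, 8 for 3DES); the IV is
    assumed to be one block. Padding makes payload+trailer a block multiple."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = IPV4_HDR + ESP_HDR + block + inner_len + pad + ESP_TRAILER + ESP_ICV
    if nat_t:
        size += UDP_HDR   # UDP encapsulation of ESP
    if ah:
        size += AH_LEN    # AH wrapped around ESP (rarely used; thread says drop it)
    return size


def fits(mss, link_mtu=1500, l2tp=L2TP_OVERHEAD, ipsec=None):
    """True if a full-size TCP segment with this MSS survives L2TP (+ IPsec)
    encapsulation without exceeding the link MTU, i.e. no fragmentation."""
    inner = IPV4_HDR + TCP_HDR + mss
    outer = esp_tunnel_size(inner, **ipsec) if ipsec else inner
    return outer + l2tp <= link_mtu


def max_mss(link_mtu=1500, l2tp=L2TP_OVERHEAD, ipsec=None):
    """Largest MSS that still fits; this is the value to clamp with
    ip tcp adjust-mss (or the PIX tcpmss sysopt) on the VPN path."""
    mss = link_mtu - l2tp - IPV4_HDR - TCP_HDR
    while mss > 0 and not fits(mss, link_mtu, l2tp, ipsec):
        mss -= 1
    return mss


if __name__ == "__main__":
    aes = dict(block=16)
    print("L2TP only, MSS 1400 fits:", fits(1400))                 # True
    print("L2TP + ESP/AES, MSS 1400 fits:", fits(1400, ipsec=aes)) # False
    print("max MSS, L2TP only:", max_mss())                        # 1420
    print("max MSS, L2TP + ESP/AES:", max_mss(ipsec=aes))          # 1350
```

    Running it shows the 1400 clamp leaving a 1480-byte L2TP packet on its own, but a 1552-byte one once ESP padding and headers are added, which is exactly the silent breakage the thread describes for bulk TCP (RDP, POP/IMAP) while ping still works.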

  3. Gary

    Gary Guest

    I think those are PIX commands.

    The end points are routers, i.e. one Cisco router and one cheap and cheerful
    whatever ADSL router at the other end.

    We own the router in the middle which handles the VPDN or L2 Tunnel to the
    ADSL provider so they are invisible in the ADSL link.

    It looks like this

    1 End User on whatever router connects via ADSL to the ADSL Central PIPE of
    our ADSL provider. We connect over VPDN to them so we hand out our own
    address space.

    The other ADSL end point is a Cisco router and there are many connections
    coming in from remote offices to this Cisco router which handles all the
    VPNs.

    When not using a VPN between end users all is OK.

    What commands should I read about on the routers as opposed to the PIX
    please.

    Gary
     
    Gary, Apr 24, 2005
    #3