VPN Problems 1710 to 1710 via ADSL

Discussion in 'Cisco' started by Paul Stewart, Dec 5, 2003.

  1. Paul Stewart (Guest)

    Hi everyone...

    I have a problem that I'm hoping somebody will shed some light on.

    We just setup a client a week ago with a pair of 1710's for VPN and
    Internet. The VPN works kinda, the internet works great. Each end is
    connected via 3 Meg DSL (3 meg down/640k up) using PPPOE.

    The problem is with the VPN. The users cannot see the network when
    they browse except what's at each end of the VPN. One office is head
    office, other office is remote accounting. Their primary application
    software is BusinessVision Accounting. The speed is somewhat slow at
    all times but for day to day stuff it's "not bad" according to the
    users. When they do reports in their accounting it takes up to a day
    if at the remote office while at the head office takes 3-4 minutes. I
    don't believe this is a bandwidth issue, rather an MTU issue or more
    likely a Windows networking issue.

    Since I'm new at VPNs of this nature I'm hoping it's just something
    simple. ;) Their network consists of a Windows NT 4 server running as
    PDC and Windows 98 workstations, nothing really complicated. The
    workstations and server have TCP/IP *and* NetBEUI installed (not sure
    if NetBEUI is the problem and don't know why they really require it).

    Here's the configs for each end:

    Remote Office

    !
    version 12.3
    no parser cache
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname gw-cooney-cavan
    !
    logging buffered 4096 debugging
    no logging rate-limit
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    username admin privilege 15 password 7 XXXXXXXXXXXXXXXX
    memory-size iomem 25
    clock timezone EST -5
    clock summer-time EDT recurring
    ip subnet-zero
    no ip source-route
    !
    !
    ip domain name XXXXXXXXXXXXXXx
    ip name-server 216.168.96.10
    ip name-server 216.168.96.13
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.124.0 255.255.255.0
    default-router 192.168.124.254
    dns-server 216.168.96.10 216.168.96.13 216.168.96.83
    netbios-name-server 192.168.123.5
    lease 0 2
    !
    ip cef
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    crypto isakmp key XXXXXXXXXXX address XXXXXXXXXXX no-xauth
    !
    !
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec df-bit clear
    !
    crypto map mymap 10 ipsec-isakmp
    set peer XXXXXXXXXXXXXXXXXXXX
    set transform-set myset
    match address 100
    !
    !
    !
    !
    interface Loopback0
    no ip address
    !
    interface Ethernet0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip nat outside
    ip tcp adjust-mss 1355
    full-duplex
    pppoe enable
    pppoe-client dial-pool-number 1
    no cdp enable
    crypto map mymap
    !
    interface FastEthernet0
    ip address 192.168.124.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip nat inside
    ip tcp adjust-mss 1355
    speed 100
    full-duplex
    no cdp enable
    hold-queue 32 in
    !
    interface Dialer1
    ip address negotiated
    ip mtu 1395
    ip nat outside
    encapsulation ppp
    ip route-cache flow
    ip tcp adjust-mss 1200
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username XXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXX
    crypto map mymap
    !
    ip nat inside source route-map nonat interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    !
    !
    ! crypto ACL: traffic between the two LANs is what gets encrypted
    access-list 100 permit ip 192.168.124.0 0.0.0.255 192.168.123.0 0.0.0.255
    ! NAT exemption: VPN traffic is kept out of the overload translation
    access-list 102 deny ip 192.168.124.0 0.0.0.255 192.168.123.0 0.0.0.255
    access-list 102 permit ip 192.168.124.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map nonat permit 10
    match ip address 102
    !
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 120 0
    privilege level 15
    password 7 XXXXXXXXXXXX
    login local
    transport preferred ssh
    transport input ssh
    transport output ssh
    !
    no scheduler allocate
    !
    end

    Head Office

    !
    version 12.3
    no parser cache
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname XXXXXXXXXXXXXXXXXXX
    !
    logging buffered 4096 debugging
    no logging rate-limit
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    username admin privilege 15 password 7 XXXXXXXXXXXXXXXXX
    username cooney password 7 XXXXXXXXXXXXXXXXXXXX
    memory-size iomem 25
    clock timezone EST -5
    clock summer-time EDT recurring
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network default local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    !
    !
    ip domain name XXXXXXXXXXXXXXXXXXXXXX
    ip name-server 216.168.96.10
    ip name-server 216.168.96.13
    ip dhcp excluded-address 192.168.123.5
    ip dhcp excluded-address 192.168.123.254
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.123.0 255.255.255.0
    default-router 192.168.123.254
    dns-server 216.168.96.10 216.168.96.13 216.168.96.83
    lease 0 2
    !
    no ip bootp server
    ip cef
    ip audit notify log
    ip audit po max-events 100
    vpdn enable
    !
    vpdn-group 1
    request-dialin
    protocol pppoe
    !
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    crypto isakmp key XXXXXXXXXXXXXXXXXXXX address XXXXXXXXXXXXXXX no-xauth
    !
    crypto isakmp client configuration group 3000client
    key XXXXXXXXXXXXXXX
    dns 216.168.96.10 216.168.96.13
    domain nexicom.net
    pool ippool
    !
    !
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec df-bit clear
    !
    crypto dynamic-map dynmap 10
    set transform-set myset
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list default
    crypto map clientmap client configuration address respond
    crypto map clientmap 1 ipsec-isakmp
    set peer XXXXXXXXXXXXXXXXXXXX
    set transform-set myset
    match address 100
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface Loopback0
    no ip address
    !
    interface Ethernet0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip nat outside
    ip tcp adjust-mss 1355
    half-duplex
    pppoe enable
    pppoe-client dial-pool-number 1
    no cdp enable
    crypto map clientmap
    hold-queue 32 in
    hold-queue 100 out
    !
    interface FastEthernet0
    ip address 192.168.123.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip nat inside
    ip tcp adjust-mss 1355
    speed auto
    no cdp enable
    hold-queue 32 in
    hold-queue 100 out
    !
    interface Dialer1
    ip address negotiated
    ip mtu 1395
    ip nat outside
    encapsulation ppp
    ip route-cache flow
    ip tcp adjust-mss 1200
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username XXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXX
    crypto map clientmap
    !
    ip local pool ippool 14.1.1.100 14.1.1.200
    ! static port forwards (TCP 5631 / UDP 5632, the pcAnywhere ports) to 192.168.123.200
    ip nat inside source static udp 192.168.123.200 5632 interface Dialer1 5632
    ip nat inside source static tcp 192.168.123.200 5631 interface Dialer1 5631
    ip nat inside source route-map nonat interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    !
    !
    ! crypto ACL: traffic between the two LANs is what gets encrypted
    access-list 100 permit ip 192.168.123.0 0.0.0.255 192.168.124.0 0.0.0.255
    ! NAT exemption: VPN traffic is kept out of the overload translation
    access-list 102 deny ip 192.168.123.0 0.0.0.255 192.168.124.0 0.0.0.255
    access-list 102 permit ip 192.168.123.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map nonat permit 10
    match ip address 102
    !
    radius-server authorization permit missing Service-Type
    !
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 120 0
    privilege level 15
    password 7 XXXXXXXX
    transport preferred ssh
    transport input ssh
    transport output ssh
    !
    !
    end


    On one of these routers, normally I set the MTU to 1455 and MSS to
    1415. It has to be these settings on DSL normally due to the backhaul
    of DSL signalling via VLAN trunking. Long story short...;)

    I've even gone so far as to bring the MTU down to 1240 and the MSS to
    1200, but it seems to make the speed worse...

    Are there any experts on this topic? I've talked to Cisco and they
    don't really have an answer other than that the VPN is working right
    now so it must be a Windows problem...??

    Thanks in advance for *any* help you may have...

    Paul
     
    Paul Stewart, Dec 5, 2003
    #1
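The MTU and MSS values in the two configs can be checked with a little header arithmetic. The script below is an added worked example, not code from the original post or from Cisco: it uses the standard PPPoE and ESP tunnel-mode overheads for the esp-3des/esp-md5-hmac transform set above (RFC 2516, RFC 2406, RFC 2451, RFC 2403) and the 1492, 1455, 1395, 1355 and 1200 numbers that appear in the post. The function names and the `budget` helper are this example's own.

```python
"""Packet-size budget for an IPsec (ESP tunnel mode) VPN carried over PPPoE.

Added example for this thread, not from the original post. Header sizes are
the RFC values for PPPoE, ESP, 3DES-CBC and HMAC-MD5-96; the MTU/MSS inputs
are the ones the thread discusses."""

PPPOE_HEADER = 6       # RFC 2516 session-stage header
PPP_PROTOCOL = 2       # PPP protocol field carried inside PPPoE
OUTER_IP = 20          # new IPv4 header added by ESP tunnel mode (no options)
ESP_SPI_SEQ = 8        # ESP header: SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
IPV4_TCP_HEADERS = 40  # 20-byte IP + 20-byte TCP; the bytes an MSS excludes


def pppoe_link_mtu(ethernet_mtu: int = 1500) -> int:
    """Largest IP packet a PPP session over Ethernet can carry (1492 for 1500)."""
    return ethernet_mtu - PPPOE_HEADER - PPP_PROTOCOL


def esp_tunnel_len(inner_len: int, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Bytes on the wire for one inner IP packet after ESP tunnel encapsulation.

    Defaults: 3DES-CBC (8-byte block, 8-byte IV) and HMAC-MD5-96 (12-byte ICV)."""
    # pad so that inner packet + trailer fills whole cipher blocks
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP + ESP_SPI_SEQ + iv + inner_len + pad + ESP_TRAILER + icv


def max_inner_ip_len(outer_mtu: int, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Largest inner packet whose ESP encapsulation fits outer_mtu without fragmenting."""
    fixed = OUTER_IP + ESP_SPI_SEQ + iv + icv
    blocks = (outer_mtu - fixed) // block
    return blocks * block - ESP_TRAILER


def tcp_mss_for(outer_mtu: int, **kw) -> int:
    """TCP MSS to clamp to so a full-size segment survives the tunnel whole."""
    return max_inner_ip_len(outer_mtu, **kw) - IPV4_TCP_HEADERS


def budget(outer_mtu: int, configured_mss: int) -> dict:
    """Compare an `ip tcp adjust-mss` value with what the tunnel actually allows."""
    wire = esp_tunnel_len(configured_mss + IPV4_TCP_HEADERS)
    return {
        "outer_mtu": outer_mtu,
        "safe_mss": tcp_mss_for(outer_mtu),
        "configured_mss": configured_mss,
        "wire_bytes_per_full_segment": wire,
        "fits": wire <= outer_mtu,
    }


if __name__ == "__main__":
    print("PPPoE link MTU:", pppoe_link_mtu())
    # outer MTUs from the thread: bare PPPoE, the usual DSL value, the dialer's ip mtu
    for mtu in (pppoe_link_mtu(), 1455, 1395):
        for mss in (1355, 1200):
            print(budget(mtu, mss))
```

Running it shows that a 1492-byte PPPoE link has room for a 1438-byte inner packet (MSS 1398), and that with the dialer held at `ip mtu 1395` a full segment at MSS 1355 comes to 1448 bytes after encapsulation, which only gets through by fragmenting, while MSS 1200 (1296 bytes on the wire) fits. Swap in other block, IV and ICV sizes for other transform sets; the arithmetic is the same.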

  2. Ah, the dreaded PPPOE MTU and fragmentation issues.

    Are you working from http://www.cisco.com/warp/public/794/router_mtu.html?
    NETBEUI == Netbios Extended User Interface. This is a link level protocol,
    so unless you are bridging it should not enter the equation. You can likely
    remove it.
    Why dfbit clear? I'd think you WANT to avoid fragmentation!
    Why so low? Why not 1452? Why change the MTU at all?
    Grumble. 8-(

    You will need to stop fragmentation. I recommend keeping DF *ON* and letting
    the Ethernet provide hints back when traffic to the PPPOE dialer interface
    exceeds the MTU. Windows 98

    debug ip ICMP to be sure these hints are sent back.

    By allowing fragmentation, you are just begging for performance problems!

    Another desperate measure is to change the MTU **ON THE PCs** to 1300 and
    see if that helps.

    Can you tell me more about the application? What protocol does it use? If
    it uses UDP, you may be out of luck since TCP MSS does not affect that.

    Also see http://www.cisco.com/warp/public/105/38.shtml. Windows 98 should
    honor PMTU by default. Make sure nobody has tweaked the machines to do
    otherwise. DRTCP can be used for this task.

    Get Ethereal or some packet sniffer and look for fragmentation.
     
    Phillip Remaker, Dec 5, 2003
    #2
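To see what the last suggestion turns up without a live capture, here is an added example that is not part of either post: it builds IPv4 packets in memory, splits an oversized ESP packet whose DF bit has been cleared into fragments the way RFC 791 describes, and then parses the results for the MF flag and fragment offset, which is what an Ethereal/Wireshark filter for fragments keys on. The addresses are documentation-range placeholders, the 1448-byte packet and the 1395-byte MTU are constructed inputs, and all function names are this example's own.

```python
"""Spot IPv4 fragmentation the way a packet sniffer would, and show what a
router does to an oversized ESP packet once DF has been cleared.

Added example for this thread, not code from the original posts. Packet
bytes are constructed inline (documentation-range addresses), so it runs
offline. Assumes 20-byte IPv4 headers without options."""
import struct

IP_DF = 0x4000  # Don't Fragment flag
IP_MF = 0x2000  # More Fragments flag
ESP = 50        # IP protocol number for ESP


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, proto: int = ESP, df: bool = True, mf: bool = False,
               offset: int = 0, ident: int = 0x1234,
               src: str = "192.0.2.1", dst: str = "198.51.100.1") -> bytes:
    """Wrap payload in a 20-byte IPv4 header; offset is in 8-byte units."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | (offset & 0x1FFF)
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields a fragmentation hunt cares about."""
    vihl, _, total, ident, ff, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    offset = (ff & 0x1FFF) * 8          # byte offset of this piece in the original
    return {"len": total, "ihl": ihl, "id": ident, "proto": proto,
            "df": bool(ff & IP_DF), "mf": bool(ff & IP_MF), "offset": offset,
            "is_fragment": bool(ff & IP_MF) or offset > 0,
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0}


def fragment(pkt: bytes, mtu: int) -> list:
    """Split a DF-clear packet into pieces that fit mtu (RFC 791 rules)."""
    info = parse_ipv4(pkt)
    if info["df"]:
        raise ValueError("DF set: a router must drop this and send ICMP type 3 code 4")
    if len(pkt) <= mtu:
        return [pkt]
    hdr_len = info["ihl"]
    payload = pkt[hdr_len:info["len"]]
    chunk = (mtu - hdr_len) // 8 * 8     # fragment data must be a multiple of 8 bytes
    frags, pos = [], 0
    while pos < len(payload):
        piece = payload[pos:pos + chunk]
        last = pos + len(piece) >= len(payload)
        frags.append(build_ipv4(piece, info["proto"], df=False, mf=not last,
                                offset=(info["offset"] + pos) // 8, ident=info["id"]))
        pos += len(piece)
    return frags


def fragmentation_report(packets) -> dict:
    """Tally what a capture filtered on ip.flags.mf == 1 || ip.frag_offset > 0 shows."""
    report = {"packets": 0, "fragments": 0, "df_set": 0, "esp": 0}
    for p in packets:
        i = parse_ipv4(p)
        report["packets"] += 1
        report["fragments"] += int(i["is_fragment"])
        report["df_set"] += int(i["df"])
        report["esp"] += int(i["proto"] == ESP)
    return report


if __name__ == "__main__":
    # constructed: a 1448-byte ESP packet, DF cleared, leaving a 1395-byte MTU dialer
    big = build_ipv4(b"\x00" * 1428, df=False)
    pieces = fragment(big, 1395)
    for f in pieces:
        print(parse_ipv4(f))
    print(fragmentation_report(pieces))
```

With the constructed input the 1448-byte packet becomes a 1388-byte first fragment (MF set) and an 80-byte tail at offset 1368, and every one of those tails has to be reassembled by the far router before it can be decrypted. With DF set, `fragment` raises instead, which is the ICMP "fragmentation needed" path the reply recommends relying on.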
