VPN site-to-site between Cisco 1841 and SonicWall 170

Discussion in 'Cisco' started by amitgat, Jan 2, 2006.

  1. amitgat

    amitgat Guest

    Hi,

    I'm trying to connect a Cisco 1841 to Sonicwall 170.

    The tunnel is establishing successfully, but I can't ping computers
    from any LAN to the other side of the tunnel.

    When running Tunnel Diagnostics on Cisco SDM I get the following
    report:

    ------------------------------------------------------------
    VPN Troubleshooting Report Details

    Router Details

    Attribute Value
    Router Model 1841
    Image Name c1841-advsecurityk9-mz.124-5.bin
    IOS Version 12.4(5)

    Test Activity Summary

    Activity Status
    Checking the tunnel status... Up

    Test Activity Details

    Activity Status
    Checking the tunnel status... Up
    Encapsulation :0
    Decapsulation :0
    Send Error :0
    Received Error :0

    Troubleshooting Results
    Failure Reason(s)
    A ping with data size of this VPN interface MTU size and 'Do not
    Fragment' bit set to the other end VPN device is failing. This may
    happen if there is a lesser MTU network which drops the 'Do not
    fragment' packets

    Recommended Action(s)
    1)Contact your ISP/Administrator to resolve this issue.
    2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface
    to avoid packets drop due to fragmentation.
    ------------------------------------------------------------

    On the Sonicwall side, I see this message whenever I try to access the
    other side:
    Message - "Malformed or unhandled IP packet dropped"
    Source - <Other Side Public IP>, 0, WAN
    Destination - <Local Side Public IP>
    Notes - IP Protocol 51

    Do you have any ideas what I can do to fix the tunnel?

    Thanks a lot in advance.

    Amit Gatenyo
     
    amitgat, Jan 2, 2006
    #1

  2. amitgat

    nazgulero Guest

    Hello,

    there might be a problem with the MSS size configured on your local LAN
    interface. Try and set this to 1350:

    interface FastEthernet0/0
     ip tcp adjust-mss 1350

    Regards,

    Naz
     
    nazgulero, Jan 2, 2006
    #2

  3. amitgat

    amitgat Guest

    Sadly, it didn't work.

    I've set it on the interface that is connected to the LAN
    (FastEthernet0/0), but it didn't do the trick. The tunnel is still being
    created successfully, but I can't ping computers on the remote LAN.
     
    amitgat, Jan 3, 2006
    #3