Solved

MTU problems with VPN

Posted on 2003-10-24
Last Modified: 2012-06-22
Hi,

I want to connect two offices using VPN on Microsoft Windows 2000. The installation is not the problem; we had this set up and working in just a few hours.
However, when I connect to a POP3 server using a telnet client talking raw POP3 protocol I found that a packet is dropped silently when I send the LIST command. When there are a lot of messages in the inbox the response is not received.

I've tried a router-to-router solution without using VPN. The same problem occurred with that solution. After hours and hours of debugging, reading and testing I found that the problem lies in the MTU. I made a few changes in the MTU settings and it worked! :)
The router-to-router solution is not encrypted. As soon as I add encryption OR use VPN the same problem happens again. I guess it is again the MTU, but this time I really can't figure it out.

Here is what the network looks like:

Internet -- InetGateway (192.168.1.100) -- Office1 (192.168.1.*) -- W2kGateway1 (192.168.1.1) --(WIFI Connection)-- W2kGateway2 (192.168.2.1) -- Office2 (192.168.2.*)

One more important thing: Both Windows 2000 gateways have 2 NICs. One is configured and connected to the office LAN, the other is configured in a separate subnet (10.0.0.*) and connected to the other gateway by a wireless connection.

Could anyone explain to me which adapter needs which MTU value? And what is "RAS MTU" and do I need to set this? (I found this option with DrTCP)

Help would really be appreciated, I can't figure it out ... Thanks in advance.
0
Question by:rschuil
Accepted Solution

by:
qwaletee earned 250 total points
ID: 9614049
Usually, if there are MTU problems due to a VPN, it will be in the internet traffic, not the internal traffic. The VPN needs to take all your "regular" packets, encrypt them, and wrap them inside a new packet that is sent to the VPN server. The VPN server then unwraps the packets, and retransmits them to the original IP address your application was trying to reach. This typically results in the original packet being broken up, because the original packet is too large to add all the VPN wrappering without breaking the basic MTU limit. The re-assembly effectively sends "fragmented packets," as if the packets had reached a router whose MTU was smaller than what you were sending. Some VPNs are better than others at maintaining large packet caches, and reassembling the core packets as unfragmented units.

To ensure this does not happen at all, you have to drop your PC MTU to a size that is normal MTU minus maximum VPN per-packet overhead - which consists of the full size of a standard IP packet, plus encryption information. Sometimes, you also have to do this on the internal servers, so that they will never send a fragmenting packet back to you; this is usually NOT a problem.

RAS MTU = Remote Access Services Maximum Transmission Unit, which is basically the MTU for dial-up traffic.
0
 
Expert Comment

by:qwaletee
ID: 9614070
I would start by changing your PC MTU to 1000, see if it works (very unlikely that your VPN would add 400+ bytes per packet). If so, start bumping it up in 100 increments until it fails again, then start splitting the difference.

If 1000 doesn't do it, then experiment with doing the same with the POP3 server you are trying to reach.
0
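The search described in the comment above (start at 1000, step up by 100 until it fails, then split the difference) can be run without changing any adapter setting by probing with Don't Fragment pings. This is an added example, not part of the original thread. The function names, the 1500-byte ceiling and the 72-byte overhead in the simulated tunnel are assumptions; it also assumes oversized DF packets get no echo reply.

```python
import platform
import subprocess
import sys

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP header

def ping_df(host, packet_size):
    """Send one echo request of packet_size bytes (IP total) with DF set."""
    payload = str(packet_size - IP_ICMP_HEADERS)
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-n", "1", "-w", "2000", "-l", payload, host]
        out = subprocess.run(cmd, capture_output=True).stdout
        return b"TTL=" in out  # an echo reply line carries a TTL field
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", payload, host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_path_mtu(probe, start=1000, step=100, ceiling=1500):
    """Largest size in [start, ceiling] where probe(size) is True, else None."""
    if not probe(start):
        return None  # even the starting size fails; look elsewhere first
    good, bad = start, None
    # Phase 1: bump up in fixed increments until a probe fails.
    while good < ceiling:
        nxt = min(good + step, ceiling)
        if probe(nxt):
            good = nxt
        else:
            bad = nxt
            break
    if bad is None:
        return good  # nothing failed up to the ceiling
    # Phase 2: split the difference between last good and first bad size.
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(mid):
            good = mid
        else:
            bad = mid
    return good

def simulated_tunnel(overhead, link_mtu=1500):
    """Constructed stand-in for a VPN path that adds `overhead` bytes."""
    return lambda size: size + overhead <= link_mtu

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real probe against a host behind the tunnel
        print(find_path_mtu(lambda s: ping_df(sys.argv[1], s)))
    else:                  # offline demo with a constructed 72-byte overhead
        print(find_path_mtu(simulated_tunnel(72)))
```

The ceiling minus the returned size is the per-packet overhead the tunnel adds on that path, which is the figure the accepted answer says to subtract from the normal MTU.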
 

Assisted Solution

by:cue_man
cue_man earned 250 total points
ID: 11833188
0
