

Cannot ping over certain number of bytes

Posted on 2004-08-05
Medium Priority
Last Modified: 2010-04-11
Hi Folks,

We have an office in the UK (main office) and an office in the US. These are connected over a dedicated VPN link. Both sites have managed Cisco 1700 routers. The UK office contains all the servers and domain controllers. One day when I came into the office (UK) the US site could not log onto the domain. Also from the UK we could not map to any of the US folders. When I pinged the US from the UK everything seemed OK (4 replies); however, when I increased the byte size to 3000 bytes it started to time out.

After numerous phone calls to our ISP, who manage our routers and VPN, they could not work out why this was happening. I ran every test you could imagine on our domain controllers and LAN but to no avail. Left for the weekend, came back Monday morning ready to do battle and the link was back to normal. I phoned our ISP to see what they had done over the weekend but they claimed they had done nothing. When I pinged the US everything was OK, pinging up to 10000 bytes and over no problem.

Is there any reason why I could not ping the US with a byte size over 3000?

Also a point to note, during the time when the link was not working the US could still dial direct into our RAS (bypassing the router), log on, receive e-mails etc.

This has been really annoying me as there has been no explanation why this happened either from our ISP or from myself and I do not want this to happen again.

Any ideas would be most appreciated.

Many thanks,


Question by:Baikie

Expert Comment

ID: 11724692
Maybe just internet congestion, or a dead router somewhere at either ISP or one of the major links? If your RAS is a phone based system then that is why you would have had no problems with that. Only real solution for that is some sort of secondary link, a satellite or something. But that is a little over-the-top.

Author Comment

ID: 11724748
Should have mentioned that this went on for 4 days then suddenly started to work again. I only mentioned the RAS to prove that our system was working and that the US could log onto the domain using this method. Therefore authentication issues must be ok.

LVL 27

Accepted Solution

pseudocyber earned 100 total points
ID: 11724899
I've been fighting an MTU issue between different versions of code on our VPN. You're aware, of course, that the maximum size for regular Ethernet packets is 1518 bytes? This includes protocol overhead, so actual data is a little less. Anything over this size has to be fragmented, which, for VPN, is usually bad.

After much gnashing of teeth, sore foreheads from beating them against brick walls, and just general aggravation, I've read and experienced improved results from changing all MTU settings on interfaces, clients, links, etc. to 1430.  This results in no fragmentation and increased performance from our VPN.

This doesn't explain why you couldn't ping with large datagrams - but it might lead you towards a solution.

Hope this helps.
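
The fragmentation arithmetic behind the answer above, as an added example that is not part of the original thread: it computes how an ICMP echo of a given payload size is split at a given MTU, using the 1430 value from the answer and the 3000 and 10000 byte ping sizes from the question. The 20-byte IPv4 header (no options), the 1500-byte Ethernet IP MTU and the 32-byte Windows ping default are assumptions.

```python
# Added example: IPv4 fragmentation arithmetic for ICMP echo (ping).
IP_HEADER = 20    # IPv4 header without options (assumed)
ICMP_HEADER = 8   # ICMP echo header

def max_unfragmented_ping(mtu):
    """Largest ping payload that still fits in a single packet at this MTU."""
    return mtu - IP_HEADER - ICMP_HEADER

def fragment_ping(payload, mtu):
    """Return [(offset, data_len, more_fragments)] for one echo request."""
    total = payload + ICMP_HEADER            # bytes that follow the IP header
    if total + IP_HEADER <= mtu:
        return [(0, total, False)]           # fits whole, no fragmentation
    # Non-final fragments must carry a multiple of 8 bytes.
    per_frag = (mtu - IP_HEADER) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry fragment data")
    frags, offset = [], 0
    while offset < total:
        length = min(per_frag, total - offset)
        frags.append((offset, length, offset + length < total))
        offset += length
    return frags

def wire_bytes(payload, mtu):
    """Total IP bytes sent, counting one IP header per fragment."""
    return sum(length + IP_HEADER for _, length, _ in fragment_ping(payload, mtu))

if __name__ == "__main__":
    # 1500 = standard Ethernet IP MTU; 1430 = value from the answer above.
    # Sizes: 32 (Windows ping default), 3000 and 10000 (from the question).
    for mtu in (1500, 1430):
        print(f"MTU {mtu}: largest single-packet ping = "
              f"{max_unfragmented_ping(mtu)} bytes")
        for size in (32, 1402, 1472, 3000, 10000):
            frags = fragment_ping(size, mtu)
            print(f"  ping {size:>5}: {len(frags)} fragment(s), "
                  f"{wire_bytes(size, mtu)} IP bytes")
```

On Windows, `ping -f -l <size> <host>` sends with Don't Fragment set, so stepping the size up until replies stop shows the largest payload the tunnel path carries in one packet.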

Assisted Solution

kronos540 earned 100 total points
ID: 11729958
Good point on testing with RAS.

What is the CIR (a.k.a. guaranteed minimum bandwidth) from the solution provider?
Although this does sound like a bandwidth issue that caused some of your problems, I think the solution provider is not being honest about not changing the configuration of the VPN. A 1700 series router is just designed to handle a small home office and not a large corp connection. It all depends on how they set up the tunnel and how much bandwidth the ISP/solution provider has.

The larger the packet size you send, the longer it takes to get back (latency), especially if the bandwidth is over congested. A VPN adds to the bandwidth requirements and the CPU processing on the routers.

Either the internet pipe was congested, someone screwed up something on the router configs, or the routers just got overloaded, unless you have only 20 people or less accessing information across the VPN. I would request a better router (2621 or better with at least 32 MB of RAM) to handle the traffic and computation for encryption and decryption across the VPN.


