Windows Logon very slow over VPN link

We've set up a site to site VPN link using a 1700 series Cisco router and a 515 PIX firewall.  The workstations on the remote end are Windows XP, the main site is running Windows 2003 in native mode.

We're noticing an extremely long logon period for the remote users (takes around 15 minutes).  Once in, things move fast enough, but the logon just takes forever.

Any thoughts on what might be causing this and how to fix it?

Thanks in advance...
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Are you using a windows xp VPN client or are you doing a hardware based VPN?
Often long XP login delays to an Active Directory environment are DNS related.  Try pointing the XP clients at the primary domain controler for their DNS (or have the DHCP server give out the IP of the PDC as the DNS to use).
Agree with fixnix, this appears to be a DNS issue. Suggest perhaps putting in a secondary AD DNS server at the remote site.
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

Robing66066Author Commented:
Both the clients at the site list the our two domain controllers as their DNS servers.  I was hoping to avoid putting a server in the site as there are only two people there and we have quite a few of these sites to do if we can make this work...  Is there any way to confirm the problem is DNS related?
I would setup up the client workstation to allow lmhosts lookup and put the following entry in their lmhosts file...      mydomaincontroller     PRE   DOM:mydomainname

replacing the x's with your domain controllers ip address... the mydomaincontroller with your domain controllers netbios/wins name (not FQDN).... the mydomainname with your domain names netbios/wins name (not FQDN)... and reboot the machines... attempt to login... if it works then it's a DNS issue...  usually the long logon times are caused by the workstations having trouble locating the srv records for the domain controller...
How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues;en-us;Q180094


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Robing66066Author Commented:
Still looking at this one.  Will get back to it soon.
Robing66066Author Commented:
That seems to have done the trick.  Thanks.
Robing66066Author Commented:
As it turned out, that helped, but didn't solve the whole thing.

The final answer turned out to be a problem with the maximum MTU size of the ISP who provided the VPN connection.  The max size was lower than the size of an authentication packet as sent from the workstation/server.  The packet ended up getting fragmented and the server rejected it, sending back a packet with the "Don't fragment" bit turned on.  Unfortunately, the workstation wasn't set up to respond to the "don't fragment" request, so it kept sending without adjusting the MTU.

We had to do a reghack via GPO to every server/workstation to get it to work.  Took several hours with Microsoft to find and resolve.  Very nasty little problem.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.