Solved

very weird networking issues.. related to MTU?

Posted on 2006-07-13
Last Modified: 2007-12-19
RDP does not work through VPN. I was told it was MTU: client packet with VPN overhead was above max size allowed by their DSL provider?

On the day I tested changing it, RDP started to go through (made it 1450 on my firewall endpoint). Client side firewall does not have a setting.

However it was so slow! And here is the weird part: when I typed, it would scramble what I typed.
If I keyed in 123456789123456789 I would get back something like 12356879124456789.
Notice all keys are there, just scrambled. This was the logon window via RDP.

I don't even know what to say, or where to begin. Before I dig in much more, maybe someone can give me a clue?
Question by:Eric
13 Comments
 
LVL 10

Expert Comment

by:bbrunning
ID: 17103634
RDP should work fine through the VPN as long as you are connected. Are you trying to connect via computer name or IP address? Sometimes the DNS configuration is not set up properly and will not resolve names to IPs when you are connected through the VPN.

Check your DNS logs and event viewer.

or
Your connection to the internet is slow. 1450 will generally work fine for RDP and VPN but you have to take into consideration other clients on the network, people streaming music, downloading files, transferring files from/to the server. If your server is fairly powerful you shouldn't have a problem. Check your event viewer and see what kind of errors you are getting and give a little more info.
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 900 total points
ID: 17103841
What kind of VPN are you using? If using a standard Windows PPTP VPN, setting to 1450 can actually cause problems. Usually defaults/automatic will work fine but if setting manually a PPTP VPN needs to be 1430 or lower. If you wish to set it on the client workstation (most important place) run the DrTCP utility to do so. Link available from the following site:
http://www.dslreports.com/faq/7752
LVL 11

Author Comment

by:Eric
ID: 17103884
It's not DNS.
I use IPs for testing. I understand the normal networking issues. I see it come into my network from the VPN, just nothing happens.
Somewhere I saw something about fragmentation, I'll see if I can find that note I made.

I know RDP works via VPN, I have many users doing it every day. This is a "weird" issue.
 
LVL 11

Author Comment

by:Eric
ID: 17103896
RobWill,
I'm using a hardware IPsec VPN.

I tried adding the value to the registry. When the passwords/user names started coming out in different orders is when I started messing with the MTU.
They are all now back to default.
LVL 11

Author Comment

by:Eric
ID: 17103947
2006-07-10 12:47:05 Allow 192.168.2.1 192.168.1.3 3389/tcp 1310 3389 0-WAN/IPsec 1-LAN allowed (decrypted packet, SA info: id 0x50be6f2d, mss not exceeding 1400, idle timeout=43205 sec 48 127 (Sitename_VPN-Any-00)  

2006-07-10 12:47:05 Deny "remote pub IP"  "local pub IP" icmp-Dest_Unreach code(4) 0-WAN Firebox icmp error with data src_ip="local pub IP" dst_ip="remote Pub IP" pr=esp-spi=0x1afd0b85 src_port= dst_port= src_intf='0-WAN' dst_intf='0-WAN'  can not match any flow, drop this packet 56 112 (internal policy)  



Notice my test used the private IPs via VPN, and the ICMP reply went to public IPs :|

That's odd.

I searched the error code 4 and found this.
Code 4: Fragmentation required, and the don't fragment bit was set in the IP header (ICMP_UNREACH_NEEDFRAG)

Note: the typing coming out in the wrong order happened with VPN enabled or using a NAT redirect not through the VPN.
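An added example, not from this thread: a small log scanner for firewall lines in the Firebox format quoted above that flags denied ICMP "Destination Unreachable, fragmentation needed" (type 3, code 4) errors, the signature of a path MTU discovery black hole, and also pulls out the MSS clamp the firewall reports on decrypted IPsec flows. The sample lines are constructed here with placeholder public addresses (203.0.113.10 / 198.51.100.20); the SPI and SA id are the values shown in the post.

```python
import re

# Constructed sample in the Firebox log format quoted in the thread.
# Public addresses are documentation placeholders, not the poster's real ones.
SAMPLE_LOG = """\
2006-07-10 12:47:05 Allow 192.168.2.1 192.168.1.3 3389/tcp 1310 3389 0-WAN/IPsec 1-LAN allowed (decrypted packet, SA info: id 0x50be6f2d, mss not exceeding 1400, idle timeout=43205 sec 48 127 (Sitename_VPN-Any-00)
2006-07-10 12:47:05 Deny 203.0.113.10 198.51.100.20 icmp-Dest_Unreach code(4) 0-WAN Firebox icmp error with data src_ip="198.51.100.20" dst_ip="203.0.113.10" pr=esp-spi=0x1afd0b85 src_port= dst_port= src_intf='0-WAN' dst_intf='0-WAN'  can not match any flow, drop this packet 56 112 (internal policy)
2006-07-10 12:47:06 Deny 203.0.113.10 198.51.100.20 icmp-Dest_Unreach code(1) 0-WAN Firebox can not match any flow, drop this packet 56 112 (internal policy)
"""

ICMP_UNREACH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>Allow|Deny) "
    r"(?P<src>\S+) (?P<dst>\S+) icmp-Dest_Unreach code\((?P<code>\d+)\)"
)
# The ICMP error quotes the offending packet; for a tunnel that is the ESP header + SPI.
INNER_RE = re.compile(r"pr=(?P<proto>\w+)-spi=(?P<spi>0x[0-9a-fA-F]+)")
MSS_RE = re.compile(r"mss not exceeding (?P<mss>\d+)")


def find_pmtud_blackholes(log_text):
    """Return every *denied* ICMP type 3 code 4 (fragmentation needed) error.

    When the firewall drops this error instead of delivering it, the sender never
    learns the path MTU, so its DF-flagged packets just vanish: a PMTUD black hole.
    """
    hits = []
    for line in log_text.splitlines():
        m = ICMP_UNREACH_RE.match(line)
        if not m or m["action"] != "Deny" or int(m["code"]) != 4:
            continue  # allowed errors and other unreachable codes are not the problem
        hit = {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "proto": None, "spi": None}
        inner = INNER_RE.search(line)
        if inner:
            hit["proto"] = inner["proto"]  # 'esp' means the too-big packet was the tunnel itself
            hit["spi"] = inner["spi"]
        hits.append(hit)
    return hits


def mss_clamps(log_text):
    """Collect the TCP MSS clamp values the firewall reports on decrypted flows."""
    return [int(m["mss"]) for m in MSS_RE.finditer(log_text)]


if __name__ == "__main__":
    for h in find_pmtud_blackholes(SAMPLE_LOG):
        print(f"{h['ts']} needs-frag error dropped: {h['src']} -> {h['dst']} ({h['proto']} {h['spi']})")
    print("MSS clamps seen:", mss_clamps(SAMPLE_LOG))
```

A single hit of this kind on ESP traffic is enough to explain DF-flagged RDP packets disappearing; the fix the poster eventually applied (ignoring DF on the IPsec policy) removes the dependency on these errors being delivered.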
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 900 total points
ID: 17105120
With IPsec you shouldn't need to lower the MTU any further. The only articles I have seen regarding IPsec and MTU suggest 1460 and 1480. However you had set it on the local router, not the workstation or its associated router.
Out of curiosity is there any fragmentation when you do a ping test, as per the following articles for determining optimum MTU size:
http://www.dslreports.com/faq/5793
http://www.howtonetworking.com/VPN/mtu4.htm
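The DF-flagged ping sweep suggested above, as an added example that is not from the thread or the linked articles: it binary-searches the largest MTU whose don't-fragment probe is still answered. It assumes Linux iputils `ping` (`-M do` sets DF, `-s` is the ICMP payload size); the probe function is injectable so the search logic can be exercised without a network.

```python
import subprocess
import sys

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df_probe(host, payload, timeout=1):
    """Send one DF-flagged echo request (Linux iputils syntax, assumed).

    With DF set the kernel refuses to fragment locally and routers on the path
    must either deliver the packet or return a 'fragmentation needed' error.
    Returns True only if a reply came back.
    """
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def find_path_mtu(host, lo=576, hi=1500, probe=ping_df_probe):
    """Return the largest MTU in [lo, hi] whose DF probe is answered, or None.

    None means even the minimum probe failed: suspect an ICMP/DF black hole
    (the firewall dropping the needs-frag errors) rather than a tiny MTU.
    `probe(host, payload)` defaults to a real ping; tests pass a fake.
    """
    if not probe(host, lo - IP_ICMP_HEADERS):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2  # bias upward so the loop always makes progress
        if probe(host, mid - IP_ICMP_HEADERS):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.3"  # RDP host from the thread
    mtu = find_path_mtu(target)
    print("no DF probe answered; likely a PMTUD black hole" if mtu is None else f"path MTU: {mtu}")
```

Run it from the VPN client against the private address of the RDP host; a result well under 1500 is the number to feed to the MTU setting on the client, and a None result points at the dropped ICMP errors seen in the firewall log rather than at the MTU value itself.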
LVL 32

Accepted Solution

by:rsivanandan
rsivanandan earned 600 total points
ID: 17105605
The MTU size may go even lower than that in some cases; in Cisco VPN I saw it efficient to be 1300. So you never know. But setting the MTU should not be on the router, but the client machine. If interested take a look at this on how to do this:

http://rsivanandan.wordpress.com/2006/07/09/mtu-settings-for-vpn/

Cheers,
Rajesh
LVL 11

Author Comment

by:Eric
ID: 17365372
It was fixed by clicking an option "ignore the DF flag" in my IPsec settings on my firewall.
LVL 77

Expert Comment

by:Rob Williams
ID: 17365416
Thanks ecszone, for points and update.
--Rob
LVL 32

Expert Comment

by:rsivanandan
ID: 17365447
Thanks, but you still want to follow the suggestions I had in the link; basically it makes sure that fragmentation doesn't happen!

Cheers,
Rajesh
LVL 11

Author Comment

by:Eric
ID: 17365631
I was trying it on the server and it was not working. We were even using packet sniffers. We went down to 1350 I think.
Had packet sniffers, the works... it just wasn't working.
LVL 32

Expert Comment

by:rsivanandan
ID: 17365664
Hmm, I'm not sure, but that is what is required, and exactly what you told your device: to ignore the DF bit and fragment it as necessary...

Cheers,
Rajesh
LVL 11

Author Comment

by:Eric
ID: 17365748
Maybe something weird with the firmware I installed when this started to happen?
Not sure.
