Solved

very weird networking issues.. related to MTU?

Posted on 2006-07-13
Last Modified: 2007-12-19
RDP does not work through VPN. I was told it was MTU. Client packet with VPN overhead was above max size allowed by their DSL provider?

On the day I tested changing it, RDP started to go through (made it 1450 on my firewall endpoint). Client side firewall does not have a setting.

However it was so slow! And here is the weird part. When I typed, it would scramble what I typed.
If I keyed in 123456789123456789 I would get back something like 12356879124456789
Notice all keys are there, just scrambled. This was the logon window via RDP.

I don't even know what to say, or where to begin. Before I dig in much more, maybe someone can give me a clue?
Question by:Eric

14 Comments
LVL 10

Expert Comment

by:bbrunning
ID: 17103634
RDP should work fine through the VPN as long as you are connected. Are you trying to connect via computer name or IP address? Sometimes the DNS configuration is not set up properly and will not resolve names to IPs when you are connected through the VPN.

Check your DNS logs and event viewer.

or
Your connection to the internet is slow. 1450 will generally work fine for RDP and VPN but you have to take into consideration other clients on the network, people streaming music, downloading files, transferring files from/to the server. If your server is fairly powerful you shouldn't have a problem. Check your event viewer and see what kind of errors you are getting and give a little more info.
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 300 total points
ID: 17103841
What kind of VPN are you using? If using a standard Windows PPTP VPN, setting to 1450 can actually cause problems. Usually defaults/automatic will work fine but if setting manually a PPTP VPN needs to be 1430 or lower. If you wish to set on the client workstation (most important place) run the DrTCP utility to do so. Link available from the following site:
http://www.dslreports.com/faq/7752
LVL 11

Author Comment

by:Eric
ID: 17103884
It's not DNS.
I use IPs for testing. I understand the normal networking issues. I see it come into my network from the VPN, just nothing happens.
Somewhere I saw something about fragmentation, I'll see if I can find that note I made.

I know RDP works via VPN, I have many users doing it every day. This is a "weird" issue.
LVL 11

Author Comment

by:Eric
ID: 17103896
RobWill,
I'm using a hardware IPsec VPN.

I tried adding the value to the registry. When the passwords/user names started coming out in different orders is when I started messing with the MTU.
They are all now back to default.
LVL 11

Author Comment

by:Eric
ID: 17103947
2006-07-10 12:47:05 Allow 192.168.2.1 192.168.1.3 3389/tcp 1310 3389 0-WAN/IPsec 1-LAN allowed (decrypted packet, SA info: id 0x50be6f2d, mss not exceeding 1400, idle timeout=43205 sec 48 127 (Sitename_VPN-Any-00)  

2006-07-10 12:47:05 Deny "remote pub IP"  "local pub IP" icmp-Dest_Unreach code(4) 0-WAN Firebox icmp error with data src_ip="local pub IP" dst_ip="remote Pub IP" pr=esp-spi=0x1afd0b85 src_port= dst_port= src_intf='0-WAN' dst_intf='0-WAN'  can not match any flow, drop this packet 56 112 (internal policy)  



Notice my test used the private IPs via VPN, and the ICMP reply went to public IPs :|

That's odd.

I searched the error code 4 and found this.
Code 4: Fragmentation required, and the don't fragment bit was set in the IP header (ICMP_UNREACH_NEEDFRAG)

Note: the typing coming out in the wrong order happened with VPN enabled or using a NAT redirect not through the VPN.
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 300 total points
ID: 17105120
With IPSec you shouldn't need to lower the MTU any further. The only articles I have seen regarding IPSec and MTU suggest 1460 and 1480. However you had set it on the local router, not the workstation or its associated router.
Out of curiosity is there any fragmentation when you do a ping test, as per the following articles for determining optimum MTU size:
http://www.dslreports.com/faq/5793
http://www.howtonetworking.com/VPN/mtu4.htm
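Eric's two log lines (an ESP packet crossing the tunnel, then the firewall dropping an ICMP "fragmentation needed" error that came back on the public addresses) and the ping test Rob suggests are both sides of the same mechanism, path MTU discovery. The following Python model is an added example written for this thread, not code from the thread, the firewall vendor or the linked articles: it sizes an ESP tunnel-mode packet, builds and parses the ICMP type 3 / code 4 message, and runs a sender against a simulated hop once with the ICMP allowed and once with it filtered. The ESP overhead figures (assumed AES-CBC with HMAC-SHA1-96), the addresses, the MTUs and the hop behaviour are all constructed assumptions; nothing touches a real network.

```python
"""Path MTU discovery model: IPsec ESP overhead, ICMP code 4, and the black
hole created when a firewall drops that ICMP. Added example; all sizes,
addresses and overhead figures are constructed assumptions."""
import struct

# Constructed ESP tunnel-mode overhead (assumed AES-CBC + HMAC-SHA1-96; the
# real figures depend on the cipher suite the tunnel negotiates).
OUTER_IP = 20      # new outer IPv4 header
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # truncated HMAC-SHA1 integrity check value
DF_FLAG = 0x4000   # "don't fragment" bit in the IPv4 flags/fragment field


def esp_tunnel_size(inner_len):
    """On-the-wire size of an inner packet of inner_len bytes after ESP tunnel
    encapsulation: payload plus trailer padded to the 16-byte AES block, then
    ESP header, IV, ICV and a new outer IPv4 header."""
    padded = (inner_len + ESP_TRAILER + 15) // 16 * 16
    return OUTER_IP + ESP_HDR + ESP_IV + padded + ESP_ICV


def ipv4_header(src, dst, total_len, df):
    """Minimal 20-byte IPv4 header (checksum left zero). The total-length
    field is what the simulated hop compares against its MTU."""
    flags = DF_FLAG if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags,
                       64, 50, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def build_frag_needed(next_hop_mtu, offending_packet):
    """ICMP Destination Unreachable, code 4 (RFC 1191 layout): type, code,
    checksum (zero here), two unused bytes, next-hop MTU, then the offending
    packet's IP header plus its first 8 bytes."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending_packet[:28]


def parse_frag_needed(icmp):
    """Return (next_hop_mtu, original_src, original_dst), or None if the
    message is not type 3 / code 4."""
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != 3 or code != 4:
        return None
    inner = icmp[8:]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    return mtu, src, dst


class Hop:
    """One link with a fixed MTU. icmp_filtered models a firewall that drops
    the ICMP error, as in the 'can not match any flow, drop this packet' line."""

    def __init__(self, link_mtu, icmp_filtered=False):
        self.link_mtu = link_mtu
        self.icmp_filtered = icmp_filtered

    def send(self, packet):
        total_len = struct.unpack("!H", packet[2:4])[0]
        df = bool(struct.unpack("!H", packet[6:8])[0] & DF_FLAG)
        if total_len <= self.link_mtu:
            return "ok", None
        if not df:
            return "fragmented", None   # router splits it, far end reassembles
        if self.icmp_filtered:
            return "dropped", None      # black hole: sender never learns why
        return "icmp", build_frag_needed(self.link_mtu, packet)


def discover_pmtu(hop, start_mtu=1500, max_tries=8):
    """Classic PMTUD: send DF probes and shrink to the MTU the ICMP error
    reports. Returns (mtu, 'ok') once a probe gets through, or
    (mtu, 'black hole') when an oversize DF probe silently vanishes."""
    mtu = start_mtu
    for _ in range(max_tries):
        probe = ipv4_header("192.168.1.3", "192.168.2.1", mtu, df=True)
        result, payload = hop.send(probe)
        if result == "ok":
            return mtu, "ok"
        if result == "icmp":
            mtu = parse_frag_needed(payload)[0]
            continue
        return mtu, "black hole"
    return mtu, "gave up"


def send_through_tunnel(hop, inner_len, ignore_df=False):
    """Encapsulate an inner packet and push the outer ESP packet into the hop.
    ignore_df clears DF on the outer packet, which is what an 'ignore the DF
    flag' tunnel option does, so the link fragments instead of dropping."""
    outer = ipv4_header("198.51.100.1", "203.0.113.1",
                        esp_tunnel_size(inner_len), df=not ignore_df)
    return hop.send(outer)[0]


if __name__ == "__main__":
    print("1500-byte inner packet on the wire:", esp_tunnel_size(1500))
    print("PMTUD, ICMP allowed:", discover_pmtu(Hop(1400)))
    print("PMTUD, ICMP filtered:", discover_pmtu(Hop(1400, icmp_filtered=True)))
    print("DF kept, ICMP filtered:", send_through_tunnel(Hop(1500, True), 1500))
    print("DF ignored:", send_through_tunnel(Hop(1500, True), 1500, ignore_df=True))
```

In the model a 1500-byte inner packet grows to 1560 bytes after encapsulation, so it cannot cross a 1500-byte link intact; with the ICMP error delivered the sender drops to the reported MTU on the second probe, while with the error filtered every full-size DF packet is lost and the sender gets no signal at all (the black hole), though packets small enough to fit still pass. Clearing DF on the outer packet trades that loss for fragmentation. To run the same probe against a real path, the DF-ping sweep Rob links to uses `ping -M do -s <size> <host>` on Linux or `ping -f -l <size> <host>` on Windows; a reply at payload size N means N plus 28 bytes of IP and ICMP header fits the path.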
LVL 32

Accepted Solution

by:rsivanandan
rsivanandan earned 200 total points
ID: 17105605
The MTU size may go even lower than that in some cases; in Cisco VPN I saw it efficient to be 1300. So you never know. But setting the MTU should not be on the router, but the client machine. If interested take a look at this on how to do this:

http://rsivanandan.wordpress.com/2006/07/09/mtu-settings-for-vpn/

Cheers,
Rajesh
LVL 11

Author Comment

by:Eric
ID: 17365372
It was fixed by clicking an option "ignore the DF flag" in my IPsec settings on my firewall.
LVL 77

Expert Comment

by:Rob Williams
ID: 17365416
Thanks ecszone, for points and update.
--Rob
LVL 32

Expert Comment

by:rsivanandan
ID: 17365447
Thanks, but you still want to follow the suggestions I had in the link; basically it makes sure that fragmentation doesn't happen!

Cheers,
Rajesh
LVL 11

Author Comment

by:Eric
ID: 17365631
I was trying it on the server and it was not working. We were even using packet sniffers. We went down to 1350 I think.
Had packet sniffers, the works... it just wasn't working.
LVL 32

Expert Comment

by:rsivanandan
ID: 17365664
Hmm... I'm not sure, but that is what is required and exactly what you told your device: to ignore the DF bit and fragment it as necessary...

Cheers,
Rajesh
LVL 11

Author Comment

by:Eric
ID: 17365748
Maybe something weird with the firmware I installed when this started to happen?
Not sure.