Solved

very weird networking issues.. related to MTU?

Posted on 2006-07-13
Last Modified: 2007-12-19
RDP does not work through VPN. I was told it was MTU. Client packet with VPN overhead was above the max size allowed by their DSL provider?

On the day I tested changing it, RDP started to go through (made it 1450 on my firewall endpoint). The client-side firewall does not have a setting.

However, it was so slow! And here is the weird part: when I typed, it would scramble what I typed.
If I keyed in 123456789123456789, I would get back something like 12356879124456789.
Notice all keys are there, just scrambled. This was the logon window via RDP.

I don't even know what to say, or where to begin. Before I dig in much more, maybe someone can give me a clue?
Question by:Eric
14 Comments
 
LVL 10

Expert Comment

by:bbrunning
ID: 17103634
RDP should work fine through the VPN as long as you are connected. Are you trying to connect via computer name or IP address? Sometimes the DNS configuration is not set up properly and will not resolve names to IPs when you are connected through the VPN.

Check your DNS logs and event viewer.

or
Your connection to the internet is slow. 1450 will generally work fine for RDP and VPN, but you have to take into consideration other clients on the network: people streaming music, downloading files, transferring files to and from the server. If your server is fairly powerful you shouldn't have a problem. Check your event viewer and see what kind of errors you are getting and give a little more info.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 300 total points
ID: 17103841
What kind of VPN are you using? If using a standard Windows PPTP VPN, setting to 1450 can actually cause problems. Usually defaults/automatic will work fine, but if setting manually a PPTP VPN needs to be 1430 or lower. If you wish to set it on the client workstation (most important place), run the DrTCP utility to do so. Link available from the following site:
http://www.dslreports.com/faq/7752
0
 
LVL 11

Author Comment

by:Eric
ID: 17103884
It's not DNS.
I use IPs for testing. I understand the normal networking issues. I see it come into my network from the VPN, just nothing happens.
Somewhere I saw something about fragmentation; I'll see if I can find that note I made.

I know RDP works via VPN, I have many users doing it every day. This is a "weird" issue.
0
 
LVL 11

Author Comment

by:Eric
ID: 17103896
RobWill,
I'm using a hardware IPsec VPN.

I tried adding the value to the registry. When the passwords/user names started coming out in different orders is when I started messing with the MTU.
They are all now back to default.
0
 
LVL 11

Author Comment

by:Eric
ID: 17103947
2006-07-10 12:47:05 Allow 192.168.2.1 192.168.1.3 3389/tcp 1310 3389 0-WAN/IPsec 1-LAN allowed (decrypted packet, SA info: id 0x50be6f2d, mss not exceeding 1400, idle timeout=43205 sec 48 127 (Sitename_VPN-Any-00)  

2006-07-10 12:47:05 Deny "remote pub IP"  "local pub IP" icmp-Dest_Unreach code(4) 0-WAN Firebox icmp error with data src_ip="local pub IP" dst_ip="remote Pub IP" pr=esp-spi=0x1afd0b85 src_port= dst_port= src_intf='0-WAN' dst_intf='0-WAN'  can not match any flow, drop this packet 56 112 (internal policy)  
Notice my test used the private IPs via VPN, and the ICMP reply went to public IPs :|

That's odd.

I searched the error code 4 and found this:
Code 4: Fragmentation required, and the don't fragment bit was set in the IP header (ICMP_UNREACH_NEEDFRAG)

Note: the typing coming out in the wrong order happened with VPN enabled or using a NAT redirect not through the VPN.
0
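The two log lines above show an ICMP "fragmentation needed" (code 4) message being dropped by the firewall, which is the classic PMTUD black-hole symptom: the sender never learns the path MTU and keeps emitting DF packets that are too large. As an added example (not from the thread or from WatchGuard), this Python script parses Firebox-style log lines modelled on the ones quoted, flags dropped code-4 messages per ESP SPI, and estimates the outer ESP packet size for the SA's MSS clamp; the sample lines, the RFC 5737 placeholder public addresses and the 58-byte tunnel-overhead figure are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the two Firebox log lines quoted in the thread.
# Public addresses are RFC 5737 documentation placeholders, not the poster's.
SAMPLE_LOG = """\
2006-07-10 12:47:05 Allow 192.168.2.1 192.168.1.3 3389/tcp 1310 3389 0-WAN/IPsec 1-LAN allowed (decrypted packet, SA info: id 0x50be6f2d, mss not exceeding 1400, idle timeout=43205 sec 48 127 (Sitename_VPN-Any-00)
2006-07-10 12:47:05 Deny 203.0.113.10 198.51.100.20 icmp-Dest_Unreach code(4) 0-WAN Firebox icmp error with data src_ip="198.51.100.20" dst_ip="203.0.113.10" pr=esp-spi=0x1afd0b85 src_port= dst_port= src_intf='0-WAN' dst_intf='0-WAN'  can not match any flow, drop this packet 56 112 (internal policy)
"""

MSS_RE = re.compile(r"mss not exceeding (\d+)")
UNREACH_RE = re.compile(r"icmp-Dest_Unreach code\((\d+)\)")
ESP_SPI_RE = re.compile(r"pr=esp-spi=(0x[0-9a-fA-F]+)")

@dataclass
class PmtudReport:
    mss_clamps: list = field(default_factory=list)        # MSS values the IPsec SA advertises
    dropped_needfrag: list = field(default_factory=list)  # ESP SPIs whose Frag-Needed was dropped

def analyse(log_text):
    """Scan Firebox traffic-log lines for signs of a PMTUD black hole."""
    rep = PmtudReport()
    for line in log_text.splitlines():
        m = MSS_RE.search(line)
        if m:
            rep.mss_clamps.append(int(m.group(1)))
        m = UNREACH_RE.search(line)
        # ICMP type 3 code 4 = "fragmentation needed and DF set" (ICMP_UNREACH_NEEDFRAG).
        # When the firewall drops it, the original sender never sees the smaller MTU.
        if m and int(m.group(1)) == 4 and "drop this packet" in line:
            spi = ESP_SPI_RE.search(line)
            rep.dropped_needfrag.append(spi.group(1) if spi else "unknown")
    return rep

def black_hole_suspected(rep):
    return bool(rep.dropped_needfrag)

# Assumed ESP tunnel-mode overhead: outer IPv4 20 + ESP header 8 + IV 8 + pad/trailer
# up to ~10 + ICV 12. A representative figure, not a value taken from the thread.
ESP_TUNNEL_OVERHEAD = 58

def esp_packet_size(mss, ip_tcp_headers=40, overhead=ESP_TUNNEL_OVERHEAD):
    """Outer ESP packet length carrying one full-size TCP segment of the given MSS."""
    return mss + ip_tcp_headers + overhead

if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    print(rep, "black hole suspected:", black_hole_suspected(rep))
    for mss in rep.mss_clamps:  # compare against a PPPoE DSL link MTU of 1492
        print(f"MSS {mss} -> outer ESP packet of {esp_packet_size(mss)} bytes")
```

A 1400-byte MSS clamp still yields a 1498-byte outer packet under these assumptions, which exceeds a 1492-byte PPPoE link, so either the clamp must shrink or the tunnel endpoint must be allowed to fragment (the "ignore DF" fix described later in the thread).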
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 300 total points
ID: 17105120
With IPsec you shouldn't need to lower the MTU any further. The only articles I have seen regarding IPsec and MTU suggest 1460 and 1480. However, you had set it on the local router, not the workstation or its associated router.
Out of curiosity, is there any fragmentation when you do a ping test, as per the following articles for determining optimum MTU size:
http://www.dslreports.com/faq/5793
http://www.howtonetworking.com/VPN/mtu4.htm
0
 
LVL 32

Accepted Solution

by:rsivanandan
rsivanandan earned 200 total points
ID: 17105605
The MTU size may go even lower than that in some cases; in Cisco VPN I saw it efficient to be 1300. So you never know. But setting the MTU should not be on the router, but the client machine. If interested, take a look at this on how to do this:

http://rsivanandan.wordpress.com/2006/07/09/mtu-settings-for-vpn/

Cheers,
Rajesh
0
 
LVL 11

Author Comment

by:Eric
ID: 17365372
It was fixed by clicking an option "ignore the DF flag" in my IPsec settings on my firewall.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17365416
Thanks ecszone, for points and update.
--Rob
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17365447
Thanks, but you still want to follow the suggestions I had in the link; basically it makes sure that fragmentation doesn't happen!

Cheers,
Rajesh
0
 
LVL 11

Author Comment

by:Eric
ID: 17365631
I was trying it on the server and it was not working. We were even using packet sniffers. We went down to 1350, I think.
Had packet sniffers, the works.. it just wasn't working.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17365664
Hmm.. I'm not sure, but that is what is required, and exactly what you told your device to do: ignore the DF bit and fragment it as necessary...

Cheers,
Rajesh
0
 
LVL 11

Author Comment

by:Eric
ID: 17365748
Maybe something weird with the firmware I installed when this started to happen?
Not sure.
0
