Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1320
  • Last Modified:

very weird networking issues.. related to MTU?

RDP does not work though vpn.  i was told it was MTU.  client packet with vpn overhead was above max size allowed by there dsl provider?

on the day i tested chanign it, rdp started to go through (made it 1450 on my firewall endpoint)  client side firewall does not have a setting.

however it was so slow!  and here is the weird part.  when i typed, it would scrable what i typed.
if i keyed in  123456789123456789   I would get back   something like  12356879124456789
notice alll keys are there, just scrambled.  this was the logon window via rdp.

i dont even know what to say.. or where to begin.  before i dig in much more, maybe someone can give me a clue?
0
Eric
Asked:
Eric
  • 6
  • 3
  • 3
  • +1
3 Solutions
 
bbrunningCommented:
RDP should work fine through the vpn as long as you are connected. Are you trying to connect via computername or ip address? Sometimes the DNS configuration is not setup properly and will not resolve names to ip's when you are connected through the VPN.

Check yur DNS logs and event viewer.

or
You're connection to the internet is slow. 1450 will generally work fine for RDP and VPN but you have to put into consideration other clients on the network, people streaming music, downloading files, transferring files from-to the server. If you server is fairly powerfull you shouldn't have a problem. Check your event viewer and see what kind of errors you are getting and give a little more info.
0
 
Rob WilliamsCommented:
What kid of VPN are you using? If using a standard Windows PPTP VPN, setting to 1450 can actually cause problems. Usually defaults/automatic will work fine but if setting manually a PPTP VPN needs to be 1430 or lower. If you wish to set on the client workstation (most important place) run the DrTCP utility to do so. Link available from following site:
http://www.dslreports.com/faq/7752
0
 
EricIT ManagerAuthor Commented:
its not DNS.
i use ip's for testing. i understand the normal networking issues.  I see it come into my network from the vpn., just nothing happens.
somewhere I saw something about fragmentation, ill see if i can find that note i made.

I know RDP works via VPN, i have many users doing it everyday. this is a "wierd" issue.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
EricIT ManagerAuthor Commented:
RobWill,
im using a hardware, IPSEC VPN.

I tried adding the value to the registry.  when the passwords /user names started coming out in different orders is when I started messing with the MTU.
they are all now back to default.
0
 
EricIT ManagerAuthor Commented:
2006-07-10 12:47:05 Allow 192.168.2.1 192.168.1.3 3389/tcp 1310 3389 0-WAN/IPsec 1-LAN allowed (decrypted packet, SA info: id 0x50be6f2d, mss not exceeding 1400, idle timeout=43205 sec 48 127 (Sitename_VPN-Any-00)  

2006-07-10 12:47:05 Deny "remote pub IP"  "local pub IP" icmp-Dest_Unreach code(4) 0-WAN Firebox icmp error with data src_ip="local pub IP" dst_ip="remote Pub IP" pr=esp-spi=0x1afd0b85 src_port= dst_port= src_intf='0-WAN' dst_intf='0-WAN'  can not match any flow, drop this packet 56 112 (internal policy)  



notice my test used the private IP's via VPN, and the ICMP reply went public ips :|

thats odd.  

I searched the error code 4 and found this.
Code 4: Fragmentation required, and the don't fragment bit was set in the IP header (ICMP_UNREACH_NEEDFRAG)

Note: the typeing coming out in the wrong order happend with vpn enabled or using a nat redirect not through the vpn.  
0
 
Rob WilliamsCommented:
With IPSec you shouldn't need to lower the MTU any further. The only articles I have seen regarding IPSec and MTU suggest 1460 and 1480. However you had set on the local router, not the workstation or it's associated router.
Out of curiosity is there any fragmentation when you do a ping test, as per the following articles for determining optimum MTU size:
http://www.dslreports.com/faq/5793
http://www.howtonetworking.com/VPN/mtu4.htm
0
 
rsivanandanCommented:
The MTU size may go even down that that in some cases, in Cisco VPN I saw it efficient to be 1300. So you never know; But setting the MTU should not be on the router, but the client machine. If interested take a look at this on how to do this;

http://rsivanandan.wordpress.com/2006/07/09/mtu-settings-for-vpn/

Cheers,
Rajesh
0
 
EricIT ManagerAuthor Commented:
it was fixed by clicking an option " ignore the DF flag"  in my ipsec settings on my firewall.

0
 
Rob WilliamsCommented:
Thanks ecszone, for points and update.
--Rob
0
 
rsivanandanCommented:
thnx but you still want to follow the suggestions I had in the link, basically it makes sure that fragmentation doesn't happen!

Cheers,
Rajesh
0
 
EricIT ManagerAuthor Commented:
i was trying it on the server and it was not working.  we were even using packet sniffers. we went down to 1350 I think.
had packet sniffers the works.. it just wasnt working.
0
 
rsivanandanCommented:
hmm.. I'm not sure but that is what is required and exactly what you told your device is to ignore the DF bit and fragment it as necessary...

Cheers,
Rajesh
0
 
EricIT ManagerAuthor Commented:
may be something wierd with the firmware i installed when this started to happen?
not sure.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 6
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now