Solved

Full Network Access Between Two Cisco 877 Routers in EasyVPN Server/Client Link Up

Posted on 2006-11-20
Last Modified: 2013-11-16
I am able to establish a VPN link between HQ and a remote site using two Cisco 877 routers configured as an EasyVPN server and client configuration.

Upon establishing the remote site with a "network extension" mode (not "client" mode), I am only able to ping the HQ Cisco 877 internal IP address but not any other valid internal IPs at HQ. HQ too can only ping the remote site's Cisco 877 internal IP address. "Interesting" traffic has been set correctly as ping destinations are forced via the VPN tunnel when pings are made to both ends' internal IP addresses. But a traceroute (in MSDOS prompt) reveals a "Request timeout error" to IPs other than the Cisco 877 routers' internal IP addresses.

Testing the VPN tunnel (on the remote site's Cisco 877) reveals this error despite a successful link up:

"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."

Both sites have static public IP addresses for the routers.

What could be the problem?
Question by:portalphenom
3 Comments
 
LVL 5

Accepted Solution

by:
WGhen earned 500 total points
ID: 17989674
The VPN encryption makes the packet size larger. If it exceeds the MTU size of the router, and it refuses to fragment the packet, then the packet must be dropped. Standard MTU is 1500.
Try reducing the MTU size a little. In your WAN interface on both ends:
     int s0/0         [or whatever]
     ip mtu 1400
 

1400 is probably slightly smaller than it needs to be, but if this works then you can try, say 1450, 1480 etc. until you break it again.

WGhen
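
The size arithmetic behind the answer above, as an added example that is not part of the original thread: it computes how large an inner packet becomes after ESP tunnel-mode encapsulation and the largest inner MTU that still fits a given path MTU. The transform sets, the 1500-byte path MTU default and all function names are assumptions; the thread does not say which transforms the two routers negotiated.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 4303 layout).
# The transforms below are assumptions; the page does not say which
# transform set the two 877s negotiated.
OUTER_IP = 20      # new IPv4 header added in tunnel mode, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte
NAT_T_UDP = 8      # UDP encapsulation header, only if NAT-T is in use

# name -> (cipher block size, IV size, ICV size), all in bytes
TRANSFORMS = {
    "3des-sha1": (8, 8, 12),     # 3DES-CBC with HMAC-SHA1-96
    "aes-sha1": (16, 16, 12),    # AES-CBC with HMAC-SHA1-96
}

def esp_packet_size(inner_len, transform, nat_t=False):
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    block, iv, icv = TRANSFORMS[transform]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = OUTER_IP + ESP_HEADER + iv + padded + icv
    return size + (NAT_T_UDP if nat_t else 0)

def max_inner_mtu(path_mtu, transform, nat_t=False):
    """Largest inner packet whose encrypted form still fits in path_mtu."""
    for inner_len in range(path_mtu, 0, -1):
        if esp_packet_size(inner_len, transform, nat_t) <= path_mtu:
            return inner_len
    return 0

def report(path_mtu=1500, candidates=(1400, 1450, 1480, 1500)):
    """For each transform: the ceiling, and which candidate ip mtu values fit."""
    out = {}
    for name in TRANSFORMS:
        fits = {c: esp_packet_size(c, name) <= path_mtu for c in candidates}
        out[name] = (max_inner_mtu(path_mtu, name), fits)
    return out

if __name__ == "__main__":
    for name, (ceiling, fits) in report().items():
        print(name, "max inner MTU:", ceiling, fits)
```

If the real path MTU between the sites is below 1500, pass that value as `path_mtu` to get the matching ceiling.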