Solved

MTU Packet size, VPN with Active Directory

Posted on 2007-04-06
5,138 Views
Last Modified: 2010-05-18
I have a Windows 2003 network, with a mix of 2003 and 2000 domain controllers. There are branch offices connected to the LAN via a VPN; recently this VPN was upgraded from Pick boxes to Cisco 1720, and since then Active Directory replication has been troublesome at best. I tested the max packet size with ping: 1472 gets fragmented; 1380 is the max size which can go through without fragmentation.

The current packet size is the default of 1472. There are about 15 DCs in the domain. I spoke to the router vendor, who reports that he cannot increase the packet size because of the tunnel and the encryption he is using.

Just a few questions:

1) If I make no changes, what actions will AD take? Will it try 1472, then scale down to the largest non-fragmented packet size, or will it fragment the packet, and what would the effect of this be?

2) Do I need to edit the registry on each DC to the 1380 packet size?

3) Are there any tools which can help determine if the AD replication packets are being fragmented as currently configured? I know I can use ping to determine the max non-fragmented size, but can I see what AD is doing?

4) What would be the recommended solution to what is going on here?

Thanks
Steve
Question by:AccessYourBiz_Com
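The ping test described in the question can be automated so that the cut-off is found by binary search rather than by hand, and so that an explicit "needs to be fragmented" reply is told apart from a silent drop. The script below is an added example and is not part of the original thread; the target name is hypothetical, and the result matching relies on the English output strings of ping.exe. Note that what ping reports is the ICMP payload: the IP MTU a host should be configured with is the payload plus 28 bytes (20 IPv4 header, 8 ICMP header), so a 1380-byte payload corresponds to a 1408-byte MTU.

```powershell
# Added example (not from the thread): find the largest ICMP payload that
# reaches a remote DC with the Don't Fragment bit set, by binary search.
# Path MTU = payload + 20 (IPv4 header) + 8 (ICMP header).

function Send-DfProbe {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [int]    $Payload
    )
    # -f sets DF, -l is the payload size, -n 1 sends a single echo request,
    # -w is the per-reply timeout in milliseconds. The result strings are
    # those of the English ping.exe; adjust the patterns on localized systems.
    $out = (& ping.exe -n 1 -w 1500 -f -l $Payload $Target 2>&1) -join "`n"
    if ($out -match 'TTL=')                   { return 'Reply' }
    if ($out -match 'needs to be fragmented') { return 'Fragment' }  # ICMP type 3 code 4 came back
    return 'Timeout'                                                  # dropped silently: black hole
}

function Find-PathMtu {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $Low  = 576,     # assumed to always fit (classic IPv4 minimum reassembly size)
        [int] $High = 1472     # 1500-byte Ethernet MTU minus 28 bytes of headers
    )
    if ((Send-DfProbe -Target $Target -Payload $Low) -ne 'Reply') {
        throw "No reply from $Target even at $Low bytes; fix reachability before measuring MTU."
    }
    $silentDrops = $false
    while ($Low -lt $High) {
        # Round up so $mid is always above $Low and the search terminates.
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        switch (Send-DfProbe -Target $Target -Payload $mid) {
            'Reply'    { $Low  = $mid }
            'Fragment' { $High = $mid - 1 }
            'Timeout'  { $High = $mid - 1; $silentDrops = $true }
        }
    }
    [pscustomobject]@{
        Target      = $Target
        MaxPayload  = $Low
        PathMtu     = $Low + 28
        SilentDrops = $silentDrops   # $true: oversize packets vanished without an ICMP error
    }
}

# Hypothetical branch DC name; run from a hub DC, then repeat in the other direction.
Find-PathMtu -Target 'dc01.branch.example.com'
```

Run it in both directions, since the two ends of a tunnel can have different overheads. A `SilentDrops` value of `$true` is the important diagnostic: it means oversize packets were discarded without an ICMP "fragmentation needed" error coming back, which is exactly the black-hole condition that defeats Path MTU Discovery on the hosts.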
10 Comments
 
LVL 38

Assisted Solution

by:Shift-3
Shift-3 earned 300 total points
ID: 18864624
This article has some methods for tuning the MTU to deal with so-called "black hole" routers:
http://support.microsoft.com/kb/314825
LVL 77

Expert Comment

by:Rob Williams
ID: 18864766
>>"the Router Vendor, who reports that he can not increase the packet size "
Correct, 1472 is the maximum, but you want to lower it; they should be able to do that.

Doing the fragmentation test is not truly accurate as you are doing so over a VPN. The VPN takes up some "overhead", so the acceptable packet size would be larger than your tested 1380, but still likely not 1472, based on your tests.

You can easily change the MTU on a given system using the common DrTCP tool
http://www.dslreports.com/drtcp
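The tunnel "overhead" mentioned above can be estimated rather than guessed. The functions below are an added example, not from the thread: they add up the standard ESP tunnel-mode field sizes from RFC 4303 (outer IPv4 header, SPI and sequence number, CBC IV, padding to the cipher block, two trailer bytes, 12-byte HMAC authenticator) and work out the largest inner packet that fits in a 1500-byte outer packet. The cipher and HMAC choices are assumptions about the Cisco configuration that only the router vendor can confirm; if the tunnel is GRE over IPsec, at least another 24 bytes (IP plus GRE header) come off the inner side.

```powershell
# Added example (not from the thread): estimate IPsec ESP tunnel-mode overhead
# and the largest inner packet that fits in a 1500-byte outer packet.
# Field sizes follow RFC 4303; the cipher/HMAC choices are assumptions.

function Get-EspBlockSize {
    param([ValidateSet('3des', 'aes')] [string] $Cipher)
    if ($Cipher -eq 'aes') { 16 } else { 8 }   # CBC block size, also the IV length
}

function Get-EspInnerMtu {
    param(
        [int] $OuterMtu = 1500,
        [ValidateSet('3des', 'aes')] [string] $Cipher = 'aes',
        [switch] $NatTraversal            # UDP/4500 encapsulation adds 8 bytes
    )
    $blockSize = Get-EspBlockSize -Cipher $Cipher
    $outerIp   = 20                       # outer IPv4 header
    $udp       = if ($NatTraversal) { 8 } else { 0 }
    $espHeader = 8                        # SPI (4) + sequence number (4)
    $iv        = $blockSize
    $trailer   = 2                        # pad length (1) + next header (1)
    $icv       = 12                       # HMAC-MD5-96 / HMAC-SHA1-96 authenticator

    # The encrypted body (inner packet + padding + trailer) must be a whole
    # number of cipher blocks, so take the largest block-aligned body that
    # fits after the fixed headers, then remove the trailer.
    $fixed    = $outerIp + $udp + $espHeader + $iv + $icv
    $bodyMax  = $OuterMtu - $fixed
    $bodyMax -= $bodyMax % $blockSize
    $innerMtu = $bodyMax - $trailer

    [pscustomobject]@{
        Cipher       = $Cipher
        NatTraversal = [bool] $NatTraversal
        FixedBytes   = $fixed
        InnerMtu     = $innerMtu
        Overhead     = $OuterMtu - $innerMtu
    }
}

function Get-EspEncapsulatedSize {
    # Outer size of one inner packet of a given length, including the padding
    # that a non-block-aligned length costs.
    param(
        [Parameter(Mandatory)] [int] $InnerLength,
        [ValidateSet('3des', 'aes')] [string] $Cipher = 'aes',
        [switch] $NatTraversal
    )
    $blockSize = Get-EspBlockSize -Cipher $Cipher
    $pad = ($blockSize - (($InnerLength + 2) % $blockSize)) % $blockSize
    $udp = if ($NatTraversal) { 8 } else { 0 }
    20 + $udp + 8 + $blockSize + $InnerLength + $pad + 2 + 12
}

Get-EspInnerMtu -Cipher aes
Get-EspInnerMtu -Cipher 3des -NatTraversal
# A 1380-byte ping payload is a 1408-byte IP packet; this is its size on the wire inside the tunnel.
Get-EspEncapsulatedSize -InnerLength 1408 -Cipher aes
```

The point of the second function is that ESP padding makes the overhead depend on the inner length, which is why a single "the tunnel costs N bytes" figure from a vendor is only approximate; compare the computed `InnerMtu` with the payload-plus-28 figure from a DF ping sweep, and if the two disagree by much more than a cipher block, something other than plain ESP (GRE, a second tunnel, a lower WAN MTU) is in the path.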
LVL 3

Author Comment

by:AccessYourBiz_Com
ID: 18864997
If I make no changes, what actions will AD take? Will it try 1472, then scale down to the largest non-fragmented packet size, or will it fragment the packet or drop the packet, and what would the effect of this be?

Right now AD appears to be replicating. If the max size is 1380 and the MTU on the DCs is set to the default, how is this being replicated?
LVL 77

Expert Comment

by:Rob Williams
ID: 18865044
AD will not "scale down to the largest non fragmented packet size"
The only time Windows will change the default packet size is if it sees the presence of a specified Internet service. For example, if you configure a network adapter to connect directly to the Internet using a PPPoE connection, it will set it to 1492, an L2TP/IPSec connection to 1472, etc.

The reason it is likely currently working is that the device/server creating the packet is doing so at an acceptable size. Usually it is recommended that all generating sources and routers at the same site be changed, but I have found as a rule that if the device generating the packet is reduced, the packet size will be passed along unchanged, except of course with additional header information being added, such as VPN encapsulation.
LVL 3

Author Comment

by:AccessYourBiz_Com
ID: 18884471
If I wanted to adjust the MTU in the registry to 1380, where is that key located?

Thanks
Steve
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 900 total points
ID: 18884529
The key actually doesn't exist unless it has been changed at some point in the past. At that, it is difficult to find, as there can be numerous active and old registry key sets for the same adapter. The easiest way to change it is with the well-known DrTCP tool:
http://www.dslreports.com/drtcp
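The registry value Rob is describing is the per-interface MTU of Method 3 in the KB 314825 article Shift-3 linked: a REG_DWORD named MTU under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>. The script below is an added example, not from the thread; it lists every interface key with the addresses stored under it, so the right GUID can be picked without a third-party tool, and writes the value. The address 192.0.2.10 is a documentation-range placeholder standing in for the DC's LAN address.

```powershell
# Added example (not from the thread): find the TCP/IP interface key for a
# DC's LAN adapter and set the per-interface MTU value from KB 314825
# Method 3. The value is a REG_DWORD that normally does not exist until set;
# Windows 2000/2003 reads it at start-up, so a restart is required.

$IfRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-TcpipInterfaceMtu {
    # One row per interface GUID: its address(es) and the current MTU value, if any.
    Get-ChildItem -Path $IfRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Static adapters populate IPAddress, DHCP adapters DhcpIPAddress (REG_MULTI_SZ).
        $addr = @($p.IPAddress) + @($p.DhcpIPAddress) |
                Where-Object { $_ -and ($_ -ne '0.0.0.0') }
        $mtu  = if ($null -ne $p.MTU) { [int] $p.MTU } else { $null }
        [pscustomobject]@{
            Guid    = $_.PSChildName
            Address = ($addr -join ',')
            Mtu     = $mtu          # $null means the stack default (1500 on Ethernet)
        }
    }
}

function Set-TcpipInterfaceMtu {
    param(
        [Parameter(Mandatory)] [string] $Address,   # IP of the adapter to change
        [Parameter(Mandatory)] [ValidateRange(576, 1500)] [int] $Mtu
    )
    $match = @(Get-TcpipInterfaceMtu | Where-Object { ($_.Address -split ',') -contains $Address })
    if ($match.Count -eq 0) { throw "No TCP/IP interface key carries address $Address." }
    if ($match.Count -gt 1) { throw "Address $Address appears under more than one interface key; choose the GUID by hand." }
    $key = Join-Path -Path $IfRoot -ChildPath $match[0].Guid
    # Keep the previous value so the change can be reverted with Remove-ItemProperty.
    $before = $match[0].Mtu
    Set-ItemProperty -Path $key -Name 'MTU' -Value $Mtu -Type DWord
    [pscustomobject]@{
        Guid            = $match[0].Guid
        PreviousMtu     = $before
        NewMtu          = $Mtu
        RestartRequired = $true
    }
}

Get-TcpipInterfaceMtu | Format-Table -AutoSize
# 192.0.2.10 (RFC 5737 documentation range) stands in for the DC's LAN address.
# 1408 is the MTU implied by a 1380-byte ping payload (1380 + 20 IPv4 + 8 ICMP).
Set-TcpipInterfaceMtu -Address '192.0.2.10' -Mtu 1408
```

Two practitioner notes: the value is the IP MTU, not the ping payload, so use payload plus 28 (or a lower round figure if you want margin), and Method 1 of the same KB article (EnablePMTUBHDetect = 1 under Tcpip\Parameters, one level above the Interfaces keys) is the less intrusive alternative, since it leaves the MTU at 1500 and only falls back when a black hole is actually detected.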
LVL 38

Expert Comment

by:Shift-3
ID: 18886215
See Method 3 from my link.
Assisted Solution

by:expertssmart
expertssmart earned 300 total points
ID: 18896424
Hi,
Fragmentation is not a good idea as it causes overhead: every fragment requires the IP header (20 or 40 bytes), and with IPv6, an additional 8 bytes for the Fragment Header.
Changing the MTU size in the hosts (DCs in this case) is also not recommended. Ideally in this scenario, Path MTU Discovery (PMTUD) is used; this is done by sending an ICMP message to the transmitting host (Packet Too Big). The MTU size is then mutually negotiated, and further transmission happens at the acceptable MTU size.
This requires ICMP to be allowed on the router and host interfaces.

Please go through "IETF RFC 4459 / RFC4459" to learn more about MTU and Fragmentation Issues with In-the-Network Tunneling.

Jordan
LVL 77

Expert Comment

by:Rob Williams
ID: 18970100
Thanks AccessYourBiz_Com,
Cheers !
--Rob
LVL 1

Expert Comment

by:Yamumm
ID: 23046524
http://support.microsoft.com/kb/244474 is how to force Kerberos to use TCP, not UDP. It would appear that over a VPN, UDP packets were black-holing; forcing TCP resolved our issue straight away. I have previously set MTU sizes etc. without any joy. We can now get to network shares very quickly.

Cheers

Martin
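The Kerberos change Martin refers to (KB 244474) is a single registry value, MaxPacketSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; set to 1 it makes every Kerberos request go over TCP, which is segmented by the sender and so never depends on UDP fragments surviving the tunnel. The script below is an added example, not from the thread. It first checks that TCP port 88 on the DC is actually reachable across the VPN before forcing TCP, because doing so against a DC whose TCP/88 is filtered would break authentication instead of fixing it. The DC name is hypothetical.

```powershell
# Added example (not from the thread): the KB 244474 setting that makes the
# Kerberos client use TCP instead of UDP, guarded by a TCP/88 reachability
# check against the DC so TCP is not forced towards a DC it cannot reach.

$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Test-KerberosTcpPort {
    # Plain TCP connect to the KDC port; no Kerberos exchange is attempted.
    param(
        [Parameter(Mandatory)] [string] $Dc,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Dc, 88, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # timed out
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false   # refused, unresolved name, etc.
    } finally {
        $client.Close()
    }
}

function Set-KerberosUseTcp {
    param([Parameter(Mandatory)] [string] $Dc)
    if (-not (Test-KerberosTcpPort -Dc $Dc)) {
        throw "TCP/88 on $Dc is not reachable; forcing Kerberos over TCP would break logons here, not fix them."
    }
    if (-not (Test-Path -Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    # MaxPacketSize is the UDP datagram size above which Kerberos falls back
    # to TCP; 1 sends every request over TCP (KB 244474). Vista/2008 and
    # later already default to TCP, so this matters for 2000/XP/2003 clients.
    $before = (Get-ItemProperty -Path $KerbKey -ErrorAction SilentlyContinue).MaxPacketSize
    Set-ItemProperty -Path $KerbKey -Name 'MaxPacketSize' -Value 1 -Type DWord
    [pscustomobject]@{
        Previous      = $before
        MaxPacketSize = 1
        Note          = 'Restart for the Kerberos SSP to read the new value.'
    }
}

# Hypothetical DC name.
Set-KerberosUseTcp -Dc 'dc01.branch.example.com'
```

This is a client-side workaround, not a fix for the path: Kerberos tickets carrying a large PAC are the usual UDP datagrams that exceed the tunnel MTU, so moving them to TCP removes that symptom while leaving any other fragmented UDP traffic over the VPN exposed to the same black hole.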