Lotus Notes VPN problems started when Cisco PIX 506E replaced by ASA 5505

Posted on 2007-07-24
Last Modified: 2013-11-16
Our company has a site-to-site VPN with our mother company in Japan, primarily for connectivity with the Lotus Notes Domino server there.  The VPN is hosted by a Cisco PIX 515E in Japan, and we were using a Cisco PIX 506E here in the states.
However, about a month ago, I unplugged our PIX 506E to plug it into our new UPS unit, and I couldn't get it to boot back up.  So we purchased a new Cisco ASA 5505 to replace it.
I reloaded the old PIX ver. 6.3 config as best I could into the new ASA Version 7.2, (I obtained the pre-shared key info from Japan) and surprisingly enough, the VPN was re-established!  I can put Japan IP addresses into my Explorer address field and enter the access username and password and then browse files over there.
However, the problem is that our Lotus Notes connectivity is now limited.  Before when we were using our PIX 506E, Lotus Notes users here could connect to all databases, send and receive Lotus mail, and write to the database with no problems.  Now that we are VPN'ed through the ASA 5505 on our end, Lotus Notes users can connect to most - but not all - databases, and can read mail but not send it, and can read from but not write to any databases.
We are using Lotus Notes domino client version 4.6.5a here.  I don't know anything about what Lotus Notes server they are running in Japan.
Question by:KTN-IT
16 Comments
 
LVL 5

Author Comment

by:KTN-IT
ID: 19559130
Here is our old PIX 506E config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Alohomora encrypted
passwd hocuspocus encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq pptp
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.1.4.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.1.4.0 255.255.255.0
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside aa.aaa.aa.145 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aa.aaa.aa.149 192.168.2.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 aa.aaa.aa.150 1
route inside 192.168.0.0 255.255.255.0 192.168.2.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set p2policy esp-des esp-md5-hmac
crypto map kawasaki 1 ipsec-isakmp
crypto map kawasaki 1 match address 101
crypto map kawasaki 1 set peer jjj.jjj.jj.240
crypto map kawasaki 1 set transform-set p2policy
crypto map kawasaki interface outside
isakmp enable outside
isakmp key ******** address jjj.jjj.jj.240 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 50
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.100-192.168.2.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 19559228
Here is the PIX 515E config in Japan:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 jnx security10
enable password abracadabra encrypted
passwd opensesame encrypted
hostname xx-fw
domain-name intra.xx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 80 permit icmp any any
access-list 80 permit ip any any
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit icmp any any
pager lines 24
logging on
logging trap debugging
logging host inside 192.1.1.251
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu jnx 1500
ip address outside pppoe setroute
ip address inside 192.1.1.253 255.255.255.0
ip address jnx xxx.xxx.xxx.238 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 yyy.yyy.yy.242
global (jnx) 1 xxx.xxx.xxx.241
nat (inside) 0 access-list 101
nat (inside) 1 192.1.1.0 255.255.255.0 0 0
nat (inside) 1 192.1.2.0 255.255.255.0 0 0
nat (inside) 1 192.1.3.0 255.255.255.0 0 0
nat (inside) 1 192.1.4.0 255.255.255.0 0 0
static (inside,outside) yyy.yyy.yy.243 192.1.1.251 netmask 255.255.255.255 0 0
static (inside,jnx) xxx.xxx.xxx.242 192.1.1.251 netmask 255.255.255.255 0 0
access-group 80 in interface inside
conduit permit icmp any any
conduit permit tcp host yyy.yyy.yy.243 eq telnet host bbb.bbb.bb.2
conduit permit tcp host xxx.xxx.xxx.242 eq telnet zzz.zzz.zzz.224 255.255.255.248
conduit permit ip 192.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.3.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.4.0 255.255.255.0 192.168.2.0 255.255.255.0
route jnx ccc.cc.248.0 255.255.255.0 xxx.xxx.xxx.233 1
route inside 192.1.2.0 255.255.255.0 192.1.1.254 1
route inside 192.1.3.0 255.255.255.0 192.1.1.254 1
route inside 192.1.4.0 255.255.255.0 192.1.1.254 1
route jnx eee.ee.eee.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx fff.ff.23.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ggg.ggg.20.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx hhh.hhh.119.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.130.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.131.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.132.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.133.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.134.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.135.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.136.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.137.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.140.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.141.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.142.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.143.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.144.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.145.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.146.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.147.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx xxx.xxx.xxx.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.149.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx zzz.zzz.zzz.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.151.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx iii.iii.110.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.216.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.217.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.218.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.219.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.220.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.221.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.222.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx kkk.kk.160.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx kkk.kk.164.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.224.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.225.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.226.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.228.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.229.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.230.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.231.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx lll.lll.97.0 255.255.255.0 xxx.xxx.xxx.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set test1 esp-des esp-md5-hmac
crypto map kawasaki 1 ipsec-isakmp
crypto map kawasaki 1 match address 101
crypto map kawasaki 1 set peer aa.aaa.aa.145
crypto map kawasaki 1 set transform-set test1
crypto map kawasaki interface outside
isakmp enable outside
isakmp key ******** address aa.aaa.aa.145 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group kawasaki request dialout pppoe
vpdn group kawasaki localname c086111116@xyz.com
vpdn group kawasaki ppp authentication pap
vpdn username c086111116@xyz.com password ********
terminal width 80
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 19559309
Now here is my new Cisco ASA 5505 config, translated from the old PIX 506E:

ASA Version 7.2(2)
!
terminal width 60
hostname pixfirewall   <--I was trying to impersonate a PIX, but I don't think this matters...
domain-name ciscopix.com
enable password prettyplease encrypted
names
!
interface Vlan100
 nameif outside
 security-level 0
 ip address aa.aaa.aa.145 255.255.255.248
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 100
 switchport protected
!
interface Ethernet0/1
 switchport access vlan 200
 switchport protected
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd abcdefg encrypted
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name ciscopix.com
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.4.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.4.0 255.255.255.0
pager lines 20
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) aa.aaa.aa.149 192.168.2.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 aa.aaa.aa.150 1
route inside 192.168.0.0 255.255.255.0 192.168.2.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set p2policy esp-des esp-md5-hmac
crypto map kawasaki 1 match address 101
crypto map kawasaki 1 set peer jjj.jjj.jj.240
crypto map kawasaki 1 set transform-set p2policy
crypto map kawasaki interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
tunnel-group jjj.jjj.jj.240 type ipsec-l2l
tunnel-group jjj.jjj.jj.240 ipsec-attributes
 pre-shared-key *
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 50
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address 192.168.2.100-192.168.2.150 inside
!

!
class-map inspect_default
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sip
  inspect http
  inspect ils
  inspect esmtp
 class class_sip_udp
  inspect sip
!
service-policy global_policy global
prompt hostname context
0

 
LVL 63

Expert Comment

by:SysExpert
ID: 19560385
You need to open up 1532 on both routers.

I hope this helps !
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 19565151
Do you mean port 1352?  Lotus' port?
1. How would I do this?
2. Then why did Lotus connect previously across the PIX 506E - PIX 515E VPN?  (And it still connects right now using the ASA, just for read-only, it seems).

Thanks for your help.
0
 
LVL 63

Accepted Solution

by:
SysExpert earned 672 total points
ID: 19565821
Yes,
You need to check your Router Docs on how to open a port.
it may be similar to

access-list 1352 permit ip any any

I hope this helps !
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 19568239
Here is the output of show conn (non-port 1352 lines removed):

# show conn
33 in use, 80 most used

TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2099 idle 0:02:27 bytes 1256 flags UIO

TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2085 idle 0:02:52 bytes 41084 flags UIO
TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2084 idle 0:04:06 bytes 40766 flags UIO
TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2083 idle 0:04:43 bytes 14450 flags UIO
TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2081 idle 0:06:04 bytes 41084 flags UIO

TCP out xxx.1.1.10:1352 in xxx.yyy.2.51:1534 idle 0:07:15 bytes 596288 flags UIO

TCP out xxx.1.1.10:1352 in xxx.yyy.2.31:1282 idle 0:04:45 bytes 692442 flags UIO

Please correct me if I'm wrong, but I believe this shows that I already have traffic across (at least out of) port 1352.
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 19568435
One of the Japanese Lotus users in my company today gave me a breakdown of what currently can and can't be done in Lotus Notes right now:

He can access all databases except for one.  He can both read and send mail messages, however, he cannot send messages with files attached, nor can he open attachments in messages he has received.  He also cannot request renewal of his security certificate (this needs to be done annually? I'm not very Lotus-savvy).
0
 
LVL 31

Assisted Solution

by:qwaletee
qwaletee earned 664 total points
ID: 19570044
You've got a packet fragmenting or packet sequencing problem.  "Simple" transactions will work, because the size (number of packets or packet size) is small.  Notes is using complex RPC calls, which can result in huge amounts of data for each transaction at a very bursty pace. This leads to more opportunity for frags and for bad packets requiring resequencing, which in turn, since there is so much data coming in, also increases the likelihood that the stack can't compensate for out of sequence packets and has to request retransmission.  Two things can then happen: Notes may not be able to honor that request, or with the number of retries required during a transaction, it may time out.

I would check MTUs first, I know I've seen problems with that in client-based VPNs.

You don't need to open 1352, if your VPN is already carrying 1352 through.  Opening 1352 in this instance, I think, means having 1352 open directly, bypassing the VPN.

It could also be a timing issue, which might even point to bad hardware.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 19570053
(Note: This is coming from a non-network guy, but I do have some experience working with network guys to resolve these issues.)
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 19570240
I agree that it could be an issue with the Local machine.

Is this affecting the entire Japan Office ?

Have you tried updating to a newer client ?

Can you check the MTU on the client machine ?

See dslreports.com for utilities and tools to test connectivity.

Is it possible that there is an issue between your router configs ?


I hope this helps !
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 19573838
Thank you all for your comments.

This problem is affecting multiple client machines at our location (all in the same way), and is not affecting anyone Japan-side.  So I do not think it is a problem with the client machines.  I think it is something having to do with this new ASA I'm using, because that is when the problem started.

I'd love to think it may be a hardware problem, and this will just go away if I replace it (I put the ASA under the SmartNet agreement).

The MTU settings on the ASA (as you can see from the configs) are set the same as they were on the original PIX (which, when we were using, we had no Lotus Notes connectivity issues).

I believe the problem lies in some additional security measures put in place by default on the ASA that were not existent on the PIX.

I appreciate the insights about why packets may be fragmenting under certain conditions.  I will look into that.

Thanks all.  Solution still pending, but I'll keep looking into things to see if one of you has led me down the right path.
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 19575761
Here's something I found out today:

The ASA OS no longer uses the 'conduit' command.  Perhaps the conduit commands on the Japan-side config are causing some strange things to happen...
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 19575997
Like I said, You will need to find a networking guy, since this does not appear to be a Notes issue.

If you explicitly open the 1352 port, the problem may be resolved.

I hope this helps !
0
 
LVL 4

Assisted Solution

by:dom_admin
dom_admin earned 664 total points
ID: 19786408
Some words were mentioned about a potential problem with the MTU (Maximum Transmission Unit) ... If this value is not consistent across routers, clients and firewalls it could cause the problems described (just as qwaletee wrote).

An easy way to confirm or bury this theory is using the ping command... start a DOS prompt from one of the client machines then run this command:

ping -l 1500 -f [ip address of the japanese domino server]

This will send packets by a size of 1500 bytes (which is default on an Ethernet network), and the -f flag will tell the ping command that the packets cannot be fragmented - so you have a way of finding the largest possible packet size, which can be sent all the way to the Japanese domino server - without being fragmented.

The command above will probably return a message like "Packet needs to be fragmented but DF set".

Then try to adjust the packet size in the ping command (the 1500 number) to a lower number, until you reach a packet size which transmits (and returns the normal reply from a ping command).

When you find the maximum packet size possible - then try to configure the client to use this packet size... Instructions for changing the MTU are here (haven't tested this link):
http://www.pctools.com/guides/registry/detail/280/

Hope this gets you further in your investigations.
0
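The lower-the-size-until-it-passes search from the answer above, automated as a binary search; this is an added example, not code from the thread or from Cisco. The function names are hypothetical, and the simulated path is a constructed model that assumes 1500-byte links and the ESP tunnel overhead of the thread's esp-des esp-md5-hmac transform set. Note that `ping -l` sets the ICMP payload size, so the packet on the wire is the payload plus 28 bytes of IP and ICMP headers.

```python
import subprocess

IP_HDR, ICMP_HDR = 20, 8  # header bytes added on the wire to a ping payload


def esp_tunnel_size(inner, iv=8, block=8, icv=12):
    """Outer packet size for an `inner`-byte IP packet in ESP tunnel mode.

    Defaults model esp-des esp-md5-hmac: 8-byte DES-CBC IV and block size,
    12-byte HMAC-MD5-96 integrity check value.
    """
    # ESP encrypts inner packet + padding + pad-length byte + next-header byte,
    # rounded up to a whole number of cipher blocks.
    padded = -(-(inner + 2) // block) * block
    # outer IP header + SPI/sequence (8) + IV + encrypted part + ICV
    return IP_HDR + 8 + iv + padded + icv


def simulated_probe(lan_mtu=1500, wan_mtu=1500, tunnel=True):
    """Constructed stand-in for the network: True if a DF ping would pass."""
    def probe(payload):
        inner = payload + IP_HDR + ICMP_HDR
        if inner > lan_mtu:
            return False  # too big for the client's own Ethernet link
        outer = esp_tunnel_size(inner) if tunnel else inner
        return outer <= wan_mtu
    return probe


def windows_ping_probe(host, timeout_ms=2000):
    """Real probe for a Windows client: one echo request with DF set."""
    def probe(payload):
        result = subprocess.run(
            ["ping", "-n", "1", "-f", "-l", str(payload),
             "-w", str(timeout_ms), host],
            capture_output=True, text=True)
        # Windows ping can exit 0 on "unreachable" replies, so also
        # require an actual echo reply line (it carries "TTL=").
        return result.returncode == 0 and "TTL=" in result.stdout
    return probe


def largest_unfragmented_payload(probe, low=0, high=1500):
    """Largest payload in [low, high] that passes, or None if none does."""
    if not probe(low):
        return None  # host unreachable or ICMP filtered; size is not the issue
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(probe):
    """Largest unfragmented IP packet size (payload + 28), or None."""
    payload = largest_unfragmented_payload(probe)
    return None if payload is None else payload + IP_HDR + ICMP_HDR


if __name__ == "__main__":
    # Swap in windows_ping_probe("<Domino server IP>") on a real client.
    for label, probe in [("no tunnel", simulated_probe(tunnel=False)),
                         ("ESP tunnel", simulated_probe())]:
        print(label, "max payload:", largest_unfragmented_payload(probe),
              "path MTU:", path_mtu(probe))
```

If the MTU found through the tunnel is well below 1500, lowering the client MTU to that value is the test of the fragmentation theory discussed in this thread.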
 
LVL 1

Expert Comment

by:Computer101
ID: 20295644
Forced accept.

Computer101
EE Admin
0


Question has a verified solution.
