Site To Site VPN, MTU

I have a site to site vpn set up from a Netgear to a cisco router. THe vpn is stable, i can ping, ftp, telnet, rdp, etc down the tunnel.

I have a NAS device at one end which i would like to be able to copy NFS shares to overnight, However they wont copy. The file writes to the disk then hangs and lists the share as 0 bytes.

I can transfer from Windows to NAS and back the other way, however the speed is not great. I  can also tranfer from window sto windows.

I can browse the NFS shares on the NAS from the linux box but i cant transfer data.

The MTU is set to 1500 on both lans. I can ping with MTU of 1472 from windows to linux at one side hovever not back the other way.

When i ping windows to windows, or windows to NAS/NFS with 1473 i get the reply i would expect

"packet needs to be fragmented but DF set"

However when i drop the packet size to 1472, the ping request times out. This is the same to 1416. It is not untill 1415 that i get a ping response.

I am confused as to why this would happen? could this be casusing my problems due to fragemented packets? Would lowering the MTU fix this problem

thanks in adavance
Paul-BrooksAsked:
Who is Participating?
 
Kerem ERSOYPresidentCommented:
Hi,

As you told this is definitely a packet fragmentation issue. So you need to tune down your VPN just to allow you to access your NAS device. NAS devices generally set packet size in the range 16-32K to gain performance this might be the issue as well. So I'll suggest you to read the related sections from your NAS configuration administrator guide and set the MTU accordingly for NASs device too.
0
 
ajcaruso00Commented:
Typically an MTU of 1350 works for me.


As far as setting the MTU to 1500 and then sending a 1415 ICMP through the tunnel, you have to remember that the IPSec happens before the MTU check.  IPSec adds about (well, I I take your word on the packet sizes 75 bytes :-) to the header.  And, an IPSec packet post encrypting cannot be fragg'd hence DF.

Hope that helps. -T
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
Paul-BrooksAuthor Commented:
that would make sence, so i add the commands to the dialer0 interface?
0
 
ajcaruso00Commented:
I haven't seen your config, but I would think dialer0 to be the outside internet-facing interface.  You want to control the MTU before the packet gets to the inside interface (the LAN side) so put it there (on both devices).

-T
0
 
Galtar99Commented:
With a 1500 byte MTU the largest unfragmented ping is 1472 because you have a 28 byte IP header and a 8 byte ICMP header.
0
 
Paul-BrooksAuthor Commented:
i have the folling config for dialer0

interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxx
 ppp chap password xxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxx
password xxxxxxxxxxx
 crypto map SDM_CMAP_1

when i try to change the MTU settings the VPN drops. I asumme this is due to the cpnfig needing to be changed at the netgear end. HOweag the netgear vpn is basic, is is posisible to change the MTU settings for this?

0
 
Kerem ERSOYConnect With a Mentor PresidentCommented:
You might want to try:
conf term
int Dialer0
ppp mtu <mtu_value>

then you'd retry dialing.
0
 
Paul-BrooksAuthor Commented:
will try it but what do i need to do to change the Netgear end? or does that not matter?
0
 
Kerem ERSOYPresidentCommented:
In fact it depends on the device. As a rule of thumb if one end tries to negotiate a value, the other end should try not exceed this one to prevent fragmentation. But sometimes the other end tries to keep its default setting and requires configuration too. You better try and let us know.
0
 
Paul-BrooksAuthor Commented:
ok thanks for you help, wont be tryibng it untill tomorrow but i will let you know how it works out.
0
 
Paul-BrooksAuthor Commented:
i have now managed to get the files to copy over the performance is as good as i would hope but i think i now just need to tweak it a little.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.