Microsoft DFS over Cisco site-to-site VPN

Hi Experts,

I am completely stumped with a DFS issue. We have a Cisco site-to-site VPN between two locations, with a Cisco 871W device at one and an 877 at the other. The VPN works fine for everything, such as remote desktop, the intranet and other applications.

We have a Microsoft Windows Server 2008 at the HQ site running as the domain controller and a member server on the remote (WAN) side, but the problem is with DFS. I have pre-seeded the HQ server with the data from the remote server and set up DFS, and now on the HQ server I continually get the 5004 & 5014 event errors (DFS connect & DFS disconnected), and when running the health report I get a message saying that initial replication has yet to complete. The staging folder on the HQ server is up to 3.5 GB.

Following are the details of troubleshooting I have attempted




4. The site-to-site VPN tunnel allows everything from the source public IP to the destination public IP, so the possibility of ports being blocked fades as well.

I can set up a small DFS of around 500 MB and it appears to work fine, but trying to get the 15 GB to work is not having much luck. Any help would be appreciated.


Craig Beck Commented:
You should be able to change the MTU on any Ethernet or FastEthernet interface with the MTU command.

Anyhow, if you can't change it it's probably set at 1500.

You can check by using the show interface fa0 command (or whatever interface you've configured).
Craig Beck Commented:
Try the following from a CMD window on the HQ server...

ping <remoteserverip> -f -l 1472

If you get a normal ping response I would check this article...

If you get something like "Packet needs to be fragmented but DF bit set" you probably have an MTU issue on the Cisco routers.
You could try setting the MTU and TCP MSS values to something lower than 1500 and 1472 respectively by looking at this...
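The DF-bit ping test above can be automated: an added example, not code from the thread or either poster, that binary-searches the largest ICMP payload a path accepts without fragmentation, converts it to the path MTU (payload + 8-byte ICMP header + 20-byte IPv4 header, which is why 1472 corresponds to a 1500-byte MTU) and derives the TCP MSS (MTU minus 40 bytes of IPv4 + TCP headers, giving 1460 for 1500 and 1452 for PPPoE's 1492). The `parse_windows_ping` function assumes the Windows `ping -f -l` output format quoted in this thread; the simulated link with a 1400-byte path MTU is a constructed value standing in for an IPsec tunnel's overhead; `ip mtu` / `ip tcp adjust-mss` are the IOS interface commands the thread discusses.

```python
"""Path-MTU discovery with DF-bit pings, plus the MSS that follows from it.

'Packet needs to be fragmented but DF bit set' means a hop on the path
(for a site-to-site IPsec tunnel, the ESP encapsulation) has a smaller MTU
than the 1500 bytes the sending host assumed.
"""
import re
import subprocess
from typing import Callable, List

IPV4_HEADER = 20   # bytes, no options
ICMP_HEADER = 8    # echo request/reply header
TCP_HEADER = 20    # no options

_FRAG_NEEDED = re.compile(r"needs to be fragmented", re.IGNORECASE)
_REPLY = re.compile(r"^Reply from .*bytes=(\d+)", re.MULTILINE)


def parse_windows_ping(output: str) -> str:
    """Classify one Windows 'ping -f -l N' transcript.

    'frag' : the DF probe was refused somewhere on the path
    'pass' : at least one echo reply of the requested size came back
    'lost' : every probe timed out (lossy link, or ICMP filtered)
    """
    if _FRAG_NEEDED.search(output):
        return "frag"
    if _REPLY.search(output):
        return "pass"
    return "lost"


def find_max_payload(probe: Callable[[int], str], lo: int = 0, hi: int = 1472) -> int:
    """Largest ICMP payload size for which probe(size) returns 'pass'.

    Binary search over [lo, hi]; assumes probe(lo) passes. A 'lost' result is
    treated like 'frag', which is conservative: on a lossy satellite link the
    probe should send several pings per size so a single drop is not mistaken
    for an MTU ceiling.
    """
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid) == "pass":
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """ICMP payload that passed -> IP MTU of the path."""
    return payload + ICMP_HEADER + IPV4_HEADER


def recommended_mss(mtu: int) -> int:
    """TCP MSS that fits the path MTU: MTU minus IPv4 and TCP headers."""
    return mtu - IPV4_HEADER - TCP_HEADER


def ios_commands(mtu: int) -> List[str]:
    """IOS interface-level commands that match the discovered path MTU."""
    return [f"ip mtu {mtu}", f"ip tcp adjust-mss {recommended_mss(mtu)}"]


def windows_probe(host: str, count: int = 3, timeout_ms: int = 4000) -> Callable[[int], str]:
    """Real probe: runs the Windows ping with the DF bit set (not exercised offline)."""
    def probe(size: int) -> str:
        out = subprocess.run(
            ["ping", "-n", str(count), "-f", "-l", str(size), "-w", str(timeout_ms), host],
            capture_output=True, text=True,
        ).stdout
        return parse_windows_ping(out)
    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], str]:
    """Constructed stand-in for a link: refuses DF packets larger than path_mtu."""
    def probe(size: int) -> str:
        return "frag" if size + ICMP_HEADER + IPV4_HEADER > path_mtu else "pass"
    return probe


if __name__ == "__main__":
    # Constructed scenario: an IPsec path whose MTU turned out to be 1400.
    payload = find_max_payload(simulated_probe(1400))
    mtu = path_mtu_from_payload(payload)
    print(f"max DF payload {payload}, path MTU {mtu}, MSS {recommended_mss(mtu)}")
    print("\n".join(ios_commands(mtu)))
```

Run it against a real peer with `find_max_payload(windows_probe("<remoteserverip>"))`; because `hi` defaults to 1472, a clean 1500-byte path returns 1472 immediately, and anything smaller is located in about eleven probes.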

lakeofafrica Author Commented:

Thanks a million, you have given me a new avenue to troubleshoot. I completed the ping with packet size 1472 and it does come back saying "Packet needs to be fragmented but DF bit set". Currently both the remote site and HQ have this in their config:

 ip tcp adjust-mss 1350

and when I ping with that packet size I get a reply, but with a higher than expected return time on that packet.
C:\>ping -f -l 1350

Pinging with 1350 bytes of data:
Reply from bytes=1350 time=1063ms TTL=126
Request timed out.
Reply from bytes=1350 time=3570ms TTL=126
Reply from bytes=1350 time=3291ms TTL=126

I have been troubleshooting with the knowledge that the link itself is not the problem, but it might be that packets are not arriving correctly.

The satellite link is 512/512 on a 10:1 contention; testing has shown that we get more than the minimum 51 KB (if the line was busy), and testing with the satellite company confirms we are getting around 100 KBps upload (see attached). I am just editing the schedule to run at its minimum of 16 KBps, but with this new information do you have any further advice?


Craig Beck Commented:
You should be able to increase the TCP MSS to around 1452 if the MTU has not been configured on the interface on the router.
lakeofafrica Author Commented:
Excuse my ignorance, but isn't moving it up from the current config

 ip tcp adjust-mss 1350 #this is current on both ciscos

going to cause more issues, or is my thinking wrong?
Craig Beck Commented:
The TCP MSS is a value usually 40 less than the MTU. If the MTU is set to 1500 the MSS value can be around 1460.

Changing this is usually only to take into account the size of the header during encapsulation, so if you use PPPoE the MTU is set to 1492 and the TCP MSS is set to 1452.

As you are using a satellite link you should ask the ISP what the ideal MTU is for the link, then configure both the MTU and TCP MSS values accordingly, but providing the MTU is 1500 changing the TCP MSS to something closer to the MTU shouldn't have an adverse effect.

lakeofafrica Author Commented:
hi craigbeck,

Sorry for taking so long to respond, and I really appreciate your help. I got stuck getting the VPN back up... silly Cisco debug commands didn't work until you type "terminal monitor", a little annoying, but anyway it's back up now.

I don't have any commands in the routers that pertain to the MTU, just the MSS. Do you think I need to add this as well?
lakeofafrica Author Commented:
And I thought I had better add that the server on the remote site is not a domain controller but merely a member server. dcdiag on the remote server works and it's using the domain controller at head office without a problem, but I wasn't sure if maybe promoting it to a DC would be required? Your thoughts?
lakeofafrica Author Commented:
Thanks for all your help CraigBeck. I have been compiling an exhaustive list of articles and blogs related to DFS issues and will post something shortly. MTU didn't resolve the issue, still getting the problem. Raised the remote server to a DC without a problem and still no luck.

Running out of patience and about to try a robocopy script out of desperation.
lakeofafrica Author Commented:
Unfortunately the client has left, so I was not able to resolve the issue in time. Thanks to Craigbeck for assistance with a difficult problem to troubleshoot.