MTU issue after Sonicwall Installation

We had 2 Cisco RV042s with a site-to-site VPN setup. Everything was working great. One of the Ciscos was swapped out with a SonicWALL TZ series with default MTU settings. The VPN works. The XP users, and only the XP users, have an issue accessing the file share over the VPN. If I even open "My Computer" and the S: drive is listed, it freezes everything up. If I use the command prompt to unmap the drive, then it's fine, but then I have no access to the share, obviously. I've changed the MTU in the registry on the XP machines and for most it seems to be working ok. I have 1 user that it still does not work for, but I've verified that the MTU is at 1500. How can I troubleshoot this? There are no managed switches, just the endpoints mentioned above.
Sean Rhudy (President) asked:

Blue Street Tech (Last Knight) commented:
Hi seanrhudy,

Are any of these virtualized (you have included this in the VMware topic)?

Regarding your MTU sizing, you can do this to achieve the optimal setting. Here is a step-by-step guide: http://www.experts-exchange.com/A_12615.html

Let me know how it goes!
0
Sean Rhudy (President, Author) commented:
Sorry, didn't mean to put it under VMware. I did the above, and have the same result.
0
Blue Street Tech (Last Knight) commented:
You mentioned that you have tried the MTU sizing... where exactly, on the SonicWALL or the PCs or both?

Which TZ model (e.g. 170, 215, etc.)?

P.S. I'll correct the Topics for you!
0
Sean Rhudy (President, Author) commented:
The SonicWALL is set at 1500, which is default (TZ170). The Cisco RV042 was set at 1500 as well. I edited the registry on the PC and set it to 1500 and rebooted. I could then access the share, but then a few days later, the same thing happened. If I find the optimal setting using the instructions (1322) and set it as that, I cannot connect at all.
0
Blue Street Tech (Last Knight) commented:
Where are you plugging in the 1322, in the firewall or PC?
"I cannot connect at all."
Meaning what exactly? You cannot connect to the Internet, ...to the VPN, ...to the shares?
0
Sean Rhudy (President, Author) commented:
Sorry, I put the 1322 in the PC, and when I do, I can't access the share over the VPN. Through all of this, I never have Internet issues, only file share over the VPN. And this only started happening after we put the SonicWALL in.
0
Blue Street Tech (Last Knight) commented:
Set the firewall MTU to that and change the PC back to defaults. Then retest and let me know if anything changes.
0
Sean Rhudy (President, Author) commented:
But if I change the firewall to that, won't that cause issues for everyone else? Also, the server and other endpoint are set to 1500, why wouldn't we stick with the default?
0
giltjr commented:
My guess is that the old firewall was segmenting the traffic going over the VPN tunnel and the new firewall may not be.

Since the MTU is 1500 on your PC and more than likely on the server also, they both want to use 1500. This 1500 byte packet needs to fit inside the VPN packet, which is limited to 1500 bytes.

Some firewalls will transparently fragment the packet to fit inside the VPN tunnel. My guess is the old firewall did this and the new one does not.

I would check to see if the new firewall has an option to transparently fragment VPN traffic.
0
Sean Rhudy (President, Author) commented:
Here are the options I see on the WAN interface:

Fragment non-VPN outbound packets larger than this Interface's MTU (This is checked)
Ignore Don't Fragment (DF) Bit (unchecked)
Do Not send ICMP Fragmentation needed for outbound packets over the interface MTU (unchecked)

Then, under VPN advanced settings, I have:
Enable Fragmented Packet Handling (checked)
Ignore DF (Don't Fragment) Bit (unchecked)
0
Blue Street Tech (Last Knight) commented:
TZ 170 is a really old device and is EOL (End of Life). Regardless of whether we get it working or not, I'd highly recommend replacing it in order to achieve better performance and security.

Is your SonicOS version Standard or Enhanced?
"But if I change the firewall to that, won't that cause issues for everyone else? Also, the server and other endpoint are set to 1500, why wouldn't we stick with the default?"
No, MTU is supposed to be set at the firewall, then at the PCs or servers. Ethernet (PCs/servers) default is 1500. The Internet feed's MTU depends on the type of connection you have. This can obviously change, but here are some common values: 1492 SDSL / 1460 ADSL / 1404 Cable.

Does that make sense?

Here are some other items to consider:
1. On the WAN Interface put a check mark next to Fragment non-VPN outbound packets larger than this Interface’s MTU. This works in tandem with MTU for the primary WAN and is considered a best practice to have it enabled.

2. All Interfaces Link Speed should be set to Auto Negotiate. However, in certain throughput issues, the link speed settings should be manually set according to the device connected to the interface. Incorrect duplex settings of your WAN, for instance, would have the following deleterious effects:
    • Unable to negotiate a connection with ISP
    • Dropping internet connection
    • Dropped packets
    • Slow throughput

3. In VPN Advanced settings check Enable Fragmented Packet Handling.
Enabling fragmentation would help SonicWALL handle fragmented IPsec packets.

4. Leave the Ignore DF Bit option unchecked.

Let me know how it goes.
0
giltjr commented:
I think the problem may be Ignore DF Bit under the Advanced VPN setting. CIFS packets have the DF bit set. Checking this will allow the TZ to fragment packets that are sent over the VPN tunnel. Now, this could cause other problems, but it is worth a try.

If you still have the old router I would check its settings to see if it was set up to ignore the DF bit.
0
Sean Rhudy (President, Author) commented:
Hi, this location is in a different country, so I need to be careful about what settings I change. Could setting the Ignore DF Bit take the VPN or Internet down?
0
giltjr commented:
As long as there are no bugs in the firmware there should be no problems.

It will NOT take down the Internet. It could interrupt the VPN tunnel for a short time period.

What enabling this does: your WAN MTU is 1500 and the MTU you are trying to use through the VPN tunnel is also 1500. Well, a 1500 byte packet can't fit inside a 1500 byte packet.

So anything that goes over the VPN that is too large to fit inside a 1500 byte packet and has the DF bit set is getting dropped. Either just plain dropped or rejected with a "too big" ICMP message.

By setting "Ignore the DF bit" on the VPN these will now get fragmented. Since you have "Enable Fragmented Packet Handling" enabled, the firewall will be able to handle this.

Now, all of this assumes that your old router, the RV042, was doing the same thing. If it was not, I have no idea if this will work or not.

You need to check the configuration of the RV042 to see if it is fragmenting things going over the VPN tunnel even if the DF bit is set.
0
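The encapsulation arithmetic behind the two comments above, as an added example that is not part of the thread: it models an IPsec tunnel-mode ESP wrapper (AES-CBC with a 16-byte IV and an HMAC-SHA1-96 ICV are assumed; other cipher suites change the constants) and the SonicWALL options the author listed, so you can see why a 1500-byte CIFS packet with DF set is bounced at a 1500-byte WAN and what "Ignore DF Bit" changes.

```python
"""Why a 1500-byte inner packet cannot ride a 1500-byte WAN MTU through IPsec."""
from dataclasses import dataclass

# Assumed ESP tunnel-mode overhead (AES-CBC + HMAC-SHA1-96); not from the thread.
OUTER_IP_HDR = 20   # new outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 16         # AES-CBC initialisation vector
ESP_TRAILER = 2     # pad length + next header bytes
ESP_ICV = 12        # truncated HMAC-SHA1 integrity check value
AES_BLOCK = 16      # plaintext+trailer is padded to a multiple of this


def esp_tunnel_size(inner_len: int) -> int:
    """Bytes on the wire for an ESP packet carrying an inner_len-byte IP packet."""
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // AES_BLOCK) * AES_BLOCK      # round up to block boundary
    return OUTER_IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_inner_mtu(wan_mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulated form still fits the WAN MTU."""
    size = wan_mtu
    while esp_tunnel_size(size) > wan_mtu:
        size -= 1
    return size


@dataclass
class TunnelPolicy:
    """Hypothetical model of the SonicWALL VPN/WAN options named in the thread."""
    ignore_df: bool = False          # "Ignore DF (Don't Fragment) Bit"
    send_icmp_too_big: bool = True   # inverse of "Do Not send ICMP Fragmentation needed"


def forward(inner_len: int, df: bool, policy: TunnelPolicy, wan_mtu: int = 1500) -> str:
    """Outcome for one inner packet entering the tunnel."""
    if esp_tunnel_size(inner_len) <= wan_mtu:
        return "forwarded"                 # fits after encapsulation
    if not df or policy.ignore_df:
        return "fragmented"                # far side needs Fragmented Packet Handling
    return "icmp-too-big" if policy.send_icmp_too_big else "dropped"


if __name__ == "__main__":
    print("largest inner MTU for a 1500-byte WAN:", max_inner_mtu())
    for opts in (TunnelPolicy(), TunnelPolicy(ignore_df=True)):
        print(opts, "-> 1500-byte CIFS packet with DF:", forward(1500, True, opts))
```

If the XP client never sees the ICMP "too big" reply (or ignores it), the CIFS session stalls exactly the way the author describes when opening the mapped drive, which is why the DF-bit and fragmentation options matter more than the endpoint MTU alone.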
Sean Rhudy (President, Author) commented:
I logged into the other RV042 and there are no advanced settings regarding MTU or fragmenting. The only setting I see related to MTU on the RV042 is the normal MTU size setting, but nothing else. Maybe I can try it tonight when nobody is using the VPN.
0
giltjr commented:
Could be that the RV042 does this automatically. Some devices that support VPN now do this automatically to prevent the headaches of trying to change MTUs.
0
Sean Rhudy (President, Author) commented:
Sorry, it's a TZ205.
0
Sean Rhudy (President, Author) commented:
I tried enabling the Ignore DF option, but still have an issue. When I double click on the mapped drive on my test machine, it just freezes Explorer.
0
giltjr commented:
What is the level of firmware?
0

Sean Rhudy (President, Author) commented:
The SW firmware was up to date; I updated the RV120W's firmware and that fixed the issue.
0
giltjr commented:
Did you leave the "Ignore DF bit" option on or off?
0
Sean Rhudy (President, Author) commented:
Off
0