We have a large network provided by BT. We have three small satellite sites that we had to get up and running quickly; due to the very lengthy time to get a leased line put in by BT, we opted to go for business broadband at each site plus a Cisco ASA 5505, and to create a site-to-site VPN back to our main firewalls. We have done this before without issues. Two of the sites could only get standard broadband, whilst the third site was able to get FTTC fibre broadband.
We noticed that when the users started using their laptops at the two sites with the standard broadband, even though we could ping IP addresses at our main office, they were not able to access websites that did not go via the proxy (they use a couple of web portals that cannot go via our proxy servers, so these are set as proxy exceptions). After a lot of investigation it seemed that when we were pinging the websites and specifying a packet size of 1500 we got the error "Packet needs to be fragmented but DF set". We dropped it by increments of 10 until it started working, which it did at 1390. We then manually modified a Windows 7 machine to set its MTU to 1390 and everything worked.
Although this workaround works, it does not scale very well. My question is: can we do anything with the ASA firewall at the two satellite sites to resolve this, rather than modifying all of the Windows 7 devices? I would rather change it in one location than on lots of workstations. How do other people get on when running a site-to-site VPN over broadband?
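The "ping with DF set, shrink until it works" procedure described in the post, written up as a small script. This is an added example and not code from the original post: it replaces the step-by-step decrement with a binary search over the ICMP payload size and converts the result to a path MTU. It assumes Linux iputils `ping` (`-M do` sets the DF bit, `-s` sets the payload size); on Windows the equivalent flags are `ping -f -l <bytes>`. Both of those options give the ICMP payload, so the packet on the wire is 28 bytes larger (20-byte IPv4 header plus 8-byte ICMP header), which is what `payload_to_mtu` adds. The probe host in the usage line is a hypothetical address.

```shell
#!/bin/sh
# Added example, not from the original post. Finds the largest DF-flagged ICMP
# payload that crosses the VPN path, then reports the corresponding path MTU.
# Assumes Linux iputils ping; PROBE_HOST is a hypothetical target on the far side.

# Real probe: exit 0 if a DF-flagged ping with $1 payload bytes gets a reply,
# non-zero on "Message too long" / no reply (i.e. the path needs fragmentation).
ping_probe() {
    ping -M do -c 1 -W 1 -s "$1" "$PROBE_HOST" >/dev/null 2>&1
}

# Binary search using the probe function named in $1 between payload size $2
# (assumed to work) and $3 (assumed to fail). Prints the largest working payload.
# Takes about 11 probes for the 0..1473 range instead of stepping down by 10.
find_max_payload() {
    probe=$1; lo=$2; hi=$3
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# Path MTU = ICMP payload + 8-byte ICMP header + 20-byte IPv4 header.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Usage (hypothetical host):  PROBE_HOST=203.0.113.10 sh pmtu.sh
# 1472 is the largest payload that fits a 1500-byte Ethernet MTU, so 1473 is
# taken as the known-failing upper bound and 0 as the known-good lower bound.
if [ -n "$PROBE_HOST" ]; then
    max=$(find_max_payload ping_probe 0 1473)
    echo "largest DF payload: $max bytes -> path MTU $(payload_to_mtu "$max")"
fi
```

The search is wrapped in a function that takes the probe as a parameter so it can be checked without a network: a probe that accepts any payload up to 1362 bytes makes the search return 1362, which `payload_to_mtu` reports as a 1390-byte path MTU.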