Eddie,

There is no VPN involved. I don't think it's an MTU problem. I am trying to find a PIX command similar to the IOS Firewall's "ip inspect name ..." (inspection rule for CBAC). I need to increase the idle timeout for the telnet application.
However, I found your MTU explanation very informative. Someone mentioned a VPN/MTU problem to me but did not go deeper into the cause. How did you resolve this MTU problem? Are there any writeups on this problem?

KR

>From: "Caballero, Eddie"
>To: 'KM Reynolds' , [EMAIL PROTECTED]
>Subject: RE: Telnet session traversing PIX are timing out [7:53490]
>Date: Tue, 17 Sep 2002 11:26:07 -0700
>
>I've seen this issue before with SSH timing out over a perfectly good
>connection without packet loss. The problem was with the MTU size being too
>small and the packet was getting dropped.
>The packet was going through a VPN tunnel through the network to a VPN
>concentrator.
>Here's an example.
>The telnet packet was 1435 bytes in size including all the headers.
>The router maximum MTU was 1456, for example.
>So far so good... Looks like it should get through, correct ports are open,
>etc.
>Now the VPN encryption adds an extra 25 bytes, for example (I don't have
>exact numbers).
>Now you have a packet that is encapsulated with encryption for a total size
>of 1460 bytes.
>Oh, and what also happens is the VPN will put a Do Not Fragment flag on the
>packet, because of the encryption.
>What's going to happen once that packet hits the router with an MTU size of
>1456?
>It gets dropped because the packet is too large. What happens to the
>telnet or SSH session is it starts dropping packets and then times out. It
>doesn't receive any ACKs from the other end and thinks it is timing out.
>
>So A. Is there VPN involved? If so, could be MTU issue.
>   B. Check the MTU size. Send some large sized pings over 1400 bytes in
>size with the Do Not Fragment flag. Find out if and where the MTU is set
>too low.
>   C. Of course check for packet loss or extreme latency.
>
>Welp, hopefully this helps from my experiences with this type of issue.
>
>Eddie
>Corio Inc.
>
>-----Original Message-----
>From: KM Reynolds [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 17, 2002 8:33 AM
>To: [EMAIL PROTECTED]
>Subject: Telnet session traversing PIX are timing out [7:53490]
>
>Hi,
>
>I have telnet sessions that originate on the internal side of a PIX to a
>server on the external side that are timing out (after 60 seconds). Is
>there a command to increase the timeout period for telnet? If there is, what
>is the max?
>
>TIA
>KR

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53522&t=53490
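As an added example (not part of this thread or of any Cisco tooling), the script below automates step B of Eddie's advice: it binary-searches for the largest DF-flagged ping that still gets a reply, which is the path MTU. It assumes Linux iputils ping (`-M do` sets the DF bit, `-s` is the ICMP payload size); the host 192.0.2.10 is a documentation-range placeholder, and `simulated_link` is a constructed stand-in probe so the search can be exercised offline with the thread's own numbers (1456-byte MTU hop, ~25 bytes of tunnel overhead).

```python
import subprocess
from typing import Callable

# IPv4 header (20 bytes) + ICMP echo header (8 bytes) sit on top of the payload.
ICMP_IP_HEADERS = 28


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one DF-flagged ping carrying `payload` bytes; True if a reply arrived.
    Assumes Linux iputils ping flags (-M do = don't fragment, -W = reply timeout)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def find_path_mtu(host: str, low: int = 576, high: int = 1500,
                  probe: Callable[[str, int], bool] = ping_df) -> int:
    """Binary-search the largest IP packet size (headers included) that crosses
    the path unfragmented. `low` is a size expected to work, `high` the largest
    size worth trying. Returns the path MTU in bytes."""
    lo, hi = low - ICMP_IP_HEADERS, high - ICMP_IP_HEADERS  # ICMP payload sizes
    if not probe(host, lo):
        raise RuntimeError(f"{host}: even {low}-byte DF packets are dropped")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(host, mid):
            lo = mid          # this size fits: look for something larger
        else:
            hi = mid - 1      # dropped (too big for some hop): look smaller
    return lo + ICMP_IP_HEADERS


def simulated_link(mtu: int, encap_overhead: int = 0) -> Callable[[str, int], bool]:
    """Constructed offline stand-in for ping_df: a hop with the given MTU behind a
    tunnel that adds `encap_overhead` bytes to every DF-flagged packet, as in the
    thread. A packet gets through only if it still fits after encapsulation."""
    def probe(_host: str, payload: int) -> bool:
        return payload + ICMP_IP_HEADERS + encap_overhead <= mtu
    return probe


if __name__ == "__main__":
    # Thread's scenario: 1456-byte MTU hop, ~25 bytes of VPN overhead.
    print(find_path_mtu("192.0.2.10", probe=simulated_link(1456, 25)))  # 1431
    # Against a live host, drop the probe argument to use real DF pings:
    # print(find_path_mtu("192.0.2.10"))
```

If the returned value is well below what the end hosts assume (1500 for plain Ethernet), a hop between them is dropping DF packets and the clamp should be located hop by hop.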