Eddie,

There is no VPN involved. I don't think it's an MTU problem.  I am trying to 
find a similar command to the IOS Firewall's "ip inspect name ..." 
(inspection rule for CBAC) for the PIX.  I need to increase the idle timeout 
for the telnet application.

However, I found your MTU explanation very informative.  Someone mentioned 
to me a VPN/MTU problem but did not go deeper into the cause.  How did 
you resolve this MTU problem?  Are there any write-ups on this problem?

KR


>From: "Caballero, Eddie" 
>To: 'KM Reynolds' , [EMAIL PROTECTED]
>Subject: RE: Telnet sessions traversing PIX are timing out [7:53490]
>Date: Tue, 17 Sep 2002 11:26:07 -0700
>
>I've seen this issue before with SSH timing out over a perfectly good
>connection without packet loss.  The problem was with the MTU size being too
>small and the packet was getting dropped.
>The packet was going through a VPN tunnel through the network to a VPN
>concentrator.
>Here's an example.
>The telnet packet was 1435 bytes in size including all the headers.
>The router maximum MTU was 1456, for example.
>So far so good... Looks like it should get through, correct ports are open
>etc..
>Now the VPN encryption adds an extra 25 bytes, for example (I don't have
>exact numbers).
>Now you have a packet that is encapsulated with encryption for a total size
>of 1460 bytes.
>Oh, and what also happens is the VPN will put a DO NOT Fragment flag on the
>packet, because of the encryption.
>What's going to happen once that packet hits the router with an MTU size of
>1456?
>It gets dropped because the packet is too large.  What happens to the
>telnet or SSH session is it starts dropping packets and then times out.  It
>doesn't receive any ACKs from the other end and thinks it is timing out.
>
>So A.  Is there VPN involved?  If so, could be MTU issue.
>    B.  Check the MTU size.  Send some large sized pings over 1400 bytes in
>size with the Do Not Fragment flag.  Find out if and where the MTU is set
>too low.
>    C.  Of course check for packet loss or extreme latency.
>
>
>Welp hopefully this helps from my experiences with this type of issue.
>
>
>Eddie
>Corio Inc.
>
>
>
>
>-----Original Message-----
>From: KM Reynolds [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 17, 2002 8:33 AM
>To: [EMAIL PROTECTED]
>Subject: Telnet sessions traversing PIX are timing out [7:53490]
>
>
>Hi,
>
>I have telnet sessions that originate on the internal side of a PIX to a
>server on the external side that are timing out (after 60 seconds).  Is
>there a command to increase the timeout period for telnet? If there is, what
>is the max?
>
>TIA
>KR
>
>
>
_________________________________________________________________
Join the worlds largest e-mail service with MSN Hotmail. 
http://www.hotmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53522&t=53490
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
