KR,

The resolution for the VPN MTU size is usually pretty simple. There should
be an option within the VPN to lower the MTU size of the VPN-encrypted
packet. This can either be in the form of a VPN client used to connect, or
within a Point-to-Point Tunnel endpoint configuration. You just need to lower
the MTU size of the VPN enough so that it no longer gets dropped by any
routers along the path.
I don't know of any write-ups on this particular issue, but I haven't really
looked either.

Eddie



-----Original Message-----
From: KM Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: Telnet session traversing PIX are timingout [7:53490]


Eddie,

There is no VPN involved. I don't think it's an MTU problem. I am trying to
find a similar command to the IOS Firewall's "ip inspect name ..."
(inspection rule for CBAC) for the PIX. I need to increase the idle timeout
for the telnet application.

However, I found your MTU explanation very informative. Someone mentioned
a VPN/MTU problem to me but did not go deeper into the cause. How did
you resolve this MTU problem? Are there any write-ups on this problem?

KR


>From: "Caballero, Eddie" 
>To: 'KM Reynolds' , [EMAIL PROTECTED]
>Subject: RE: Telnet session traversing PIX are timingout [7:53490]
>Date: Tue, 17 Sep 2002 11:26:07 -0700
>
>I've seen this issue before with SSH timing out over a perfectly good
>connection without packet loss. The problem was with the MTU size being
>too small and the packet was getting dropped.
>The packet was going through a VPN tunnel through the network to a VPN
>concentrator.
>Here's an example.
>The telnet packet was 1435 bytes in size including all the headers.
>The router's maximum MTU was 1456, for example.
>So far so good... Looks like it should get through, correct ports are open,
>etc.
>Now the VPN encryption adds an extra 25 bytes, for example (I don't have
>exact numbers).
>Now you have a packet that is encapsulated with encryption for a total size
>of 1460 bytes.
>Oh, and what also happens is the VPN will put a Do Not Fragment flag on the
>packet, because of the encryption.
>What's going to happen once that packet hits the router with an MTU size of
>1456?
>It gets dropped because the packet is too large. What happens to the
>telnet or SSH session is it starts dropping packets and then times out.
>It doesn't receive any ACKs from the other end and thinks it is timing out.
>
>So A. Is there a VPN involved? If so, it could be an MTU issue.
>   B. Check the MTU size. Send some large pings over 1400 bytes in
>size with the Do Not Fragment flag. Find out if and where the MTU is set
>too low.
>   C. Of course, check for packet loss or extreme latency.
>
>
>Welp, hopefully this helps from my experiences with this type of issue.
>
>
>Eddie
>Corio Inc.
>
>
>
>
>-----Original Message-----
>From: KM Reynolds [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 17, 2002 8:33 AM
>To: [EMAIL PROTECTED]
>Subject: Telnet session traversing PIX are timingout [7:53490]
>
>
>Hi,
>
>I have telnet sessions that originate on the internal side of a PIX to a
>server on the external side that are timing out (after 60 seconds). Is
>there a command to increase the timeout period for telnet? If there is, what
>is the max?
>
>TIA
>KR
>
>
>
>_________________________________________________________________
>Join the world's largest e-mail service with MSN Hotmail.
>http://www.hotmail.com
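The MTU arithmetic in Eddie's quoted message (a 1435-byte telnet packet, roughly 25 bytes of VPN overhead, a 1456-byte router MTU and the Do Not Fragment flag) and his step B, probing the path with DF-set pings, as an added Python model that is not part of this thread. The three-hop path, the Link class and all function names are constructed for illustration; sizes are whole IP packets including headers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str
    mtu: int  # largest IP packet (headers included) this hop forwards whole

def forward(packet_size: int, df: bool, path: list[Link]):
    """Walk an IP packet along path; returns ("delivered", None),
    ("fragmented", first_hop) or ("dropped", hop).
    An oversized packet is fragmented unless DF is set, in which case the hop
    discards it (the ICMP 'fragmentation needed' it sends back is often lost
    in VPN setups, so the sender just sees a silent timeout)."""
    fragmented_at = None
    for hop in path:
        if packet_size > hop.mtu:
            if df:
                return "dropped", hop.name
            fragmented_at = fragmented_at or hop.name
            packet_size = hop.mtu  # the largest fragment now fits this hop
    return ("fragmented", fragmented_at) if fragmented_at else ("delivered", None)

def through_vpn(inner_size: int, vpn_overhead: int, path: list[Link]):
    """The tunnel adds its headers and sets DF before the packet crosses path."""
    return forward(inner_size + vpn_overhead, df=True, path=path)

def probe_path_mtu(path: list[Link], lo: int = 576, hi: int = 1500) -> int:
    """Step B of the diagnosis, DF-set pings of varying size, as a binary
    search; returns the largest packet the whole path passes unfragmented."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if forward(mid, df=True, path=path)[0] == "delivered":
            lo = mid
        else:
            hi = mid - 1
    return lo

def tunnel_mtu_for(path_mtu: int, vpn_overhead: int) -> int:
    """The fix: a tunnel MTU at which every encapsulated packet fits the path."""
    return path_mtu - vpn_overhead

# Constructed path using the thread's figures: a 1456-byte hop in the middle.
PATH = [Link("lan", 1500), Link("wan-router", 1456), Link("concentrator", 1500)]
VPN_OVERHEAD = 25  # the thread's rough figure; real ESP/tunnel overhead varies

if __name__ == "__main__":
    print(forward(1435, df=False, path=PATH))        # ('delivered', None)
    print(through_vpn(1435, VPN_OVERHEAD, PATH))     # ('dropped', 'wan-router')
    pmtu = probe_path_mtu(PATH)                      # 1456
    print(pmtu, tunnel_mtu_for(pmtu, VPN_OVERHEAD))  # 1456 1431
```

The same 1435-byte packet that crosses the path cleanly is discarded once the tunnel adds its overhead and sets DF, and clamping the tunnel MTU to the probed value minus the overhead (1431 here) is the adjustment Eddie describes.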




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53646&t=53490
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
