Everybody,

I would have to agree with Chuck. I work on TAC for their VPN support and
deal with these issues every day.  If the tunnel establishes and the traffic
does not pass then look at the MTU.  MTU can cause a lot of problems!!!!

Thanks,
Robert Raver
Cisco Systems Inc.
[EMAIL PROTECTED]




----- Original Message -----
From: "Chuck's Long Road" 
To: 
Sent: Tuesday, October 01, 2002 3:21 PM
Subject: Re: VPN tunnel with IPSec over GRE [7:54634]


> Some other folks had some good things to say in response. I just wanted to
> add an experience I had that I was pretty much able to verify in my lab as
> well as on a customer network.
>
> Customer ran IPX on their network. For particular locations, the cost of
> frame relay was hideous, so we proposed a VPN. We tunneled IPX through a
> GRE tunnel with IPSEC 3DES. Connectivity was fine. I saw all routes. We
> could ping the routers throughout the network ( IP was enabled on all
> routers for remote management ) I saw all IP routes and all IPX routes.
> IPX pings and IP pings router to router worked fine.
>
> But the customer workstations could not log on to the IPX servers, let
> alone do any work.
>
> Drove me nuts. We had TAC cases open, we had some vendor involvement for
> Novell and for PCAnywhere, which the customer used to distribute their
> application. I believe I even had a thread going here on the issue.
>
> When I did some testing in my home lab, mimicking the customer network, I
> found a number of problems when I would do IPX and IP pings using a 1500
> byte packet, but the problems disappeared when I used a 1499 byte packet
> size. Go figure.
>
> I also know that using my employer's VPN ( Cisco VPN client connecting to
> a CVPN box ) that there was a problem with a particular application ( it
> would not work over the VPN, but worked fine when I was in the office )
> that was solved by reducing the MTU for the VPN connection ( setting on
> the Cisco VPN client software ) from the default to about 600 bytes.
>
> So, whether it is logical or not, it would seem that connections over
> IPSEC tunnels can be positively or adversely affected by MTU size.
>
> There is probably a good reason for this. Maybe counting on my fingers,
> all the headers, payloads, etc would yield an answer.
>
> But MTU definitely can contribute to problems over IPSEC.
>
>
> Chuck
> --
>
> www.chuckslongroad.info
> like my web site?
> take the survey!
>
>
>
> "Thomas N." wrote in message news:[EMAIL PROTECTED]...
> > Hi All,
> >
> > I am setting up a site-to-site VPN between 2 LANs using Cisco IOS VPN
> > (Cisco 2600 routers).  I could get the tunnel up and running between
> > the two LANs with IPSec over GRE so that I can run EIGRP.  Data
> > transfer between 2 LANs across the tunnel looks OK, and all dynamic
> > routes learned with EIGRP.  However, a problem came up when I put a
> > Proxy Server on the first LAN and force Internet traffic from
> > workstations from the second LAN to go out with this Proxy server.
> > Workstations from the second LAN could browse Internet across the
> > tunnel to reach the Proxy server then hit the Internet; however, the
> > performance is very poor (seems like browsing over a 56k modem).  I am
> > thinking this may be because of fragmentation on the 2 routers.  Is
> > there any work around for this issue?  If MTU size needs to be
> > adjusted, what would be the ideal MTU size for IPSec over GRE tunnel in
> > "tunnel" mode?
> > Again, thank you All for the help!
> >
> > Thomas N.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54670&t=54634
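
The header counting that the thread leaves open, worked through as an added example (not part of any message above and not Cisco's code): it computes the on-the-wire size of a packet carried in GRE and then protected by ESP, and the largest inner packet that avoids fragmentation. Assumptions not stated in the thread: IPv4 without options, a plain 4-byte GRE header, HMAC-96 authentication, no NAT-T, and a 1500-byte path MTU between the routers; the AES-CBC entry goes beyond the 3DES case mentioned in the thread.

```python
# Added example: byte budget for a packet carried in GRE, then protected by ESP.
# Assumptions (not from the thread): IPv4 without options, plain GRE header,
# no NAT-T, HMAC-96 authentication, 1500-byte path MTU between the routers.
IPV4_HDR = 20      # IPv4 header, no options
GRE_HDR = 4        # base GRE header, no key/checksum/sequence fields
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV = 12           # HMAC-SHA1-96 / HMAC-MD5-96 integrity check value

# cipher name -> (IV bytes, block size bytes)
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}


def encapsulated_size(inner_len, cipher="3des", mode="tunnel"):
    """On-the-wire IPv4 packet size for an inner packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    gre_packet = IPV4_HDR + GRE_HDR + inner_len      # GRE delivery packet
    if mode == "tunnel":
        plaintext = gre_packet                        # whole GRE packet is encrypted
    elif mode == "transport":
        plaintext = gre_packet - IPV4_HDR             # GRE IP header stays in clear
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    # ESP pads plaintext + trailer up to a whole number of cipher blocks.
    padded = -(-(plaintext + ESP_TRAILER) // block) * block
    return IPV4_HDR + ESP_HDR + iv + padded + ICV


def max_inner_mtu(path_mtu=1500, cipher="3des", mode="tunnel"):
    """Largest inner packet that still fits in path_mtu after GRE + ESP."""
    for inner in range(path_mtu, 0, -1):
        if encapsulated_size(inner, cipher, mode) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for the encapsulation")


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        inner = max_inner_mtu(1500, "3des", mode)
        print(f"3DES {mode}: 1500-byte packet becomes "
              f"{encapsulated_size(1500, '3des', mode)} bytes; "
              f"largest inner packet {inner}, TCP MSS {inner - 40}")
```

Under these assumptions a full 1500-byte LAN packet cannot cross the tunnel in one piece, so the tunnel interface MTU (and the TCP MSS derived from it) has to sit at or below the computed value.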