Here are some links for setting TCP/IP parameters on Windows machines. I have experienced many issues related to MTU when working with IPsec (very PMTU unfriendly).

The symptoms you describe are consistent with a smaller MTU setting somewhere along the path from you to the server, especially if other web and related internet activities are unaffected. Performing a "tracert -d <www.affectedhost.com>" should show you A) the full path to the server, B) the point at which ICMP is being filtered, C) the device (probably router/load balancer) causing the problems. If a firewall is filtering your ICMP you will never get the information and the above symptoms may appear.

The easiest way I have found is to set the MTU (temporarily) to the lowest practical value 576 (X.25). If you find it works 100% of the time then increment it up by 250 or so and test again. It may be you need to set it to something like 1492 instead of the Ethernet default 1500.

HTH

Ken

(Watch for Wrap in Links)

http://support.microsoft.com/support/kb/articles/q120/6/42.asp?LN=EN-US&SD=tech&FR=1&qry=mtu&rnk=1&src=DHCS_MSPSS_tech_SRCH&SPR=WIN2000

Default MTUs for different topologies
http://support.microsoft.com/support/kb/articles/Q140/3/75.asp?LN=EN-US&SD=tech&FR=1&qry=mtu&rnk=3&src=DHCS_MSPSS_tech_SRCH&SPR=WIN2000

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe volk
Sent: Friday, October 26, 2001 2:03 PM
To: [EMAIL PROTECTED]
Subject: MTU, DNS, Both or None?

Sitting behind a Cisco 7206 perimeter router and 2 load balanced Gauntlet FWs on Solaris, internal client browsers cannot access a few distinct, unrelated web sites. Either 403 errors (Netscape) or blank page (IE) returned. Our upstream provider is unable to access these particular sites as well. From an unadvertized host in our DMZ (directly off the perimeter router) I am able to access the sites 80% of the time.

Had a similar problem a while back when it was determined that a device hosting the remote web server was limiting MTU size. Our upstream provider put in place a workaround to match max MTU size between us and remote site.

1) Does this sound like an MTU-related problem or more a DNS issue if remote site is attempting to do resolution to determine if we are coming from a particular domain?

2) Is there anything we can do at our site either on router or firewalls to at least give us the same, albeit less-than-stellar, results we get from our DMZ?

If more info is needed I will attempt to supply, but cannot give too many specifics. Any thoughts appreciated.

Joe Volk
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
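Added example, not part of the original thread: a small Python simulation of why filtered ICMP stalls automatic path MTU discovery while the step-up test from the reply (start at 576, raise by about 250) still finds a working value. The hop MTUs, the filter position and all function names are constructed assumptions, and the final bisection goes one step beyond the thread's procedure to pin down the exact value.

```python
# Added illustration: constructed path data, not a capture from the thread.
ETHERNET_MTU = 1500   # Ethernet default named in the reply
START_MTU = 576       # lowest practical value named in the reply

def send_df(size, hop_mtus, icmp_filter_hop=None):
    """Simulate one Don't-Fragment packet of `size` bytes crossing the path.

    Returns "delivered", ("frag_needed", mtu) when the ICMP error reaches the
    sender, or "timeout" when a filter at or before the narrow hop drops it.
    """
    for hop, mtu in enumerate(hop_mtus):
        if size > mtu:
            if icmp_filter_hop is not None and icmp_filter_hop <= hop:
                return "timeout"
            return ("frag_needed", mtu)
    return "delivered"

def automatic_pmtud(hop_mtus, icmp_filter_hop=None):
    """Path MTU discovery: shrink on each ICMP error; None means black hole."""
    size = ETHERNET_MTU
    while True:
        result = send_df(size, hop_mtus, icmp_filter_hop)
        if result == "delivered":
            return size
        if result == "timeout":
            return None
        size = result[1]

def manual_step_up(hop_mtus, icmp_filter_hop=None, step=250):
    """Start at 576, raise by `step` while traffic passes, then bisect."""
    ok = lambda s: send_df(s, hop_mtus, icmp_filter_hop) == "delivered"
    if not ok(START_MTU):
        return None
    good, bad = START_MTU, None
    while good < ETHERNET_MTU and bad is None:
        trial = min(good + step, ETHERNET_MTU)
        if ok(trial):
            good = trial
        else:
            bad = trial
    while bad is not None and bad - good > 1:
        mid = (good + bad) // 2
        if ok(mid):
            good = mid
        else:
            bad = mid
    return good

# Constructed path: client LAN, filtering firewall (hop 1), 1492-byte link, server LAN.
PATH = [1500, 1500, 1492, 1500]
if __name__ == "__main__":
    print(automatic_pmtud(PATH), automatic_pmtud(PATH, 1), manual_step_up(PATH, 1))
```

On a real host the `send_df` probe would be replaced by an actual transfer test against the affected site at each candidate MTU setting.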
