RE: Telnet session traversing PIX are timingout [7:53490]
KR,

The resolution for the VPN MTU size is usually pretty simple. There should be an option within the VPN to lower the MTU size of the VPN encrypted packet. This can either be in the form of a VPN client used to connect, or within a Point-to-Point Tunnel endpoint configuration. You just need to lower the MTU size of the VPN enough so that it no longer gets dropped by any routers along the path.

I don't know of any write-ups on this particular issue, but I haven't really looked either.

Eddie

-----Original Message-----
From: KM Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: Telnet session traversing PIX are timingout [7:53490]

Eddie,

There is no VPN involved. I don't think it's an MTU problem. I am trying to find a similar command to the IOS Firewall's "ip inspect name ..." (inspection rule for CBAC) for the PIX. I need to increase the idle timeout for the telnet application.

However, I found your MTU explanation very informative. Someone mentioned to me about a VPN/MTU problem but did not go deeper into the cause. How did you resolve this MTU problem? Are there any write-ups on this problem?

KR

> From: "Caballero, Eddie"
> To: 'KM Reynolds', [EMAIL PROTECTED]
> Subject: RE: Telnet session traversing PIX are timingout [7:53490]
> Date: Tue, 17 Sep 2002 11:26:07 -0700

_________________________________________________________________
Join the world's largest e-mail service with MSN Hotmail.
http://www.hotmail.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53646&t=53490
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Telnet session traversing PIX are timingout [7:53490]
To telnet from a client to a host works fine. However, if you telnet to the host, walk away for 5 minutes and come back, the telnet session is disconnected (I think it is the PIX disconnecting the telnet session after a period of the connection being idle). It is this timeout of 5 minutes I would like to adjust to make a longer period. I think the "ip inspect tcp idle-time" may do the trick; however, I wonder if there is a more specific "ip inspect" command to focus just on telnet.

KR

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53543&t=53490
Re: Telnet session traversing PIX are timingout [7:53490]
What happens if you telnet from the PIX to the external host... does it time out then?

Dain

"KM Reynolds" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> I have telnet sessions that originate on the internal side of a PIX to a
> server on the external side that are timing out (after 60 seconds). Is
> there a command to increase the timeout period for telnet? If there is, what
> is the max?
>
> TIA
> KR

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53534&t=53490
RE: Telnet session traversing PIX are timingout [7:53490]
Eddie,

There is no VPN involved. I don't think it's an MTU problem. I am trying to find a similar command to the IOS Firewall's "ip inspect name ..." (inspection rule for CBAC) for the PIX. I need to increase the idle timeout for the telnet application.

However, I found your MTU explanation very informative. Someone mentioned to me about a VPN/MTU problem but did not go deeper into the cause. How did you resolve this MTU problem? Are there any write-ups on this problem?

KR

> From: "Caballero, Eddie"
> To: 'KM Reynolds', [EMAIL PROTECTED]
> Subject: RE: Telnet session traversing PIX are timingout [7:53490]
> Date: Tue, 17 Sep 2002 11:26:07 -0700
>
> I've seen this issue before with SSH timing out over a perfectly good
> connection without packet loss. The problem was with the MTU size being too
> small and the packet was getting dropped.
> The packet was going through a VPN tunnel through the network to a VPN
> concentrator.
>
> Here's an example.
> The telnet packet was 1435 bytes in size including all the headers.
> The router maximum MTU was 1456, for example.
> So far so good... Looks like it should get through, correct ports are open,
> etc.
> Now the VPN encryption adds an extra 25 bytes, for example (I don't have
> exact numbers).
> Now you have a packet that is encapsulated with encryption for a total size
> of 1460 bytes.
> Oh, and what also happens is the VPN will put a DO NOT Fragment flag on the
> packet, because of the encryption.
> What's going to happen once that packet hits the router with an MTU size of
> 1456?
> It gets dropped because the packet is too large. What happens to the
> telnet or SSH session is it starts dropping packets and then times out. It
> doesn't receive any ACKs from the other end and thinks it is timing out.
>
> So A. Is there a VPN involved? If so, it could be an MTU issue.
> B. Check the MTU size. Send some large pings, over 1400 bytes in size,
> with the Do Not Fragment flag set. Find out if and where the MTU is set
> too low.
> C. Of course, check for packet loss or extreme latency.
>
> Welp, hopefully this helps from my experiences with this type of issue.
>
> Eddie
> Corio Inc.
>
> -----Original Message-----
> From: KM Reynolds [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 17, 2002 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: Telnet session traversing PIX are timingout [7:53490]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53522&t=53490
RE: Telnet session traversing PIX are timingout [7:53490]
I've seen this issue before with SSH timing out over a perfectly good connection without packet loss. The problem was with the MTU size being too small and the packet was getting dropped. The packet was going through a VPN tunnel through the network to a VPN concentrator.

Here's an example.
The telnet packet was 1435 bytes in size including all the headers.
The router maximum MTU was 1456, for example.
So far so good... Looks like it should get through, correct ports are open, etc.
Now the VPN encryption adds an extra 25 bytes, for example (I don't have exact numbers).
Now you have a packet that is encapsulated with encryption for a total size of 1460 bytes.
Oh, and what also happens is the VPN will put a DO NOT Fragment flag on the packet, because of the encryption.
What's going to happen once that packet hits the router with an MTU size of 1456?
It gets dropped because the packet is too large. What happens to the telnet or SSH session is it starts dropping packets and then times out. It doesn't receive any ACKs from the other end and thinks it is timing out.

So A. Is there a VPN involved? If so, it could be an MTU issue.
B. Check the MTU size. Send some large pings, over 1400 bytes in size, with the Do Not Fragment flag set. Find out if and where the MTU is set too low.
C. Of course, check for packet loss or extreme latency.

Welp, hopefully this helps from my experiences with this type of issue.

Eddie
Corio Inc.

-----Original Message-----
From: KM Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: Telnet session traversing PIX are timingout [7:53490]

Hi,

I have telnet sessions that originate on the internal side of a PIX to a server on the external side that are timing out (after 60 seconds). Is there a command to increase the timeout period for telnet? If there is, what is the max?

TIA
KR

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53501&t=53490
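Eddie's arithmetic above (a 1435-byte telnet packet plus roughly 25 bytes of VPN overhead against a 1456-byte router MTU, with DF set), his step B of probing with DF pings to locate the low-MTU hop, and the fix from his later reply of lowering the VPN MTU, as an added Python model that is not code from any of the posts. The hop names and MTUs in SAMPLE_PATH are constructed; only the 1435/25/1456 figures come from the thread.

```python
# Constructed path (hop name, MTU in bytes); one hop carries the low MTU
# from Eddie's example. Hop names are made up for illustration.
SAMPLE_PATH = [
    ("client-lan", 1500),
    ("vpn-concentrator", 1500),
    ("isp-router", 1456),
    ("server-lan", 1500),
]

VPN_OVERHEAD = 25  # Eddie's rough figure for the encryption headers


def encapsulated_size(inner, overhead=VPN_OVERHEAD):
    """Wire size once the VPN wraps the inner packet in its own headers."""
    return inner + overhead


def first_dropping_hop(size, path, df=True):
    """First hop whose MTU is below `size`, or None if it fits everywhere.
    Only a DF-set packet is dropped; with DF clear a hop could fragment
    it instead, which is why the DF flag the VPN sets matters."""
    if not df:
        return None
    for name, mtu in path:
        if size > mtu:
            return name
    return None


def max_df_size(path, lo=1, hi=1500):
    """Largest DF packet that crosses every hop, by binary search.
    This is Eddie's step B done in code: DF pings of growing size until
    one stops getting through."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if first_dropping_hop(mid, path) is None:
            lo = mid
        else:
            hi = mid - 1
    return lo


def diagnose(inner, path, overhead=VPN_OVERHEAD):
    """Wire size, the hop that drops it, the path MTU, and the largest
    inner packet that still fits (the value to lower the VPN MTU to)."""
    path_mtu = max_df_size(path)
    wire = encapsulated_size(inner, overhead)
    return {"wire_size": wire,
            "dropped_at": first_dropping_hop(wire, path),
            "path_mtu": path_mtu,
            "max_inner": path_mtu - overhead}
```

Running `diagnose(1435, SAMPLE_PATH)` reproduces the thread's case: 1460 bytes on the wire, dropped at the 1456-byte hop, and an inner size of 1431 as the ceiling the VPN MTU would need to be lowered to.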