RE: Telnet session traversing PIX are timingout [7:53490]

2002-09-19 Thread Caballero, Eddie

KR,

The resolution for the VPN MTU size is usually pretty simple.  There should
be an option within the VPN to lower the MTU size of the VPN encrypted
packet.
This can either be in the form of a VPN client used to connect, or within a
Point to Point Tunnel endpoint configuration.
You just need to lower the MTU size of the VPN enough so that it no longer
gets dropped by any routers along the path. 
I don't know of any write ups on this particular issue, but I haven't really
looked either.  

Eddie



-Original Message-
From: KM Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: Telnet session traversing PIX are timingout [7:53490]


Eddie,

There is no VPN involved. I don't think it's an MTU problem.  I am trying to
find a similar command to the IOS Firewall's ip inspect name ...
(Inspection rule for CBAC) for the PIX.  I need to increase the idle timeout
for the telnet application.

However, I found your MTU explanation very informative.  Someone mentioned
to me about a VPN/MTU problem but did not go deeper into the cause.  How did
you resolve this MTU problem?  Are there any write-ups on this problem?

KR


From: Caballero, Eddie 
To: 'KM Reynolds' , [EMAIL PROTECTED]
Subject: RE: Telnet session traversing PIX are timingout [7:53490]
Date: Tue, 17 Sep 2002 11:26:07 -0700

I've seen this issue before with SSH timing out over a perfectly good
connection without packet loss.  The problem was with the MTU size being too
small and the packet was getting dropped.
The packet was going through a VPN tunnel through the network to a VPN
concentrator.
Here's an example.
The telnet packet was  1435 bytes in size including all the headers.
The Router maximum MTU was  1456 for example.
So far so good... Looks like it should get through, correct ports are open
etc..
Now the VPN encryption adds an extra  25 bytes for example ( I don't have
exact numbers).
Now you have a packet that is Encapsulated with encryption for a total size
of 1460 bytes.
Oh and what also happens is the VPN will put a DO NOT Fragment flag on the
packet, because of the encryption.
What's going to happen once that packet hits the router with an MTU size of
1456?
It gets dropped because the packet is too large.   What happens to the
telnet or SSH session, is it starts dropping packets and then times out.  It
doesn't receive any ACKs from the other end and thinks it is timing out.

So A.  Is there VPN involved?  If so, could be MTU issue.
   B.  Check the MTU size.  Send some large sized pings over 1400 bytes in
size with the Do not Fragment Flag.  Find out if and where the MTU is set
too low.
   C.  Of course check for packet loss or extreme latency.


Welp hopefully this helps from my experiences with this type of issue.


Eddie
Corio Inc.




-Original Message-
From: KM Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: Telnet session traversing PIX are timingout [7:53490]


Hi,

I have telnet sessions that originate on the internal side of a PIX to a
server on the external side that are timing out (after 60 seconds).  Is
there a command to increase the timeout period for telnet? If there is what
is the max?

TIA
KR



_
Join the worlds largest e-mail service with MSN Hotmail.
http://www.hotmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53646t=53490
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Telnet session traversing PIX are timingout [7:53490]

2002-09-18 Thread Reynolds KM

To telnet from a client to a host works fine.  However, if you telnet to the
host, walk away for 5 minutes and come back, the telnet session is
disconnected (I think it is the PIX disconnecting the telnet session after a
period of the connection being idle).

It is this timeout of 5 minutes I would like to adjust to make the period
longer.  I think the ip inspect tcp idle-time may do the trick, however, I
wonder if there is a more specific ip inspect command to focus just on
telnet.

KR


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53543t=53490



Telnet session traversing PIX are timingout [7:53490]

2002-09-17 Thread KM Reynolds

Hi,

I have telnet sessions that originate on the internal side of a PIX to a
server on the external side that are timing out (after 60 seconds).  Is
there a command to increase the timeout period for telnet? If there is what
is the max?

TIA
KR







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53490t=53490



RE: Telnet session traversing PIX are timingout [7:53490]

2002-09-17 Thread Caballero, Eddie

I've seen this issue before with SSH timing out over a perfectly good
connection without packet loss.  The problem was with the MTU size being too
small and the packet was getting dropped.  
The packet was going through a VPN tunnel through the network to a VPN
concentrator.
Here's an example.  
The telnet packet was  1435 bytes in size including all the headers.
The Router maximum MTU was  1456 for example. 
So far so good... Looks like it should get through, correct ports are open
etc..
Now the VPN encryption adds an extra  25 bytes for example ( I don't have
exact numbers).
Now you have a packet that is Encapsulated with encryption for a total size
of 1460 bytes.
Oh and what also happens is the VPN will put a DO NOT Fragment flag on the
packet, because of the encryption.
What's going to happen once that packet hits the router with an MTU size of
1456?
It gets dropped because the packet is too large.   What happens to the
telnet or SSH session, is it starts dropping packets and then times out.  It
doesn't receive any ACKs from the other end and thinks it is timing out.

So A.  Is there VPN involved?  If so, could be MTU issue.
   B.  Check the MTU size.  Send some large sized pings over 1400 bytes in
size with the Do not Fragment Flag.  Find out if and where the MTU is set
too low.
   C.  Of course check for packet loss or extreme latency.


Welp hopefully this helps from my experiences with this type of issue.


Eddie
Corio Inc.
   



-Original Message-
From: KM Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: Telnet session traversing PIX are timingout [7:53490]


Hi,

I have telnet sessions that originate on the internal side of a PIX to a
server on the external side that are timing out (after 60 seconds).  Is
there a command to increase the timeout period for telnet? If there is what
is the max?

TIA
KR







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53501t=53490
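A small model of the MTU scenario Eddie describes above (1435-byte telnet packet, about 25 bytes of VPN overhead, DF set, 1456-byte router MTU) and of his step B, probing with Don't-Fragment pings to find where the MTU is set too low. This is an added example, not code from the thread or from any Cisco product; the hop names and the binary-search probe are assumptions for illustration.

```python
# Added example, not from the thread: models Eddie's MTU scenario and the
# DF-ping probe of step B.  Hop names and MTUs are constructed from his numbers.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str
    mtu: int  # largest IP packet this hop forwards without fragmenting


def forward(size: int, df: bool, path: List[Hop]) -> Tuple[bool, Optional[Hop]]:
    """Walk the packet along the path; returns (delivered, hop_that_dropped_it).

    With Don't Fragment set, the packet is dropped at the first hop whose MTU is
    smaller than the packet (the session only sees missing ACKs and times out).
    Without DF the hop fragments instead, so the data still arrives.
    """
    for hop in path:
        if size > hop.mtu:
            if df:
                return False, hop
            size = hop.mtu  # fragmented; every fragment now fits this hop
    return True, None


def encapsulate(size: int, overhead: int) -> int:
    """VPN encryption adds header/trailer bytes; Eddie's example uses ~25."""
    return size + overhead


def probe_path_mtu(path: List[Hop], lo: int = 576, hi: int = 1500) -> Tuple[int, Optional[Hop]]:
    """Step B: DF probes of varying size (a binary search instead of guessing),
    returning the largest size that passes and the hop that drops the next
    byte.  Assumes a probe of size `lo` gets through."""
    best, culprit = lo, None
    while lo <= hi:
        mid = (lo + hi) // 2
        ok, hop = forward(mid, True, path)
        if ok:
            best, lo = mid, mid + 1
        else:
            culprit, hi = hop, mid - 1
    return best, culprit
```

Run `probe_path_mtu([Hop("lan", 1500), Hop("wan-router", 1456), Hop("concentrator", 1500)])` to see the 1456-byte router identified as the hop that drops the 1460-byte encapsulated packet.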



RE: Telnet session traversing PIX are timingout [7:53490]

2002-09-17 Thread KM Reynolds

Eddie,

There is no VPN involved. I don't think it's an MTU problem.  I am trying to
find a similar command to the IOS Firewall's ip inspect name ...
(Inspection rule for CBAC) for the PIX.  I need to increase the idle timeout
for the telnet application.

However, I found your MTU explanation very informative.  Someone mentioned
to me about a VPN/MTU problem but did not go deeper into the cause.  How did
you resolve this MTU problem?  Are there any write-ups on this problem?

KR


From: Caballero, Eddie 
To: 'KM Reynolds' , [EMAIL PROTECTED]
Subject: RE: Telnet session traversing PIX are timingout [7:53490]
Date: Tue, 17 Sep 2002 11:26:07 -0700

I've seen this issue before with SSH timing out over a perfectly good
connection without packet loss.  The problem was with the MTU size being too
small and the packet was getting dropped.
The packet was going through a VPN tunnel through the network to a VPN
concentrator.
Here's an example.
The telnet packet was  1435 bytes in size including all the headers.
The Router maximum MTU was  1456 for example.
So far so good... Looks like it should get through, correct ports are open
etc..
Now the VPN encryption adds an extra  25 bytes for example ( I don't have
exact numbers).
Now you have a packet that is Encapsulated with encryption for a total size
of 1460 bytes.
Oh and what also happens is the VPN will put a DO NOT Fragment flag on the
packet, because of the encryption.
What's going to happen once that packet hits the router with an MTU size of
1456?
It gets dropped because the packet is too large.   What happens to the
telnet or SSH session, is it starts dropping packets and then times out.  It
doesn't receive any ACKs from the other end and thinks it is timing out.

So A.  Is there VPN involved?  If so, could be MTU issue.
   B.  Check the MTU size.  Send some large sized pings over 1400 bytes in
size with the Do not Fragment Flag.  Find out if and where the MTU is set
too low.
   C.  Of course check for packet loss or extreme latency.


Welp hopefully this helps from my experiences with this type of issue.


Eddie
Corio Inc.




-Original Message-
From: KM Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: Telnet session traversing PIX are timingout [7:53490]


Hi,

I have telnet sessions that originate on the internal side of a PIX to a
server on the external side that are timing out (after 60 seconds).  Is
there a command to increase the timeout period for telnet? If there is what
is the max?

TIA
KR







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53522t=53490



Re: Telnet session traversing PIX are timingout [7:53490]

2002-09-17 Thread Dain Deutschman

What happens if you telnet from the PIX to the external host... does it
time out then?

Dain
KM Reynolds wrote in message
news:[EMAIL PROTECTED]...
 Hi,

 I have telnet sessions that originate on the internal side of a PIX to a
 server on the external side that are timing out (after 60 seconds).  Is
 there a command to increase the timeout period for telnet? If there is what
 is the max?

 TIA
 KR







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53534t=53490