Greyscreen resolved - MTU of VPN tunnel

Wed, 28 Nov 2001 20:18:27 -0800 

Hi,
I wrote in October with an issue regarding VNC connecting but "hanging at 
the "Please wait, initial screen loading" prompt. Although it was suggested 
this might be because of virus checking software, in my case the problem 
was that I was connecting to the VNC host through a VPN tunnel.

My topology is as follows:

VNC 
Viewer:---------CiscoRouter-------Internet--------CiscoRouter---------VNC 
Host (NT 4.0 Server)
                                      <-----------VPN Tunnel----------->

The VPN tunnel has an MTU of 1500 bytes, as do all interfaces on all 
devices. However, because the VNC IP packets originated from the VNC viewer 
and hosts were built for 1500 byte MTU, they must have been fragmented by 
the Cisco Routers, in order to accommodate the IPSec headers for transport 
through the Internet over the VPN tunnel (the access to the internet was 
usually over ISDN, which defaults to a 1500 MTU).

The solution was to reduce the MTU of the VNC host. This can be done in the 
registry permanently with:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<adapter>\Tcpip\Paramet 
ers\MTU

which should be set to 1400

The NT server can also be forced to discover the MTU of a path by setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Enable 
PMTUBHDetect

which is a REG_DWORD value. Setting it to 1 forces the NT server to 
discover the MTU of the path to the target system (in this case the VNC 
viewer). If you set the value to 0, it forces the MTU down to 576, and 
doesn't attempt to discover the MTU at all.

Diagnosing the problem in the first place was done by sending pings of 
various sizes with the DF bit set to true.

Having made this change, I have had no issues with connectivity through 
Internet VPN tunnels, and have run tunnel connections from Singapore and 
Taiwan to Sydney.

Hope this will help others facing similar problems.

Chris Jaecker

______________________________________________________
Chris Jaecker, Director              Illustrated Networks
tel: +61 (0)2 9418 4226 [EMAIL PROTECTED]
fax: +61 (0)2 9403 1188 www.in-training.net
______________________________________________________ 
---------------------------------------------------------------------
To unsubscribe, mail [EMAIL PROTECTED] with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Reply via email to