Looking for a push in the right direction with my VPN.... (fw d)

DePriest, Jason R. jrdepriest at FTB.COM
Wed Aug 2 14:29:49 EDT 2000


I have a similar issue that I would like some opinions on.

We are using PowerVPN 6.5 running on a Windows NT system.  The MTU at the
router is set to allow standard ethernet 1500.  And, of course, the client
operating systems (Windows 9x and Windows NT) automatically set the don't
fragment flag on the ESP traffic.

The problem is this: when using a dial-up connection with a default MTU of 576,
I have no problems.  I can use Outlook 2000 to access my Exchange email, I
can NET USE to map to shared resources, I can use IE5.01SP1 to access the
Intranet, and I can use the SNA client to access mainframe sessions.
When trying to connect through Road Runner with my cable modem, however, things
change.  Name resolution has a tendency to fail.  My Outlook 2000 only stays
up for about 60 seconds and then it locks up.  NET USE says "The network
name is no longer available."  I can access the Intranet, but only by IP
address and not by regular URL.  SNA client tells me it cannot establish a
connection.

Any ideas?  Think this is also an MTU issue?  Or could it be something else?

Thank you!

Jason R DePriest, Network and Systems Administrator
First Tennessee National Corporation
InterActive Services Department
ph: 901/523-5777, fax: 901/523-5527
email: jrdepriest at ftb.com

Disclaimer:
The views expressed in this message, while not necessarily the views of
First Tennessee, are none-the-less confidential and not to be freely
distributed to external sources without explicit permission from the sender
of this message or from First Tennessee National Corporation.

"I have never let my schooling interfere with my education."
- Mark Twain
"The opposite of a correct statement is a false statement. But the opposite
of a profound truth may well be another profound truth."
- Niels Bohr


=> -----Original Message-----
=> From: Biggerstaff, Craig [mailto:Craig.Biggerstaff at CSOCONLINE.COM]
=> Sent: Wednesday, August 02, 2000 8:48 AM
=> To: VPN at SECURITYFOCUS.COM
=> Subject: Re: Looking for a push in the right direction with
=> my VPN....
=> (fw d)
=>
=>
=> Sounds like a MTU (Maximum Transmissible Unit) problem to
=> me.  Tunneling
=> VPNs encrypt the original packet contents and encapsulate
=> them in a new
=> packet with new headers for transport to the other end of
=> the tunnel.  This
=> process invariably increases the size of each packet transported.
=>
=> The default MTU on most systems for Ethernet LANs is 1500
=> bytes.  Routers
=> generally default to allow larger MTUs, but this is
=> configurable too.  If
=> your VPN is set to a 1500 byte MTU, it will fragment every
=> packet that
=> passes through it.  Up the MTU to, say, 1600, and see if
=> that fixes the
=> problem.  If it doesn't, check your routers to see if they
=> have been set to
=> limit the MTU allowed.
=>
=>
=> -- Craig
=>
=> > -----Original Message-----
=> > From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
=> > Sent: Tuesday, August 01, 2000 1:16 PM
=> > To: VPN at SECURITYFOCUS.COM
=> > Subject: Looking for a push in the right direction with my
=> > VPN.... (fwd)
=> >
=> >
=> > Hi all -- Any help with Tobin's problem greatly
=> > appreciated...
=> >
=> > ---------- Forwarded message ----------
=> > Date: Tue, 1 Aug 2000 14:20:45 -0400
=> > From: Tobin Craig <tcraig at Swales.com>
=> > To: tbird at precision-guesswork.com
=> > Subject: Looking for a push in the right direction with my VPN....
=> >
=> > Hi Tina,
=> >
=> > I'm wrestling with a fledgling VPN configuration on my
=> > network, and I hope
=> > you can help.
=> >
=> > We are experiencing a performance drop every time we try to
=> > use our VPN.  To
=> > illustrate this, we moved an 82 MB file directly over our
=> > LAN, taking 30
=> > seconds.  By connecting to our VPN server, again over the
=> > LAN, and moving
=> > the same file, the process took 5 minutes 30 seconds.
=> > Dialing into an
=> > independent ISP and then establishing the VPN connection took
=> > even longer.
=> >
=> > Our VPN server is running NT, SP6, and Microsoft PPTP
=> > protocol.  We are
=> > connecting to it via a Pentium 450 Laptop running NT, SP 6,
=> > using RAS.  We
=> > have checked the processor loads on both machines, neither
=> > one is breaking a
=> > sweat during the copy process.
=> >
=> > Our VPN server is on its own node on our Checkpoint firewall.
=> >  All traffic
=> > destined for it passes through the firewall, is sent to the
=> > VPN server, is
=> > passed back through the firewall, and then is sent to its
=> > destination again.
=> > We have determined that the firewall is not posing a problem,
=> > since the
=> > performance degradation is consistent if the traffic is
=> > generated from
=> > within or from outside the firewall.
=> >
=> > Do you have any suggestions about what I can do to improve
=> > the performance
=> > of this arrangement?  It is currently giving us the same level of
=> > performance as our 28.8 modems!
=> >
=> > Thanks for any help or advice you might have,
=> >
=> > Tobin Craig
=> >
=> > Network Security Administrator
=> > Swales Aerospace
=> > Beltsville, MD
=> > 20705
=> >
=> > http://www.swales.com
=> >
=>
=> VPN is sponsored by SecurityFocus.COM
=>
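
The size arithmetic behind the MTU discussion in this thread, as an added example that is not part of any poster's message: it computes how large an IPv4 ESP tunnel-mode packet becomes and the largest inner packet that fits a given path MTU. The transform (3DES-CBC with a 96-bit HMAC) is an assumption, since the thread does not say what PowerVPN negotiates; the function names are hypothetical.

```python
# Added example: ESP tunnel-mode size arithmetic for IPv4 (RFC 2406 layout).
# Assumed transform: 3DES-CBC (8-byte block, 8-byte IV) + HMAC-96 (12-byte ICV).

OUTER_IPV4 = 20    # outer IPv4 header, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options


def esp_packet_size(inner_len, block=8, iv=8, icv=12):
    """On-the-wire size of the ESP packet that carries an inner IP packet."""
    # Inner packet + padding + trailer must fill whole cipher blocks.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IPV4 + ESP_HEADER + iv + inner_len + pad + ESP_TRAILER + icv


def max_inner_packet(path_mtu, block=8, iv=8, icv=12):
    """Largest inner IP packet whose encapsulation still fits in path_mtu."""
    room = path_mtu - OUTER_IPV4 - ESP_HEADER - iv - icv  # ciphertext budget
    room -= room % block                                  # whole blocks only
    return room - ESP_TRAILER


def classify(inner_len, path_mtu, df_set=True):
    """Fate of one encapsulated packet at the narrowest hop on the path."""
    if esp_packet_size(inner_len) <= path_mtu:
        return "fits"
    # With DF set the hop must drop the packet and send ICMP "fragmentation
    # needed"; if that ICMP is filtered, the sender never learns to shrink.
    return "dropped, ICMP frag-needed required" if df_set else "fragmented"


def report(path_mtus=(576, 1500)):
    """Per-MTU summary: (path MTU, max inner packet, matching TCP MSS)."""
    return [(m, max_inner_packet(m), max_inner_packet(m) - TCP_IP_HEADERS)
            for m in path_mtus]


if __name__ == "__main__":
    for mtu, inner, mss in report():
        print(f"path MTU {mtu}: max inner packet {inner}, TCP MSS {mss}")
    # Constructed sample: a full-size 1500-byte inner packet on a 1500-byte path.
    print("1500-byte inner packet ->", esp_packet_size(1500), "bytes,",
          classify(1500, 1500))
```
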
