Looking for a push in the right direction with my VPN.... (fwd)

Stephen Hope shope at ENERGIS-EIS.CO.UK
Thu Aug 3 04:01:07 EDT 2000


Or reduce the MTU on the server / client to maybe 1400 bytes

that way you won't have oversize Ethernet packets via the firewall

(and it is sometimes easier to only alter the test kit, rather than
a live firewall, router etc)

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189


> -----Original Message-----
> From: Biggerstaff, Craig [mailto:Craig.Biggerstaff at CSOCONLINE.COM]
> Sent: Wednesday, August 02, 2000 2:48 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Looking for a push in the right direction with my VPN.... (fwd)
>
>
> Sounds like an MTU (Maximum Transmissible Unit) problem to me.  Tunneling
> VPNs encrypt the original packet contents and encapsulate them in a new
> packet with new headers for transport to the other end of the tunnel.  This
> process invariably increases the size of each packet transported.
>
> The default MTU on most systems for Ethernet LANs is 1500 bytes.  Routers
> generally default to allow larger MTUs, but this is configurable too.  If
> your VPN is set to a 1500 byte MTU, it will fragment every packet that
> passes through it.  Up the MTU to, say, 1600, and see if that fixes the
> problem.  If it doesn't, check your routers to see if they have been set to
> limit the MTU allowed.
>
>
> -- Craig
>
> > -----Original Message-----
> > From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
> > Sent: Tuesday, August 01, 2000 1:16 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Looking for a push in the right direction with my VPN.... (fwd)
> >
> >
> > Hi all -- Any help with Tobin's problem greatly appreciated...
> >
> > ---------- Forwarded message ----------
> > Date: Tue, 1 Aug 2000 14:20:45 -0400
> > From: Tobin Craig <tcraig at Swales.com>
> > To: tbird at precision-guesswork.com
> > Subject: Looking for a push in the right direction with my VPN....
> >
> > Hi Tina,
> >
> > I'm wrestling with a fledgling VPN configuration on my network, and I hope
> > you can help.
> >
> > We are experiencing a performance drop every time we try to use our VPN.  To
> > illustrate this, we moved an 82 MB file directly over our LAN, taking 30
> > seconds.  By connecting to our VPN server, again over the LAN, and moving
> > the same file, the process took 5 minutes 30 seconds.  Dialing into an
> > independent ISP and then establishing the VPN connection took even longer.
> >
> > Our VPN server is running NT, SP6, and Microsoft PPTP protocol.  We are
> > connecting to it via a Pentium 450 Laptop running NT, SP 6, using RAS.  We
> > have checked the processor loads on both machines, neither one is breaking a
> > sweat during the copy process.
> >
> > Our VPN server is on its own node on our Checkpoint firewall.  All traffic
> > destined for it passes through the firewall, is sent to the VPN server, is
> > passed back through the firewall, and then is sent to its destination again.
> > We have determined that the firewall is not posing a problem, since the
> > performance degradation is consistent if the traffic is generated from
> > within or from outside the firewall.
> >
> > Do you have any suggestions about what I can do to improve the performance
> > of this arrangement?  It is currently giving us the same level of
> > performance as our 28.8 modems!
> >
> > Thanks for any help or advice you might have,
> >
> > Tobin Craig
> >
> > Network Security Administrator
> > Swales Aerospace
> > Beltsville, MD
> > 20705
> >
> > http://www.swales.com
> >
>
> VPN is sponsored by SecurityFocus.COM
>
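
Added example (not part of the original messages): a Python sketch of how tunnel encapsulation turns full-size packets into IPv4 fragments on a 1500-byte Ethernet path, comparing an inner MTU of 1500 with the 1400 suggested above. The 40-byte PPTP overhead (outer IPv4 + enhanced GRE + PPP/MPPE framing), the 40-byte TCP/IP header size and the reading of "82 MB" as 82 MiB are assumptions, and all function names are hypothetical.

```python
IPV4_HEADER = 20  # outer IPv4 header, no options
GRE_HEADER = 16   # enhanced GRE header with sequence and ack fields present
PPP_MPPE = 4      # assumed PPP/MPPE framing; varies with negotiated options


def tunnel_overhead():
    """Bytes the tunnel adds to every inner packet (assumed figure)."""
    return IPV4_HEADER + GRE_HEADER + PPP_MPPE


def fragment_sizes(packet_len, link_mtu):
    """On-wire sizes of the IPv4 fragments of one packet (header included)."""
    if packet_len <= link_mtu:
        return [packet_len]
    payload = packet_len - IPV4_HEADER
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_frag = (link_mtu - IPV4_HEADER) // 8 * 8
    sizes = []
    while payload > per_frag:
        sizes.append(IPV4_HEADER + per_frag)
        payload -= per_frag
    sizes.append(IPV4_HEADER + payload)
    return sizes


def encapsulated_fragments(inner_len, link_mtu=1500):
    """Fragments produced once an inner packet is wrapped by the tunnel."""
    return fragment_sizes(inner_len + tunnel_overhead(), link_mtu)


def largest_clean_inner_mtu(link_mtu=1500):
    """Largest inner MTU whose encapsulated packets still fit the link."""
    return link_mtu - tunnel_overhead()


def transfer_packets(file_bytes, inner_mtu, link_mtu=1500, tcp_ip_headers=40):
    """Wire packets needed to carry file_bytes of TCP payload via the tunnel."""
    mss = inner_mtu - tcp_ip_headers
    full, rest = divmod(file_bytes, mss)
    total = full * len(encapsulated_fragments(inner_mtu, link_mtu))
    if rest:  # the short final segment may not need fragmenting
        total += len(encapsulated_fragments(rest + tcp_ip_headers, link_mtu))
    return total


if __name__ == "__main__":
    size = 82 * 1024 * 1024  # the 82 MB test file, taken as MiB (assumption)
    for mtu in (1500, 1400):
        print(mtu, encapsulated_fragments(mtu), transfer_packets(size, mtu))
```

With these assumptions every full-size packet at an inner MTU of 1500 leaves the tunnel endpoint as a 1500-byte fragment plus a 60-byte fragment, while an inner MTU of 1400 fits in a single 1440-byte packet.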
