[nsp] VPN Trouble
Dan Hopkins
hop at nexthop.net
Thu Jan 9 18:30:15 EST 2003
Diego,
likely diagnosis:
once the large ( > 1460 Byte ) packets are encapsulated into the VPN,
they will be too large for the MTU of the physical interface.
if you can sniff the packets on the hosts and/or LAN on each end
you will probably see that there are packets with the DF bit set.
you may find some good info here:
http://www.cisco.com/en/US/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml#mtu
particularly:
* the 'Black Holes' caused by parts of the path filtering *ALL* ICMP
which breaks path MTU discovery
* 'ip tcp adjust-mss <mss>' section which i have seen work to alleviate
this type of problem. (interface command)
(bleeding edge IOS required and may be CPU intensive on older platforms.)
* using a policy route-map to clear the DF bit.
i have also seen this in action and it works.
hope this helps.
-dan
on Thursday in the PM, Diego Costa wrote:
> I have a customer (2 sites) connected with a vpn (tunnel gre) without
> encryption. And when he wants to transmit a big volume of information (for
> example a ls of a big directory) it gives timeout.
>
> I have 300ms between site A to B.
>
>
> Does somebody have an idea what could be happening?
>
> Thanks
> Diego
>
--
dan hopkins hop at nexthop.net
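
The failure modes described in the message above, as an added example that is not part of the original post: a small Python model of a full-sized TCP segment entering a GRE tunnel, showing the black hole, the DF-cleared case and the clamped-MSS case. The 1500-byte physical MTU, the 24-byte GRE overhead (no key or sequence options) and the scenario list are assumptions.

```python
# Added example: model of a full-sized TCP segment entering a GRE tunnel.
# All sizes and scenarios below are constructed for illustration.
IP_HDR = 20        # IPv4 header, no options
TCP_HDR = 20       # TCP header, no options
GRE_OVERHEAD = 24  # outer IPv4 header (20) + basic GRE header (4)


def clamp_mss(physical_mtu=1500):
    """Largest TCP MSS whose packet still fits after GRE encapsulation."""
    return physical_mtu - GRE_OVERHEAD - IP_HDR - TCP_HDR


def tunnel_outcome(mss, df_set, icmp_filtered, physical_mtu=1500):
    """Classify what happens to a full-sized segment at the tunnel head end."""
    inner = mss + TCP_HDR + IP_HDR
    if inner + GRE_OVERHEAD <= physical_mtu:
        return "forwarded"      # fits even with the GRE header added
    if not df_set:
        return "fragmented"     # router may fragment; costs CPU, but data flows
    if icmp_filtered:
        return "black hole"     # ICMP "fragmentation needed" never reaches the sender
    return "pmtud"              # sender gets the ICMP error and lowers its segment size


SCENARIOS = [
    # (label, MSS, DF bit set, ICMP filtered somewhere on the path)
    ("default MSS, DF set, ICMP filtered", 1460, True, True),
    ("default MSS, DF set, ICMP allowed", 1460, True, False),
    ("default MSS, DF cleared by policy", 1460, False, True),
    ("MSS clamped for GRE, ICMP filtered", clamp_mss(), True, True),
]


def run_scenarios():
    return {label: tunnel_outcome(mss, df, filt) for label, mss, df, filt in SCENARIOS}


if __name__ == "__main__":
    print("MSS that fits a 1500-byte physical MTU over GRE:", clamp_mss())
    for label, result in run_scenarios().items():
        print(f"{label:38s} -> {result}")
```

Only the first scenario stalls silently, which matches the timeout on bulk transfers while small packets still get through.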