[c-nsp] Windows IPSEC VPN Client MTU issues when connecting to IOS
Larry Smith
lesmith at ecsis.net
Fri Sep 3 12:03:53 EDT 2010
On Fri September 3 2010 09:44, Marc Haber wrote:
> Hi,
>
> my Windows clients have MTU issues when they're connecting to the
> corporate VPN using the Windows IPSEC VPN Client. By corporate
> decision, the default route points into the VPN tunnel which reduces
> the MTU for connections to the Internet.
>
> When the client tries to surf to a site with dumb admins that are
> filtering ICMP and thus breaking PMTUD, they - of course - experience
> timeouts, a phenomenon I myself have not experienced in years.
>
> The gateway the clients are connecting to is an 1841 with IOS.
>
> Do I have a possibility to reduce the MTU used by the client and/or to
> clamp the MSS to MTU on the IOS device (or by configuration passed
> from the IOS device to the client when the connection is being built),
> or do the Windows people have to reduce the client's MTU altogether?
>
> Any hints will be appreciated.
>
> Greetings
> Marc
Is the problem the MTU, or is it really the DF bit being set on
websites (that most likely don't need it, don't know they're doing it,
and don't know how to fix it)... You might try clearing the DF bit
on packets to the VPN tunnel and see if that "fixes" the problem
(or bypasses it at least)... See this quite often on DSL and VPN
connections.
--
Larry Smith
lesmith at ecsis.net
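
Added example, not part of the original thread: a simplified Python model of how much ESP tunnel mode shrinks the usable MTU, what MSS a clamp would need, and why a DF-set packet is blackholed when ICMP is filtered. The 1500-byte path MTU, the transform choices and all function names are assumptions; the thread does not state the tunnel's transform set.

```python
# Added example: ESP tunnel-mode overhead and the fate of a full-size packet.
# Header sizes are standard IPv4/ESP values; the scenario values are constructed.

IP_HDR, TCP_HDR, ESP_HDR, ESP_TRAILER, NATT_UDP = 20, 20, 8, 2, 8

# transform: (cipher block size, IV length, ICV length) in bytes
TRANSFORMS = {
    "3des-cbc+hmac-sha1-96": (8, 8, 12),
    "aes-cbc+hmac-sha1-96": (16, 16, 12),
}

def inner_mtu(path_mtu, transform, nat_t=False):
    """Largest inner IPv4 packet that fits in one ESP tunnel-mode packet."""
    block, iv, icv = TRANSFORMS[transform]
    fixed = IP_HDR + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + icv
    # Inner packet + padding + 2-byte trailer must fill whole cipher blocks.
    ciphertext = (path_mtu - fixed) // block * block
    return ciphertext - ESP_TRAILER

def clamped_mss(path_mtu, transform, nat_t=False):
    """MSS that keeps a TCP segment (no IP/TCP options) inside the tunnel."""
    return inner_mtu(path_mtu, transform, nat_t) - IP_HDR - TCP_HDR

def fate(packet_len, df_set, icmp_filtered, tunnel_mtu, gateway_clears_df=False):
    """Fate of a packet from a web server arriving at the VPN gateway."""
    if packet_len <= tunnel_mtu:
        return "delivered"
    if not df_set or gateway_clears_df:
        return "fragmented"
    # DF set and too big: the gateway drops it and sends ICMP
    # "fragmentation needed"; if that ICMP is filtered, PMTUD never learns.
    return "blackholed" if icmp_filtered else "pmtud-shrinks-segment"

if __name__ == "__main__":
    mtu = inner_mtu(1500, "aes-cbc+hmac-sha1-96")
    mss = clamped_mss(1500, "aes-cbc+hmac-sha1-96")
    print("inner MTU", mtu, "clamped MSS", mss)
    for label, args in [
        ("site filters ICMP", (1500, True, True, mtu)),
        ("gateway clears DF", (1500, True, True, mtu, True)),
        ("MSS clamped", (mss + IP_HDR + TCP_HDR, True, True, mtu)),
    ]:
        print(label, "->", fate(*args))
```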