
MTU settings for VPN

I thought I would put this information here, so that every time I answer this question I don't have to type it all out and can just link to this post.

One of the biggest problems encountered with Exchange Server and the Outlook client is that they don't work very well when connected over an IPsec VPN. This is what I've always suggested as a solution, and it has proved useful.

1. When you connect through the VPN, first find out the best MTU size for talking to your corporate network. Doing this is simple: connect to the VPN and then run

ping -l 1400 -f <insideipofServer>

What we are doing here is sending a 1400-byte ping with the 'don't fragment' bit set. If the packet can be delivered without fragmenting, it goes through; otherwise you get a reply saying the packet needs to be fragmented but the DF bit is set, so it cannot proceed. You are in effect finding the path MTU.

Then slowly reduce the 1400 to 1350, 1300 and so on until you can ping without any problems; that size should be your MTU.

2. Also make sure you add the server name to IP address mapping to your hosts file.

That should take care of the problem in most scenarios. Now, how do you change the MTU size on the network adapter?

The MTU for Windows 2000/XP/2003 network interfaces can be configured at this registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Interface GUID}\MTU
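As an added example (not from the post), the script below automates the probing described above: it sends don't-fragment pings and binary-searches for the largest payload that gets through instead of stepping down by 50 bytes, then converts that payload to the MTU value for the registry key. The ping flags for Windows and Linux iputils are real; the target address is a constructed placeholder.

```python
"""Path-MTU probe: find the largest ICMP payload that passes with the DF bit
set, then derive the interface MTU to configure (payload + IP/ICMP headers)."""
import platform
import subprocess
import sys
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def build_ping_command(payload: int, host: str) -> list[str]:
    """Single ping of the given payload size with 'don't fragment' set."""
    if platform.system() == "Windows":
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]
    # Linux iputils: -M do sets DF and refuses to fragment locally
    return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]


def ping_with_df(payload: int, host: str) -> bool:
    """True only if an unfragmentable ping of this size was answered."""
    result = subprocess.run(build_ping_command(payload, host),
                            capture_output=True, text=True)
    # A 'needs to be fragmented' reply carries no TTL; a real echo reply does.
    return result.returncode == 0 and "ttl=" in result.stdout.lower()


def find_max_payload(probe: Callable[[int], bool],
                     lo: int = 500, hi: int = 1472) -> int:
    """Binary search for the largest payload size that passes the probe.
    probe(n) must be monotone: if n passes, every smaller size passes too."""
    if not probe(lo):
        raise RuntimeError(f"even a {lo}-byte payload fails; check connectivity")
    if probe(hi):
        return hi
    while hi - lo > 1:  # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def payload_to_mtu(payload: int) -> int:
    """Largest working ICMP payload -> MTU value for the registry key."""
    return payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # constructed placeholder
    best = find_max_payload(lambda n: ping_with_df(n, target))
    print(f"largest unfragmented payload: {best} bytes -> set MTU to {payload_to_mtu(best)}")
```

Run it while connected to the VPN with the inside address of the Exchange server as the argument; the printed MTU already includes the 28 bytes of headers that the raw ping payload size leaves out.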

  1. Mostafa Hussein
    July 17th, 2006 at 15:40 | #1

    I have a PIX 515e and SBS 2003. I configured the PIX with VPN and I connect fine from outside to the internal network, but when I run Outlook through the VPN as if I'm in the network I can't get any response from Exchange, and Outlook fails to send or receive any data.
    Does the PIX need any more configuration, or does Exchange?

    thanks

    Mostafa

  2. Rajesh T Sivanandan
    July 17th, 2006 at 16:11 | #2

    Were you able to connect fine? A couple of questions:

    1. Is your VPN client's local subnet the same as your corporate subnet? If so, change it.

    2. Are you able to ping the IP address of Exchange when the VPN is connected? If not, then it is not configured properly.

    3. Did you try out the suggestions from my blog post? If so, let me know.


    Cheers,
    Rajesh T Sivanandan

  3. Crypto
    August 3rd, 2006 at 03:02 | #3

    You are running an older version of PIX OS? 6.3?

    Try running the command “no fixup protocol smtp 25”

    To fix this issue, configure your Exchange server to play nice with the PIX.

    FYI, PIX 7.x SMTP fixups are fixed up, so if you upgrade the software on the PIX 515 you should be able to send/receive email just fine. In the meantime, turning off application inspection will get you up and running.

    Luck,

    ~c

  4. Aun
    September 12th, 2006 at 01:18 | #4

    After much googling, I found that Exchange, when sending data back (usually large packets) to the client, sets the DF bit to 1, which doesn't allow packet fragmentation to occur. This doesn't work too well with IPsec VPN tunnels. To fix this, you can have your IPsec VPN server (concentrator, router, PIX) clear the DF bit on both the private and public interfaces. This should make things work better.

    Hope this helps.

  5. Shibu
    February 4th, 2009 at 11:43 | #5

    Hi rajeshji,

    Hope you are doing well and enjoying life out there. I have an issue with my VPN setup. I have explained the issue on Experts Exchange; kindly look at the URL below and help me bring up the tunnel.

    Thanks in advance
    Shibu

    http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_24104672.html
