Re: Site-tosite VPN Issue


From: rpaz61 (rpaz61_at_discussions.microsoft.com)
Date: 01/06/05


Date: Thu, 6 Jan 2005 09:15:06 -0800

OK. Outside of suggesting using a Terminal Server and changing the MTU
settings (which is currently set to 1404), does anyone have any other
suggestions?

Thanks,

Rob

"Eugene Taylor" wrote:

> Also you might want to look at TS as an alternative.
> "Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message
> news:ux6Yt348EHA.2676@TK2MSFTNGP12.phx.gbl...
> > We have seen many slow issues on DSL VPN. Adjusting MTU may or may not fix
> > the issues. You may try Windows demand-dial VPN.
> >
> > --
> > For more and other information, go to http://www.ChicagoTech.net
> >
> > Don't send e-mail or reply to me except you need consulting services.
> > Posting on MS newsgroup will benefit all readers and you may get more
> help.
> >
> > Bob Lin, MS-MVP, MCSE & CNE
> > Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
> > http://www.ChicagoTech.net
> > Networking Solutions, http://www.chicagotech.net/networksolutions.htm
> > VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
> > VPN Process and Error Analysis,
> http://www.chicagotech.net/VPN%20process.htm
> > VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
> > This posting is provided "AS IS" with no warranties.
> > "rpaz61" <rpaz61@discussions.microsoft.com> wrote in message
> > news:B92A0900-A8EC-4CE2-A384-4479D25DC738@microsoft.com...
> > > Here's the setup:
> > >
> > > Main Office
> > >
> > > Server:
> > > Windows Server 2003 domain controller
> > > IP address: 192.168.1.10
> > > Subnet mask: 255.255.255.0
> > > Gateway: 192.168.1.1
> > > Services: Active Directory, DNS, DHCP
> > >
> > > Clients:
> > > Mixture of PCs running Windows 2000 Professional with SP3 and Windows XP
> > > Professional with SP2
> > >
> > > Network:
> > > Dell 16-port switch
> > > SBC 768K SDSL
> > >
> > > Firewall:
> > > Sonicwall TZ170 Internet Security Appliance
> > > LAN IP = 192.168.1.1
> > > LAN Subnet Mask = 255.255.255.0
> > > Firmware version: SonicOS Standard 2.2.0.1
> > > Revision: 2.2.0_pp_8s $
> > > ROM version 2.0.0.3
> > > Previous firmware version: 2.0.0.2
> > > Fragment outbound packets larger than WAN MTU: 1
> > > WAN MTU: 1404
> > > CP Wan MTU: 1404
> > > WAN Ignore DF Bit for non-VPN traffic: 1
> > >
> > > Site-to-site VPN:
> > > Encrypt/Auth - ESP DES HMAC MD5
> > > Key Exchange: Manual Keys
> > > VPN Terminated at: LAN
> > > netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
> > > TunnelForAllOutboundTraffic off
> > > Authentication of local users off, Authentication of remote users off
> > > remote subnet for netbios 255.255.255.0
> > > destIP begin 192.168.2.1, end 192.168.2.254
> > >
> > >
> > >
> > > Remote Office
> > >
> > > Clients:
> > > 4 Dell PCs running Windows XP Professional with SP2
> > >
> > > Network:
> > > Belkin 8-port 10/100 hub
> > > Choice One 768K SDSL
> > >
> > > Firewall:
> > > Sonicwall TZ170 Internet Security Appliance
> > > LAN IP = 192.168.2.1
> > > LAN Subnet Mask = 255.255.255.0
> > > Firmware version: SonicOS Standard 2.2.0.1
> > > Revision: 2.2.0_pp_8s $
> > > ROM version 2.0.0.3
> > > Previous firmware version: 2.0.0.2
> > > Fragment outbound packets larger than WAN MTU: 1
> > > WAN MTU: 1404
> > > CP Wan MTU: 1404
> > > WAN Ignore DF Bit for non-VPN traffic: 1
> > > DHCP Server:
> > > Enable DHCP = 1
> > > Lease Period = 1440 minutes
> > > Range Start = 192.168.2.100
> > > Range End = 192.168.2.110
> > > Interface = LAN
> > > Default Gateway = 192.168.2.1
> > > Subnet Mask = 255.255.255.0
> > > Domain Name = <NULL>
> > > DNS Servers = 192.168.1.10
> > >
> > > Site-to-site VPN:
> > > Encrypt/Auth - ESP DES HMAC MD5
> > > Key Exchange: Manual Keys
> > > VPN Terminated at: LAN
> > > netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
> > > TunnelForAllOutboundTraffic off
> > > Authentication of local users off, Authentication of remote users off
> > > remote subnet for netbios 255.255.255.0
> > > destIP begin 192.168.2.1, end 192.168.2.254
> > >
> > > A site-to-site VPN between both Sonicwall TZ170 connects the Remote
> Office
> > > to the Main Office. All four PCs at the Remote Office authenticate
> across
> > > the VPN to the Windows Server 2003 domain controller. At the Remote
> > > Office,
> > > DNS is resolving to the domain controller across the VPN.
> > >
> > > Issue:
> > >
> > > All users use a Windows-based application that connects to a database on
> > > the
> > > Windows Server 2003 domain controller.
> > >
> > > There are not any performance issues in the Main Office. There are
> > > performance issues with clients accessing the database and
> copying/opening
> > > files from the server to the client PC over the VPN from the Remote
> > > Office.
> > > We ran a packet trace (netcap.exe on a Windows XP SP2 PC at the Remote
> > > Office
> > > and netmon.exe on the Windows Server 2003 domain controller) while
> copying
> > > a
> > > 12.7MB file from the server to the client PC. What we found is that the
> > > client PC at the Remote Office is repeatedly sending ACKs across the VPN
> > > tunnel to the domain controller, and yet the domain controller is
> > > repeatedly sending ACKs across the VPN tunnel to the
> client
> > > PC.
> > >
> > >
> > > We do not know what's causing this issue. Sonicwall states that there's
> > > nothing wrong with their hardware or the VPN tunnel itself.
> > >
> > > Does anyone have any ideas?
> > >
> > > Thanks in advance!!
> > >
> > > Rob
> > >
> > > PS - I can send the packet trace capture files if needed. Just let me
> > > know.
> >
> >
>
>
>
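Added example, not part of the thread: the packet-size arithmetic behind the MTU suggestion, using the quoted settings (ESP with DES and HMAC MD5, WAN MTU 1404). It assumes tunnel mode, an IPv4 outer header without options, no NAT-T encapsulation and a 12-byte truncated HMAC-MD5-96 ICV; the function names are illustrative.

```python
"""ESP tunnel-mode size arithmetic for the settings quoted in the thread."""

OUTER_IP = 20        # assumed: IPv4 outer header, no options
ESP_HEADER = 8       # SPI (4) + sequence number (4)
DES_IV = 8           # DES-CBC initialisation vector
DES_BLOCK = 8        # DES block size; ciphertext is padded to a multiple of it
ESP_TRAILER = 2      # pad-length byte + next-header byte (encrypted)
ICV = 12             # assumed: HMAC-MD5-96 integrity check value
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options


def esp_packet_size(inner_len):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    blocks = -(-(inner_len + ESP_TRAILER) // DES_BLOCK)  # ceiling division
    return OUTER_IP + ESP_HEADER + DES_IV + blocks * DES_BLOCK + ICV


def max_inner_packet(wan_mtu):
    """Largest inner IP packet whose encapsulated form still fits wan_mtu."""
    inner = wan_mtu
    while inner > 0 and esp_packet_size(inner) > wan_mtu:
        inner -= 1
    return inner


def fragments_needed(packet_len, mtu):
    """Number of IPv4 fragments needed to carry packet_len over a link of mtu."""
    if packet_len <= mtu:
        return 1
    per_fragment = (mtu - OUTER_IP) // 8 * 8  # fragment data is 8-byte aligned
    return -(-(packet_len - OUTER_IP) // per_fragment)


def report(wan_mtu, lan_mtu=1500):
    """Summarise what a given WAN MTU means for TCP traffic inside the tunnel."""
    inner = max_inner_packet(wan_mtu)
    full = esp_packet_size(lan_mtu)
    return {
        "max_inner_packet": inner,
        "tcp_mss": inner - TCP_IP_HEADERS,
        "full_lan_packet_on_wire": full,
        "fragments_for_full_lan_packet": fragments_needed(full, wan_mtu),
    }


if __name__ == "__main__":
    for key, value in report(1404).items():  # WAN MTU from the thread
        print(f"{key}: {value}")
```

Under these assumptions, a host sending full 1500-byte packets with DF set depends on the firewall's fragmentation or on ICMP "fragmentation needed" messages reaching the sender, which is why MTU and MSS settings come up in slow-transfer reports like this one.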


