VPN fun

This might not be a VPN issue but Im researching a problem involving mail sent over a VPN. The maximum mail message size received is 1.5K. Im wondering if fragmentation and what have you may be an issue here. Any ideas will be well received.

Cheers

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

mikej412

Turgon wrote: »

1.5K

Check MTU size along the path (and adjust if able)... or try reducing the size of packets going through the tunnel (to allow for the excess VPN header information) and see if the problem goes away (which ever is easier).

Turgon

mikej412 wrote: »

Check MTU size along the path (and adjust if able)... or try reducing the size of packets going through the tunnel (to allow for the excess VPN header information) and see if the problem goes away (which ever is easier).

Thanks for that. Yes I was wondering about MTU given the size of these messages. I think I will see what can be done about the packet size first as changes to MTU along end to end path may be difficult to get done.

gojericho0

If you are using tunnel interfaces you could also try adjusting the MSS size during the TCP 3-way handshake. Using ip tcp adjust-mss on one of the tunnel interfaces. I did this recently for a site-to-site fragmentation issue. The MTU path discovery would not work for me because the firewall were blocking ICMP

I also found this article that may help

Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC - Cisco Systems

Ahriakin

What are you using as termination on either side of the tunnel? Is there something like an ASA in the mix that could be performing ESMTP inspection (it can drop Mail for a number of reasons including size/header inconsistencies etc).

Turgon

Different VPN vendors each side. I have no visibility of one end of the tunnel. I don't know if the DF bit is being set by a network device out there. Maybe, maybe not. I don't know if icmp type 3 code 4 is blocked from going back to the sender to get it to back off the window size. Have considered segment sizing (mss) on the firewall but would like to avoid changes there that may affect other VPNs. Looking into dropping the MTU of the server sending the messages to 1400 to see if that improves matters.