VPN fun
Turgon
This might not be a VPN issue, but I'm researching a problem involving mail sent over a VPN. The maximum mail message size received is 1.5K. I'm wondering if fragmentation and what have you may be an issue here. Any ideas will be well received.
Cheers
Comments
-
mikej412
1.5K
Cisco Certifications -- Collect the Entire Set!
-
Turgon
Check MTU size along the path (and adjust if able)... or try reducing the size of packets going through the tunnel (to allow for the excess VPN header information) and see if the problem goes away (whichever is easier).
Thanks for that. Yes, I was wondering about MTU given the size of these messages. I think I will see what can be done about the packet size first, as changes to MTU along the end-to-end path may be difficult to get done.
-
gojericho0
If you are using tunnel interfaces you could also try adjusting the MSS size during the TCP 3-way handshake, using ip tcp adjust-mss on one of the tunnel interfaces. I did this recently for a site-to-site fragmentation issue. The MTU path discovery would not work for me because the firewalls were blocking ICMP.
I also found this article that may help:
Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC - Cisco Systems
-
Ahriakin
What are you using as termination on either side of the tunnel? Is there something like an ASA in the mix that could be performing ESMTP inspection (it can drop mail for a number of reasons, including size/header inconsistencies etc.)?
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
Turgon
Different VPN vendors each side. I have no visibility of one end of the tunnel. I don't know if the DF bit is being set by a network device out there. Maybe, maybe not. I don't know if ICMP type 3 code 4 is blocked from going back to the sender to get it to back off the window size. Have considered segment sizing (MSS) on the firewall but would like to avoid changes there that may affect other VPNs. Looking into dropping the MTU of the server sending the messages to 1400 to see if that improves matters.
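
Added example, not part of any post in this thread: a small Python model of the cases discussed above (DF bit set or not, ICMP type 3 code 4 returned or blocked, MSS left at default or lowered). The 1400-byte path MTU, the message sizes and the function names are constructed assumptions, and the model ignores TCP options and retransmission timers.

```python
"""Toy model of one TCP sender whose traffic crosses a VPN tunnel (constructed values)."""

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def segment_sizes(message_len, mss):
    """Split a message into TCP payload sizes of at most mss bytes."""
    full, rest = divmod(message_len, mss)
    return [mss] * full + ([rest] if rest else [])


def deliver(message_len, mss, path_mtu, df_set=True, icmp_returns=True):
    """Return (bytes_delivered, outcome) for one message.

    path_mtu is the smallest MTU on the path, i.e. what is left inside the
    tunnel after the VPN headers (assumed value, not taken from the thread).
    """
    delivered, outcome = 0, "ok"
    for payload in segment_sizes(message_len, mss):
        if payload + IP_TCP_HEADERS <= path_mtu:
            delivered += payload              # fits in the tunnel as-is
        elif not df_set:
            delivered += payload              # a router fragments it; it still arrives
            outcome = "fragmented"
        elif icmp_returns:
            # "Fragmentation needed" (type 3 code 4) reaches the sender,
            # which resends the remainder with a smaller segment size.
            more, _ = deliver(message_len - delivered,
                              path_mtu - IP_TCP_HEADERS, path_mtu)
            return delivered + more, "pmtud"
        else:
            return delivered, "black-hole"    # dropped silently, transfer stalls
    return delivered, outcome


def run_scenarios(path_mtu=1400):
    """Small and large message under each condition raised in the thread."""
    return {
        "small mail, default MSS, ICMP blocked": deliver(1000, 1460, path_mtu, True, False),
        "large mail, default MSS, ICMP blocked": deliver(20000, 1460, path_mtu, True, False),
        "large mail, default MSS, ICMP allowed": deliver(20000, 1460, path_mtu, True, True),
        "large mail, default MSS, DF cleared": deliver(20000, 1460, path_mtu, False, False),
        "large mail, MSS lowered to 1360": deliver(20000, 1360, path_mtu, True, False),
    }


if __name__ == "__main__":
    for name, (sent, outcome) in run_scenarios().items():
        print(f"{name:40s} {sent:6d} bytes  {outcome}")
```

Only the "default MSS, DF set, ICMP blocked" row stalls on the large message while the small one still gets through; lowering the MSS (by ip tcp adjust-mss or by a smaller MTU on the sending server) fixes it without needing ICMP.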