 From:  Claude Morin <klodefactor at gmail dot com>
 To:  Elijah Savage <esavage at digitalrage dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Monowall to Cisco VPN
 Date:  Tue, 1 Mar 2005 20:29:01 -0500
Hi Elijah,

I agree with you that your symptoms sound like an MTU problem; not two
weeks gone, I had exactly the same problem with MS RDP, as well as
problems with MS Outlook.

I know you said you tried different MTUs, but how did you test?  The
easiest way I've found is to use ping.  From an MS Windows box:
        ping -f -l 1400 some.problem.ip.address

From a recent Linux distribution:
        ping -M do -s 1400 some.problem.ip.address

Try reducing "1400" until it works.

I don't know about BSD pings; sorry.  They're probably similar to
Linux (or vice versa :-)

For the case I described at the top of this message, I had to drop the
MTU to 990; that was for some hotel's broadband connection.

BTW, for MS Windows boxes, this MTU changing utility is small & easy to use:
        http://www.dslreports.com/front/drtcp.html

Or use the one that comes with the Cisco VPN client, if you have it.

Lastly, regarding your checksum problems: I presume you were using
sniffer software (Ethereal?) running on the box that was generating
the packets.  If so, what you saw is probably normal.  Many modern
NICs offload IP checksumming to the NIC itself, so the packet built by
the MS Windows networking layer (and seen by the sniffer software) is
almost certain to have an incorrect checksum.

-klode

On Tue, 1 Mar 2005 17:47:44 -0500, Elijah Savage
<esavage at digitalrage dot org> wrote:
> > I put in my
> > Cisco Pix and all problems go away. I have even gone as far as swapping
> > monowall on a completely different box. I am not trying to bash
> > monowall, I just wanted to know if it has been accomplished because I
> > have done everything possible on my side to try and correct this issue
> > with no luck.
> >
> > Something I found in the archive that might work.  Change the default
> > LAN -> any rule to allow fragmented packets.
> >
> > -Chris
> 
> Tried that too Chris :)
> 
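The "reduce 1400 until it works" procedure from the message above, automated, as an added example that is not part of the original mail or of m0n0wall. It binary-searches the largest ICMP payload that a don't-fragment ping still gets through, using the same ping flags Claude gives (`-f -l` on Windows, `-M do -s` on Linux), and converts that payload to a path MTU by adding the 28 bytes of IPv4 and ICMP echo headers. The `simulated_path` helper and the host name in `__main__` are constructed for the example; the 990-byte figure used in the self-check is taken from the message.

```python
"""Path MTU probe by binary search over don't-fragment pings.

Added example for the thread above; not code from the original message or
from m0n0wall. It automates "try reducing 1400 until it works": send pings
with the DF bit set and find the largest payload that is answered.
"""
import platform
import subprocess
import sys
from typing import Callable, Optional

# 20-byte IPv4 header + 8-byte ICMP echo header sit on top of the payload.
IPV4_ICMP_OVERHEAD = 28
# Largest payload that fits an unfragmented 1500-byte Ethernet frame.
MAX_ETHERNET_PAYLOAD = 1500 - IPV4_ICMP_OVERHEAD


def ping_command(host: str, payload: int) -> list:
    """Build a single don't-fragment ping using the flags from the mail."""
    if platform.system() == "Windows":
        # -f sets DF, -l sets the payload size, -n 1 sends one echo.
        return ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    # iputils on Linux: -M do sets DF (no local fragmentation), -s payload size.
    return ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]


def live_probe(host: str) -> Callable[[int], bool]:
    """Return a probe that really runs ping; True when the echo is answered."""
    def probe(payload: int) -> bool:
        result = subprocess.run(ping_command(host, payload), capture_output=True)
        return result.returncode == 0
    return probe


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path with a known MTU (for offline testing).

    A DF packet passes only if header overhead plus payload fits the path MTU,
    which is exactly what a real router would enforce by dropping the packet.
    """
    return lambda payload: payload + IPV4_ICMP_OVERHEAD <= path_mtu


def find_path_mtu(probe: Callable[[int], bool],
                  low: int = 0,
                  high: int = MAX_ETHERNET_PAYLOAD) -> Optional[int]:
    """Binary-search the largest passing payload and convert it to an MTU.

    Returns None when even the smallest probe fails, so an unreachable host
    or a path that filters ICMP is not mistaken for a tiny MTU.
    """
    if not probe(low):
        return None
    if probe(high):
        return high + IPV4_ICMP_OVERHEAD
    # Invariant: probe(low) passes, probe(high) fails.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low + IPV4_ICMP_OVERHEAD


if __name__ == "__main__":
    # Usage: python pmtu.py some.problem.ip.address   (host name is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "some.problem.ip.address"
    mtu = find_path_mtu(live_probe(target))
    print("no DF ping answered; host down or ICMP filtered" if mtu is None
          else "path MTU to %s is %d bytes" % (target, mtu))
```

The search needs about eleven probes instead of stepping down by hand, and the result is the value to set on the VPN client or on the m0n0wall interface facing that path. If ICMP echo is blocked somewhere along the path the function reports `None` rather than a misleading number, which is the first thing to check when the search "fails" at every size.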
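The checksum point at the end of the message, shown in code as an added example (not from the original mail). A sniffer on the sending host captures the IPv4 header before a checksum-offloading NIC fills in the field, so the captured header carries a zero or stale checksum and fails verification even though the packet on the wire is fine. The sample header is a constructed 20-byte IPv4/UDP header whose correct checksum is 0xB861; the function and constant names are the example's own.

```python
"""IPv4 header checksum: compute, verify, and classify what a capture shows.

Added example for the thread above; not code from the original message.
"""
import struct

# Constructed sample: IPv4, IHL 5, total length 115, DF set, TTL 64, UDP,
# 192.168.0.1 -> 192.168.0.199. Bytes 10-11 hold the header checksum 0xB861.
SAMPLE_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum the sender (or its NIC) should place in bytes 10-11."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def verify_ipv4_header(header: bytes) -> bool:
    """A header with a correct checksum sums to 0xFFFF over all its words."""
    return ones_complement_sum(header) == 0xFFFF


def header_checksum_field(header: bytes) -> int:
    return struct.unpack("!H", header[10:12])[0]


def classify_capture(header: bytes) -> str:
    """Explain a checksum result the way an analyst reading a local capture would.

    A zero field on a packet captured on its own sending host is the usual
    signature of checksum offload, not corruption on the wire.
    """
    if verify_ipv4_header(header):
        return "valid"
    if header_checksum_field(header) == 0:
        return "zero field: likely computed by NIC after capture (offload)"
    return "bad: corrupted or stale checksum"


if __name__ == "__main__":
    as_sniffed_on_sender = SAMPLE_HEADER[:10] + b"\x00\x00" + SAMPLE_HEADER[12:]
    print("wire header:", classify_capture(SAMPLE_HEADER))
    print("host capture:", classify_capture(as_sniffed_on_sender),
          "(NIC would write 0x%04x)" % ipv4_checksum(as_sniffed_on_sender))
```

To tell offload apart from a real problem, capture the same traffic on a second machine or on the firewall: if the checksum is correct there and wrong only on the sender's own capture, the NIC is doing the work and the sniffer's complaint can be ignored.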