I was trying to keep from having to change the MTU on each client. The
other reason I say it is a MTU problem and possibly monowall not
understanding, is because I can ping across the tunnel fine with regular
size packets from XP I can ssh and telnet fine, it is when I try to use
outlook or map drives is the problem. But for kicks I did download drtcp
this weekend and loaded it and took the mtu all the way down to 576 and
it did not work. But like I said replace monowall with my pix and change
the mtu back to 1500 on the one XP client I am testing with and it all
works great. Also this is not just between 2 sites I have 5 other
tunnels on the monowall and pix which are lan to lan tunnels and when
the monowall is in place all tunnels exhibit the same behavior they can
get to the monowall lan and do what ever they want but I can't get to
their lans when monowall is in place.
But thank you so much for taking the time to read the email and reply.
From: Claude Morin [mailto:klodefactor at gmail dot com]
Sent: Tuesday, March 01, 2005 8:29 PM
To: Elijah Savage
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Monowall to Cisco VPN
I agree with you that you symptoms sound like an MTU problem; not two
weeks gone, I had exactly the same problem with MS RDP, as well as
problems with MS Outlook.
I know you said you tried different MTUs, but how did you test? The
easiest way I've found is to use ping. From an MS Windows box:
ping -f -l 1400 some.problem.ip.address
From a recent Linux distribution:
ping -M do -s 1400 some.problem.ip.address
Try reducing "1400" until it works.
I don't know about BSD pings; sorry. They're probably similar to Linux
(or vice versa :-)
For the case I described at the top of this message, I had to drop the
MTU to 990; that was for some hotel's broadband connection.
BTW, for MS Windows boxes, this MTU changing utility is small & easy to
Or use the one that comes with the Cisco VPN client, if you have it.
Lastly, regarding your checksum problems: I presume you were using
sniffer software (Ethereal?) running on the box that was generating the
packets. If so, what you saw is probably normal. Many modern NICs
offload IP checksumming to the NIC itself, so the packet built by the MS
Windows networking layer (and seen by the sniffer software) is almost
certain to have an incorrect checksum.
On Tue, 1 Mar 2005 17:47:44 -0500, Elijah Savage
<esavage at digitalrage dot org> wrote:
> > I put in my
> > Cisco Pix and all problems go away I have even went as far as
> > swapping
> > monowall on a completely different box. I am not trying to bash
> > monowall I just wanted to know if it has been accomplished because I
> > have done everything possible on my side to try and correct this
> > issue
> > with no luck.
> > Something I found in the archive that might work. Change the
> > default
> LAN -> any rule to allow fragmented packets.
> > -Chris
> Tried that to Chris :)
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch