 From:  "Josh McAllister" <josh at bluehornet dot com>
 To:  "Elijah Savage" <esavage at digitalrage dot org>, "Claude Morin" <klodefactor at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Monowall to Cisco VPN
 Date:  Tue, 1 Mar 2005 23:28:22 -0800
I may be stating the obvious, but it seems to me that if you took MTU
down to 576 with no relief, it's likely NOT an MTU issue. 

Check CPU stats on the PIX when you're experiencing the problem.

I don't have a solution, and not even a clearly defined problem as I
didn't spend much time on it, but I did have a problem with M0n0->Pix as
well in the recent past. CPU on the PIX was pegged. I just bailed and
set up FreeSwan on a box behind it... so again may be completely
unrelated, but it's worth a peek.

Josh McAllister

> -----Original Message-----
> From: Elijah Savage [mailto:esavage at digitalrage dot org]
> Sent: Tuesday, March 01, 2005 7:36 PM
> To: Claude Morin
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Monowall to Cisco VPN
> Claude,
> I was trying to keep from having to change the MTU on each client. The
> other reason I say it is a MTU problem and possibly monowall not
> understanding, is because I can ping across the tunnel fine with
> size packets from XP I can ssh and telnet fine, it is when I try to
> outlook or map drives is the problem. But for kicks I did download
> this weekend and loaded it and took the mtu all the way down to 576
> it did not work. But like I said replace monowall with my pix and
> the mtu back to 1500 on the one XP client I am testing with and it all
> works great. Also this is not just between 2 sites I have 5 other
> tunnels on the monowall and pix which are lan to lan tunnels and when
> the monowall is in place all tunnels exhibit the same behavior they
> get to the monowall lan and do what ever they want but I can't get to
> their lans when monowall is in place.
> But thank you so much for taking the time to read the email and reply.
> -----Original Message-----
> From: Claude Morin [mailto:klodefactor at gmail dot com]
> Sent: Tuesday, March 01, 2005 8:29 PM
> To: Elijah Savage
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Monowall to Cisco VPN
> Hi Elijah,
> I agree with you that your symptoms sound like an MTU problem; not two
> weeks gone, I had exactly the same problem with MS RDP, as well as
> problems with MS Outlook.
> I know you said you tried different MTUs, but how did you test?  The
> easiest way I've found is to use ping.  From an MS Windows box:
>         ping -f -l 1400 some.problem.ip.address
> From a recent Linux distribution:
>         ping -M do -s 1400 some.problem.ip.address
> Try reducing "1400" until it works.
> I don't know about BSD pings; sorry.  They're probably similar to
> (or vice versa :-)
> For the case I described at the top of this message, I had to drop the
> MTU to 990; that was for some hotel's broadband connection.
> BTW, for MS Windows boxes, this MTU changing utility is small & easy to
> use:
>         http://www.dslreports.com/front/drtcp.html
> Or use the one that comes with the Cisco VPN client, if you have it.
> Lastly, regarding your checksum problems: I presume you were using
> sniffer software (Ethereal?) running on the box that was generating
> packets.  If so, what you saw is probably normal.  Many modern NICs
> offload IP checksumming to the NIC itself, so the packet built by the
> Windows networking layer (and seen by the sniffer software) is almost
> certain to have an incorrect checksum.
> -klode
> On Tue, 1 Mar 2005 17:47:44 -0500, Elijah Savage
> <esavage at digitalrage dot org> wrote:
> > > I put in my
> > > Cisco Pix and all problems go away I have even gone as far as
> > > swapping
> >
> > > monowall on a completely different box. I am not trying to bash
> > > monowall I just wanted to know if it has been accomplished because I
> > > have done everything possible on my side to try and correct this
> > > issue
> >
> > > with no luck.
> > >
> >
> > > Something I found in the archive that might work.  Change the
> > > default
> > LAN -> any rule to allow fragmented packets.
> >
> > > -Chris
> >
> > Tried that too Chris :)
> >
> >
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
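The following script is an added example, not code from anyone in this thread. It automates the "reduce 1400 until it works" probe Claude describes: a binary search over ICMP payload sizes with the DF bit set, using the Linux `ping -M do -s` form he quotes. The probe command is injectable so the search can be exercised without network access; the assumed overhead of 28 bytes (20-byte IPv4 header plus 8-byte ICMP header) turns the largest passing payload into the path MTU. The host 192.0.2.1 and the 990-byte result used in the usage line are constructed for illustration (990 matches the value Claude reports for the hotel link).

```shell
#!/bin/sh
# Added example (not from the thread): binary-search the largest ICMP
# payload that gets a reply with Don't-Fragment set, then derive the
# path MTU. Assumptions: Linux ping flags (-M do sets DF, -s sets the
# payload size) and 28 bytes of IPv4+ICMP header overhead.

# Default probe: returns 0 if one DF-set ping of the given payload size
# is answered within 2 seconds. A "Frag needed" error and a silent drop
# (ICMP blocked somewhere on the path) both count as failure, which is
# what matters when mapping drives or mail over a tunnel also just hangs.
linux_probe() {
    host=$1
    size=$2
    ping -M do -c 1 -W 2 -s "$size" "$host" >/dev/null 2>&1
}

# find_max_payload HOST [PROBE]
# Prints the largest payload size in 0..1472 for which PROBE HOST SIZE
# succeeds. 1472 + 28 = 1500, the usual Ethernet MTU, so nothing larger
# is worth probing. PROBE defaults to linux_probe.
find_max_payload() {
    host=$1
    probe=${2:-linux_probe}
    lo=0
    hi=1472
    # If even a tiny packet gets no reply the problem is not MTU-sized,
    # which is Josh's point about ruling MTU out.
    "$probe" "$host" "$lo" || {
        echo "no reply even for a 0-byte payload; not an MTU problem" >&2
        return 1
    }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid          # this size passed, look higher
        else
            hi=$((mid - 1))  # this size failed, look lower
        fi
    done
    echo "$lo"
}

# find_path_mtu HOST [PROBE]
# Prints the path MTU: largest passing payload plus 28 header bytes.
find_path_mtu() {
    payload=$(find_max_payload "$1" "$2") || return 1
    echo $((payload + 28))
}

# Usage (constructed host; run against a real address across the tunnel):
#   find_path_mtu 192.0.2.1
# prints e.g. 990 on a link like the hotel connection described above.
```

The search needs about eleven pings instead of stepping down by hand, and the same function works from a Windows box if the probe is swapped for `ping -f -l SIZE HOST` (the form quoted in the thread) since only the probe knows about the ping dialect. The value it prints is the MTU to set on the client or tunnel interface; subtracting the IPsec/ESP encapsulation that the VPN adds is what actually forces the drop below 1500 on an otherwise healthy link.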