[ previous ] [ next ] [ threads ]
 From:  edward mzj <edward dot mzj at gmail dot com>
 To:  Mat Murdock <mmurdock underscore lists at kimballequipment dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ping Size Windows GPO
 Date:  Sat, 2 Jul 2005 00:29:41 +0800
try to allow fragmented icmp echo-request and echo reply packets. i'm not sure

On 7/2/05, Mat Murdock <mmurdock underscore lists at kimballequipment dot com> wrote:
> I was wondering if there was a way to increase the allowed ping size
> over a m0n0 to m0n0 ipsec vpn. The reason is as follows:
>    When running a M$ based network with a central location and numerous
>    satellite locations, you may encounter a rather nasty problem.
>    Windows 2000's method for locating a domain controller is not
>    exactly flawless. When a workstation checks connectivity with the DC
>    it first uses a normal icmp ping.  If the normal ping succeeds it
>    then tests the connection speed with an oversized ping.
>    Specifically the size is 2048k* which puts the total packet size
>    over 2k due to headers.  This isn't a problem when you are on a
>    local network with nothing between you and the DC but a switch.
>    However, if you are at a satellite location and you must traverse a
>    VPN to speak to the DC there may be trouble.  This functionality is
>    designed to prevent ye-old ping flood among other things.  Because
>    of this behavior workstations at satellite sites succeed with the
>    first normal ping but fail on the oversized one.
> Any help would be appreciated.
> Thanks,
> Mat Murdock