Hi Kris -
I'm going to try the MTU just to see. So far the timing changes to the
IPSEC lifetime don't seem to be helping.
LAN A - LAN with Exchange Server, LAN B - remote LAN that has problems
There is one domain. The domain controller for LAN B is on the same LAN
as the workstations, so they see it via the LAN address on the switch
they share, and this DC is what provides the LAN B workstations with DNS
(via m0n0wall on that side). The other DC on LAN A is also the Exchange
Server (LAN A has another Win 2000 DC that provides file sharing,
mostly, but also replicates and secondary DNS for LAN A). This is seen
LAN B via the IPSEC VPN.
As regards AD, there are two "sites" specified in "Sites and Services"
with the server on each site correctly specified: LAN A -> Servers-> DC
A (and DC A1 - the 2000 DC) and LAN B -> Servers-> DC B. Under subnets
each of the LANs and the WANs are identified, although replication is
now only happening across the IPSEC VPN so the LANs would be adequate.
under "Active Directory Users and Computers" there is one domain, and
all of the users and workstations are defined under that domain
(separated into logical "Organizational Units").
I would have to go back over the mail, but the entire issue of packet
fragmentation came up on this mail list. Someone had pointed out that
RPC used a packet size of 2048 bytes. I then assumed this was the case
by the fact that I can ping between LANs on the VPN with a packet size
of 1472 (1500 with headers) without any fragmentation, but that there
*seemed* to be a problem with a size of 2048. As I recall, you were the
one who suggested a ping test at a size of 2048 as being required to
verify that packets weren't being dropped - I may have incorrectly
assumed that that was independent verification of RPC using that size.
Does Microsoft's implementation of RPC NOT require a 2048 byte packet
size? If not, then who would be fragmenting packets in the first place
requiring m0n0wall to handle them? All of the clients are set to the
default of MTU 1500, as are the servers, as is the T1, as are the
Kristian Shaw wrote:
> I would be surprised if MTU adjustments will fix things, given that
> you have now established that large packets pass through OK.
> I am not sure about your description of the AD setup. I sounds like
> you have one domain but I am not sure about your sites configuration.
> If you have sites connected together using slower links it is common
> to create sites in AD, and then define a subnet to that site. Clients
> will then use that information to locate the nearest DC/GC. Exchange
> will also use that information to find a DC/GC. I wonder if perhaps
> the clients/exchange aren't always locating the best DC to use?
> Can I ask, where you found that RPC packets are 2048 bytes?
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch