Re: [m0n0wall] RE: RE : [m0n0wall] outlook -> exchange problem

From:	Jeff Buehler <jeff at buehlertech dot com>
To:	Kristian Shaw <monowall at wealdclose dot co dot uk>
Cc:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re: [m0n0wall] RE: RE : [m0n0wall] outlook -> exchange problem
Date:	Mon, 20 Feb 2006 09:20:31 -0800
Hi Kris -

I'm going to try the MTU just to see.  So far the timing changes to the 
IPSEC lifetime don't seem to be helping.

LAN A - LAN with Exchange Server, LAN B - remote LAN that has problems

There is one domain.  The domain controller for LAN B is on the same LAN 
as the workstations, so they see it via the LAN address on the switch 
they share, and this DC is what provides the LAN B workstations with DNS 
(via m0n0wall on that side).  The other DC on LAN A is also the Exchange 
Server (LAN A has another Win 2000 DC that provides file sharing, 
mostly, but also replicates and secondary DNS for LAN A).  This is seen 
LAN B via the IPSEC VPN.

As regards AD, there are two "sites" specified in "Sites and Services" 
with the server on each site correctly specified: LAN A -> Servers-> DC 
A (and DC A1 - the 2000 DC) and LAN B -> Servers-> DC B.  Under subnets 
each of the LANs and the WANs are identified, although replication is 
now only happening across the IPSEC VPN so the LANs would be adequate.  
under "Active Directory Users and Computers" there is one domain, and 
all of the users and workstations are defined under that domain 
(separated into logical "Organizational Units").

I would have to go back over the mail, but the entire issue of packet 
fragmentation came up on this mail list.  Someone had pointed out that 
RPC used a packet size of 2048 bytes.  I then assumed this was the case 
by the fact that I can ping between LANs on the VPN with a packet size 
of 1472 (1500 with headers) without any fragmentation, but that there 
*seemed* to be a problem with a size of 2048.  As I recall, you were the 
one who suggested a ping test at a size of 2048 as being required to 
verify that packets weren't being dropped - I may have incorrectly 
assumed that that was independent verification of RPC using that size.  
Does Microsoft's implementation of RPC NOT require a 2048 byte packet 
size?  If not, then who would be fragmenting packets in the first place 
requiring m0n0wall to handle them?  All of the clients are set to the 
default of MTU 1500, as are the servers, as is the T1, as are the 
m0n0wall devices.

Jeff

Kristian Shaw wrote:
> Hello,
>
> I would be surprised if MTU adjustments will fix things, given that 
> you have now established that large packets pass through OK.
>
> I am not sure about your description of the AD setup. I sounds like 
> you have one domain but I am not sure about your sites configuration.
>
> If you have sites connected together using slower links it is common 
> to create sites in AD, and then define a subnet to that site. Clients 
> will then use that information to locate the nearest DC/GC. Exchange 
> will also use that information to find a DC/GC. I wonder if perhaps 
> the clients/exchange aren't always locating the best DC to use?
>
> Can I ask, where you found that RPC packets are 2048 bytes?
>
> Regards,
>
> Kris.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>