As I've not seen anything that looks like a fix on the list, here's my
Instead of increasing the allowed ping size on m0n0, get a copy of the
KB816045 hotfix (http://support.microsoft.com/?id=816045), which has
fixes for XPSP1 and XPSP2 (W2K was fixed in SP4 and W2K3 in SP1, but you
still need the registry key).
NT\CurrentVersion\Winlogon\PingBufferSize as a DWORD with a value of
I've used a value of 500 and it works like a charm, but make sure you
get the v3 hotfix with the file versions listed; the first version I
obtained from MS was v2 and only had the SP1 update in it and the wrong
file version (although it does work!).
Be careful though - you'll need to disable the slow link detection too,
and applying group policies over a slow link can be *painfully* slow
especially if you have software installation settings and apply the GPO
synchronously - we're talking hours here!

From: Mat Murdock [mailto:mmurdock underscore lists at kimballequipment dot com]
Sent: Friday, July 01, 2005 5:00 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Ping Size Windows GPO

I was wondering if there was a way to increase the allowed ping size
over a m0n0 to m0n0 IPsec VPN. The reason is as follows:
When running a M$ based network with a central location and numerous
satellite locations, you may encounter a rather nasty problem.
Windows 2000's method for locating a domain controller is not
exactly flawless. When a workstation checks connectivity with the DC
it first uses a normal ICMP ping. If the normal ping succeeds, it
then tests the connection speed with an oversized ping.
Specifically the size is 2048k* which puts the total packet size
over 2k due to headers. This isn't a problem when you are on a
local network with nothing between you and the DC but a switch.
However, if you are at a satellite location and you must traverse a
VPN to speak to the DC there may be trouble. This functionality is
designed to prevent ye-old ping flood among other things. Because
of this behavior, workstations at satellite sites succeed with the
first normal ping but fail on the oversized one.
Any help would be appreciated.