[ previous ] [ next ] [ threads ]
 From:  "Richard Parvass" <Richard dot Parvass at aaland dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Cc:  "Mat Murdock" <mmurdock underscore lists at kimballequipment dot com>
 Subject:  RE: [m0n0wall] Ping Size Windows GPO
 Date:  Wed, 8 Mar 2006 18:02:25 -0000
As I've not seen anything that looks like a fix on the list, here's my

Instead of increasing the allowed ping size on m0n0, get a copy of the
KB816045 hotfix (http://support.microsoft.com/?id=816045), which has
fixes for XPSP1 and XPSP2 (W2K was fixed in SP4 and W2K3 in SP1, but you
still need the registry key).

Create HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\PingBufferSize as a DWORD with a value of

I've used a value of 500 and it works like a charm, but make sure you
get the v3 hotfix with the file versions listed; the first version I
obtained from MS was v2 and only had the SP1 update in it and the wrong
file version (although it does work!).

Be careful though - you'll need to disable the slow link detection too,
and applying group policies over a slow link can be *painfully* slow
especially if you have software installation settings and apply the gpo
synchronously - we're talking hours here!


-----Original Message-----
From: Mat Murdock [mailto:mmurdock underscore lists at kimballequipment dot com] 
Sent: Friday, July 01, 2005 5:00 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Ping Size Windows GPO

I was wondering if there was a way to increase the allowed ping size 
over a m0n0 to m0n0 ipsec vpn. The reason is as follows:

    When running a M$ based network with a central location and numerous
    satellite locations, you may encounter a rather nasty problem. 
    Windows 2000's method for locating a domain controller is not
    exactly flawless. When a workstation checks connectivity with the DC
    it first uses a normal icmp ping.  If the normal ping succeeds it
    then tests the connection speed with an oversized ping. 
    Specifically the size is 2048k* which puts the total packet size
    over 2k due to headers.  This isn't a problem when you are on a
    local network with nothing between you and the DC but a switch. 
    However, if you are at a satellite location and you must traverse a
    VPN to speak to the DC there may be trouble.  This functionality is
    designed to prevent ye-old ping flood among other things.  Because
    of this behavior workstations at satellite sites succeed with the
    first normal ping but fail on the oversized one.

Any help would be appreciated.


Mat Murdock

The information in this e-mail and any files transmitted with it is confidential
and may be legally privileged. It is intended solely for the addressee and
others authorised to receive it. If you are not the intended recipient, any
disclosure, copying, distribution or action taken in reliance on its contents
is prohibited and may be unlawful.

The opinions expressed in this message are that of the sender and not
necessarily those of Aaland Limited. If you have received this e-mail in
error please notify postmaster at aaland dot co dot uk