 From:  "Thomas Bianco" <TBianco at informs dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Kerberos over PPTP through Monowall
 Date:  Tue, 2 May 2006 13:08:04 -0500
I've got an interesting issue with PPTP, perhaps someone has a resolution?

Some of my users are complaining about PPTP connections from their work
laptops. When a domain* member laptop connects to the PPTP VPN they can use
web services, telnet, ping, RDP, and do almost everything except browse file
shares. When attempting to use a file share, the laptop stalls for long
periods and will eventually pop up a dialog asking for a username and
password, and reporting that logon through Kerberos failed. 

By looking at a packet trace, I was able to see that the Kerberos requests
are being fragmented and parts dropped somewhere. The server responds to
each ticket request with an ICMP type 11 code 1, which is Fragment
reassembly timeout. 

Microsoft seems to think it has something to do with this:
http://support.microsoft.com/kb/292788 but the domain controller is 2003,
and the client is XP, so that hotfix does not apply. 

I'm thinking the monowall might be the blocking entity here. Suggestions?



*Yes, this is a Microsoft Active Directory. Now is the part of the show
where you shoot at me for using Microsoft. 
___________________________________________________________________________
Thomas M. Bianco
Sr. Network Operations Technician
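
An added example, not part of the original message: a Python check that flags the symptom described above, an ICMP type 11 code 1 (fragment reassembly timeout) whose quoted header is the first fragment of a UDP datagram to or from port 88. The addresses, sample packets and function names are constructed for illustration.

```python
import struct

KERBEROS_PORT = 88  # KDC port; the check below looks for it in a quoted UDP header

def ipv4(proto, src, dst, payload, frag_field=0):
    """Minimal IPv4 packet for the constructed samples (header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                       frag_field, 64, proto, 0, bytes(src), bytes(dst)) + payload

def kerberos_reassembly_timeout(packet):
    """Return details if packet is ICMP type 11 code 1 quoting a Kerberos/UDP fragment."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                                  # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or (packet[ihl], packet[ihl + 1]) != (11, 1):
        return None                                  # not a fragment reassembly timeout
    inner = packet[ihl + 8:]                         # quoted header of the timed-out datagram
    if len(inner) < 20 or inner[0] >> 4 != 4 or inner[9] != 17:
        return None                                  # quoted datagram is not IPv4/UDP
    inner_ihl = (inner[0] & 0x0F) * 4
    frag = struct.unpack("!H", inner[6:8])[0]
    if frag & 0x1FFF or len(inner) < inner_ihl + 4:
        return None                                  # UDP ports only exist in fragment zero
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if KERBEROS_PORT not in (sport, dport):
        return None
    return {"reporter": ".".join(map(str, packet[12:16])),   # host that gave up reassembling
            "sender": ".".join(map(str, inner[12:16])),      # host whose fragments went missing
            "dport": dport, "more_fragments": bool(frag & 0x2000)}

# Constructed sample addresses and packets (not taken from the post).
CLIENT, SERVER = (10, 0, 0, 5), (192, 168, 1, 10)
FIRST_FRAG = ipv4(17, CLIENT, SERVER, struct.pack("!HHHH", 1025, 88, 1800, 0),
                  frag_field=0x2000)                 # MF flag set, offset 0

def icmp_time_exceeded(code, quoted):
    """ICMP Time Exceeded from SERVER to CLIENT quoting IP header + 8 data bytes."""
    return ipv4(1, SERVER, CLIENT, struct.pack("!BBHI", 11, code, 0, 0) + quoted)

SAMPLE_TIMEOUT = icmp_time_exceeded(1, FIRST_FRAG[:28])   # code 1: reassembly timeout
SAMPLE_TTL = icmp_time_exceeded(0, FIRST_FRAG[:28])       # code 0: TTL exceeded, ignored

if __name__ == "__main__":
    print(kerberos_reassembly_timeout(SAMPLE_TIMEOUT))
    print(kerberos_reassembly_timeout(SAMPLE_TTL))
```

A hit with `more_fragments` true means the reporter received fragment zero but never the rest, which points at a device on the path dropping non-initial fragments.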