 
 From:  "Thomas Bianco" <TBianco at informs dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Kerberos over PPTP through Monowall
 Date:  Tue, 2 May 2006 14:25:39 -0500

That was it. All I had to do was modify the default PPTP -> any rule on the
firewall to allow fragments. Thanks!

-----Original Message-----
From: Tech Terapies [mailto:tech at terapies dot org] 
Sent: Tuesday, May 02, 2006 1:36 PM
To: 'Thomas Bianco'; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Kerberos over PPTP through Monowall


Allow fragmented packets on the rule. It is working for me, but the server and
wks are w2k.

-----Original Message-----
From: Thomas Bianco [mailto:TBianco at informs dot com]
Sent: Tuesday, May 02, 2006 8:08 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Kerberos over PPTP through Monowall

I've got an interesting issue with PPTP, perhaps someone has a resolution?

Some of my users are complaining about PPTP connections from their work
laptops. When a domain* member laptop connects to the PPTP VPN they can use
web services, telnet, ping, RDP, and do almost everything except browse file
shares. When attempting to use a file share, the laptop stalls for long
periods and will eventually pop up a dialog asking for a username and
password, and reporting that logon through Kerberos failed.

By looking at a packet trace, I was able to see that the Kerberos requests
are being fragmented and parts dropped somewhere. The server responds to
each ticket request with an ICMP type 11 code 1, which is Fragment
reassembly timeout.

Microsoft seems to think it has something to do with this:
http://support.microsoft.com/kb/292788 but the domain controller is 2003,
and the client is XP, so that hotfix does not apply.

I'm thinking the monowall might be the blocking entity here. Suggestions?



*Yes, this is a Microsoft Active Directory. Now is the part of the show
where you shoot at me for using Microsoft.
___________________________________________________________________________
Thomas M. Bianco
Sr. Network Operations Technician


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
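
An added example, not part of the original thread: an ICMP type 11 code 1 (fragment reassembly timeout) message quotes the IP header and first 8 bytes of the datagram that was never completed, so a capture can be checked for which flow is losing fragments. The addresses, ports and packet bytes below are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len, ident=0, flags_frag=0):
    """Build a minimal 20-byte IPv4 header (constructed sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_reassembly_timeout(packet):
    """Describe the datagram quoted in an ICMP type 11 code 1 message, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:        # IP protocol 1 = ICMP
        return None
    if (packet[ihl], packet[ihl + 1]) != (11, 1):      # type 11, code 1
        return None
    quoted = packet[ihl + 8:]                          # original IP header + 8 bytes
    if len(quoted) < 20:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", quoted[6:8])[0]
    info = {
        "reporter": socket.inet_ntoa(packet[12:16]),   # host that gave up reassembling
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "proto": quoted[9],
        "ip_id": struct.unpack("!H", quoted[4:6])[0],
        "more_fragments": bool(flags_frag & 0x2000),
        "dst_port": None,
    }
    # Ports are only visible when the quoted fragment has offset 0 (the first fragment).
    if quoted[9] in (6, 17) and flags_frag & 0x1FFF == 0 and len(quoted) >= q_ihl + 4:
        info["dst_port"] = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    return info

def sample_timeout():
    """Constructed capture: server reports a timed-out UDP/88 (Kerberos) datagram."""
    udp8 = struct.pack("!HHHH", 1045, 88, 1800, 0)     # first 8 bytes of the UDP datagram
    orig = ipv4_header("192.168.50.10", "10.0.0.5", 17, 1480,
                       ident=0x1234, flags_frag=0x2000) + udp8
    icmp = struct.pack("!BBHI", 11, 1, 0, 0) + orig    # type, code, checksum, unused
    return ipv4_header("10.0.0.5", "192.168.50.10", 1, len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_reassembly_timeout(sample_timeout()))
```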