So everything was working fine for a while, then all of a sudden, I
started having the same problems last night. Pings over 1408 would get
dropped or not make it through. This morning, it seems to be working
again. Very strange.
However, my VPN between two m0n0walls works fine with any size packets. The
problem seems to be with my m0n0wall to sonicwall VPN. Even over that a lot
of stuff will work, it's just certain MS stuff that has problems with
oversized UDP packets.
Anyone else run into this before or have any ideas?
On 4/3/07, Kristian Shaw <monowall at wealdclose dot co dot uk> wrote:
> If you have one of the later 1.2x versions there is an option in the
> Advanced System Config to allow fragmented packets from IPSEC connections.
> This will apply to inbound connections from the SonicWall.
> You also need to ensure that any outbound rules have the tickbox to allow
> fragmented packets too. This will apply to outbound connections from the
> m0n0wall to the SonicWall.
> ----- Original Message -----
> From: "Joe Lagreca" <lagreca at gmail dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, April 03, 2007 11:07 PM
> Subject: [m0n0wall] Windows 2003 domain over VPN MTU issues...
> > I have a point to point IPSEC VPN between a Sonicwall and a m0n0wall,
> > and am having problems with workstations that are joined to the domain
> > over the VPN.
> > I found this: force Kerberos to use TCP instead of UDP in Windows
> > Server 2003
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
> > which helps with the login process, but other things are still giving
> > me problems, like processing the GPO, which still fails.
> > I have experimented with ping sizes, and the largest ping that can get
> > through is 1408. If I do ping -l 1409 192.168.2.2 it will fail.
> > However, the problem only seems to be in the direction of m0n0wall to
> > sonicwall. If I do a large ping the other way around (sonicwall to
> > m0n0wall), it will get through.
> > I think this is an MTU issue, but am not sure how to solve it. I was
> > hoping that someone else has already run into this, and has a
> > solution.
> > Thanks!
> > Joe
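
An added illustration, not part of the original thread and not m0n0wall or SonicWall code: it shows how datagrams larger than the reported limit split into IPv4 fragments, and why the later fragments depend on the "allow fragmented packets" options mentioned in the reply. The 1436-byte tunnel limit is an assumption inferred from the 1408-byte ping threshold, and the 2000-byte UDP message is a constructed sample size.

```python
# Added example. Assumption: the largest working ping (1408 bytes of data)
# marks the largest inner IPv4 packet the tunnel carries unfragmented.
IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header
UDP_HDR = 8    # UDP header


def ping_packet_size(data_len):
    """IPv4 packet size produced by `ping -l <data_len>`."""
    return IP_HDR + ICMP_HDR + data_len


def fragment(l4_len, mtu):
    """Split l4_len bytes (transport header included) for the given MTU.

    Returns a list of (offset, length, more_fragments) tuples. Every
    fragment except the last must carry a multiple of 8 bytes.
    """
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < l4_len:
        size = min(per_frag, l4_len - offset)
        frags.append((offset, size, offset + size < l4_len))
        offset += size
    return frags


def has_transport_header(frag):
    """Only the fragment at offset 0 carries the UDP/ICMP header, so a
    port-based firewall rule cannot match any later fragment on its own."""
    return frag[0] == 0


TUNNEL_LIMIT = ping_packet_size(1408)  # inferred limit, see lead-in

if __name__ == "__main__":
    samples = [
        ("ping -l 1408", ICMP_HDR + 1408),
        ("ping -l 1409", ICMP_HDR + 1409),
        ("2000-byte UDP message (constructed)", UDP_HDR + 2000),
    ]
    for label, l4_len in samples:
        frags = fragment(l4_len, TUNNEL_LIMIT)
        print(f"{label}: {len(frags)} fragment(s)")
        for f in frags:
            note = "has L4 header" if has_transport_header(f) else "no L4 header"
            print(f"  offset={f[0]} len={f[1]} MF={int(f[2])} ({note})")
```
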