I actually ran into a similar problem with Cisco VPN clients. It is
explained in the following document (search for MTU).
Here's the interesting bit:
Adjusting the Maximum Transmission Unit (MTU) Value - Windows Only
VPN Encapsulation adds to the overall message length. To avoid
refragmentation of packets, the VPN Client must reduce the MTU settings.
The default MTU adjusted value is 1300 for all adapters. If the default
adjustments are not sufficient, you may experience problems sending and
receiving data. To avoid fragmented packets, you can change the MTU
size, usually to a lower value than the default....
The MTU is the largest number of bytes a frame can carry, not counting
the frame's header and trailer. A frame is a single unit of
transportation on the Data Link Layer. It consists of header data, plus
data that was passed down from the Network Layer, plus (sometimes)
trailer data. An Ethernet frame has an MTU of 1500 bytes, but the actual
size of the frame can be up to 1526 bytes (22-byte header, 4-byte CRC
Recognizing a Potential MTU Problem
If you can connect with the Cisco VPN Client but cannot send or receive
data, this is likely an MTU problem. Common failure indications include
*You can receive data, such as mail, but not send it.
*You can send small messages (about 10 lines), but larger ones time out.
*You cannot send attachments in email.
This sounds like a known issue with a resolution (work-around?) that is
a tad bit on the kludgy side, or perhaps it is the best resolution. I
have done several searches, but I don't seem to see any established
From: Martin Holst [mailto:mail at martinh dot dk]
Sent: Thursday, April 01, 2004 6:26 AM
To: 'Manuel Kasper'
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Re: Beta version 1.1b1 available
Interesting... did you find the checksum problem through packet sniffing
on the WAN-interface?
I just received a mail from the MPD-list that confirms that 2003/XP uses
fixed a MTU of 1400 for VPN-connections:
"Microsoft Windows Server 2003, Microsoft Windows 2000, and Microsoft
Windows XP use a fixed MTU size of 1500 bytes for all PPP connections
and use a fixed MTU size of 1400 bytes for all VPN connections. This is
the default setting for PPP clients, for VPN clients, for PPP servers,
or for VPN servers that are running Routing and Remote Access."
(More on this link:
It seems to me that the easiest way is to "fix" MPD - even if it's not
Getting MS to fix anything is probably not easy at all.
Anyway, Michael Bretterklieber who is also an admin on the MPD project
has responded positively to my latter posts.
I will send him IPFILTER/Ethereal logs from m0n0wall/PPTP-client ASAP
and he will test the NdisWan MTU-setting on XP today himself and get
back to me.
So there might be light at the end of the tunnel ;o)
The information contained in this e-mail may be confidential and is intended solely for the use of
the named addressee.
Access, copying or re-use of the e-mail or any information contained therein by any other person is
If you are not the intended recipient please notify us immediately by returning the e-mail to the