871 vpn problem

[srv1strat]

Hi,
2 871 routers.
static public addresses
site to site vpn configured
web access is working - no dropped packets.
i can ping across the vpn but i'm dropping packets.
as part of the troubleshooting we discovered the following
ping -l 1474 to remote lan ip address
100% successful
if we drop the packet size to anything below 1474 the ping fails.
does this suggest anything to anyone?
we have client vpn configured & working on the same routers with no problems.

thanks for any help

 

[boymarty24]

Sounds like MTU issues. I had similiar problems and the ios was the problem in that case. If you are using 124t6 i suggest upgrading ( that release is crap )

What does your ping tell you if you insert a -f ( fragment information )

ping -f -l "mtu" "ip

 

[burtsbees]

Is it dsl? If so, do you have the MTU set for 1492? Here's how on newer IOS's (like 12.0 and newer, I think).
router(config)#ip tcp adjust-mss 1452
It needs to be 1452 here to adjust the actual mtu to 1492---40 bytes for something I cannot remember...anyway, try this.

Burt

 

[srv1strat]

thanks for the quick replies

burstbees
its not dsl

boymarty24
it is 12.4.t6
do you have a release to recommend?
i'll get back to you when i test the -f on the ping test

regards

 

[boymarty24]

This one is the best,

advipservicesk9-mz.124-9.T2.bin

 

[NettableWalker]

It's IPSEC adding overhead which makes the packet size too large and introduces fragmentation, which is not good with VPNs.


Set your MTU as follows on your external interfaces:

ip mtu 1300

That should do the trick.



HTH

 

[srv1strat]

Hi,

sorry about the delay in replying.
we've tried all the suggestions & we're still getting the same result. the only time we get 100% replies across the vpn is if we set the packet size to 1474 or larger.

any more thoughts

regards