Netscreen Remote behind NAT 1

Status
Not open for further replies.

dawsomi

IS-IT--Management
Jun 10, 2004
4
US
We have recently implemented the Netscreen-204 and have implemented Netscreen Remote for VPN, and everything seems to be working properly except when the remote user is using NAT. We have enabled NAT Traversal and are able to ping devices through the tunnel; however, Outlook synchronization and shared folder access only work sometimes, and when they do it is extremely slow. We tested a machine via dial-up and it worked great all day, then tested the same machine via broadband using NAT behind a Linksys and were only able to ping. Any help you can provide would be greatly appreciated. We plan to begin rolling out Netscreens to our other offices, but need to get this VPN issue worked out first.

Thanks,
Mike
 
Hello,

Usually, IPSEC traffic is fragmented across a VPN link due to the extra overhead involved in Auth and Encryption. It's normally never picked up until you debug the NS and run into issues like yours.

Connect to the 204 via Telnet or a Console connection. From the CLI, type:

set flow tcp-mss 1400
save

Once the setting has been applied, test your issue. This should resolve the problem and will keep the MTU under the max amount (15xx) even with IPSEC.

Hope this helps.

Rgds,

John
 
Thanks, I will make the changes and test it out. Juniper\Netscreen CSO gave me the same answer, except they suggested:

set flow tcp-mss 1200
set flow max-frag-pkt-size 1140
The max frag must be 60 bytes less than the mss value

Question though, is this issue specific to NAT Traversal? The reason I ask is because I tested on dial-up (before making any set flow changes) at 56Kbps with no NAT and it worked great.

Mike
 
Hello,

Yeah, Netscreen CSO doesn't like to push the envelope. I took the INSG and NMTP courses, and they recommend 1400. NAT Traversal allows for the encapsulation of UDP during NAT usage on the remote end.

Does your dial-up connection traverse your Netscreen?

Rgds,

John
 
Yes, dial-up is traversing the Netscreen. I tested the Netscreen Remote client from both dial-up into the ISP (no NAT) and broadband with NAT. I will test tonight after making the set flow changes.

Thanks,
Mike

 
Cool. Yeah, the flow settings wouldn't come close to causing issues with a dial-up connection. Let me know how you make out with your test.

Rgds,

John
 
I'm having a similar problem setting up VPN behind an SMC 2404 WBR router. I tried to open ports 500, 1701 and 1723 in the NAT configuration. I'm not a network expert, so I'm not sure if I'm doing the right thing.
I was able to connect to our VPN server by connecting directly to DSL modem though.
Any suggestion or tips? Thanks in advance!

David
 
Thanks John! We set ours to 1350 and all appears to be working great.

Thanks Again!

Mike
 
Nice job Mike. Glad you got it working.

Rgds,

John
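As an added illustration of the size budget behind the tcp-mss values discussed above (this is not code from the thread or from Juniper): the script below computes the on-the-wire size of one full-MSS TCP segment after ESP tunnel-mode encapsulation, with and without the extra UDP header that NAT Traversal adds, and finds the largest MSS that still fits a 1500-byte path MTU. It assumes IPv4, no TCP options, a CBC cipher (3DES or AES) and a 96-bit HMAC authenticator; the thread does not say which algorithms Netscreen Remote negotiated, so those are assumptions.

```python
# Packet-size budget for TCP carried inside ESP tunnel mode, with and without
# NAT-T UDP encapsulation (RFC 3948). Added example; cipher/HMAC sizes are assumptions.

IPV4_HDR = 20
TCP_HDR = 20          # assumes no TCP options
UDP_HDR = 8           # NAT-T encapsulation header (UDP port 4500)
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header
ICV = 12              # HMAC-MD5-96 / HMAC-SHA1-96 truncated authenticator

# cipher -> (IV length, block size) for CBC mode; assumed, not taken from the thread
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}


def esp_packet_size(mss, cipher="aes", natt=True):
    """Wire size of a full-MSS TCP segment after ESP tunnel-mode encapsulation."""
    iv_len, block = CIPHERS[cipher]
    # Encrypted portion: inner IP + TCP + payload + ESP trailer, padded to the block size.
    plaintext = IPV4_HDR + TCP_HDR + mss + ESP_TRAILER
    padded = -(-plaintext // block) * block          # round up to a block multiple
    outer = IPV4_HDR + (UDP_HDR if natt else 0) + ESP_HDR + iv_len
    return outer + padded + ICV


def fits(mss, cipher="aes", natt=True, mtu=1500):
    """True when the encapsulated segment needs no fragmentation on the path MTU."""
    return esp_packet_size(mss, cipher, natt) <= mtu


def max_mss(cipher="aes", natt=True, mtu=1500):
    """Largest tcp-mss value whose encapsulated segment still fits the path MTU."""
    mss = mtu
    while not fits(mss, cipher, natt, mtu):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1400, 1350, 1200):
        for natt in (False, True):
            for cipher in CIPHERS:
                size = esp_packet_size(mss, cipher, natt)
                print(f"mss={mss:4d} {cipher:4s} natt={natt!s:5s}: {size} bytes "
                      f"{'ok' if size <= 1500 else 'fragments'}")
    for cipher in CIPHERS:
        print(f"largest mss with NAT-T, {cipher}: {max_mss(cipher)}")
```

Under these assumptions an MSS of 1400 fits without NAT-T but exceeds 1500 bytes once the UDP header is added, which matches the symptom only appearing behind NAT, while 1350 fits with either cipher.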
 