G
Guest
Greetings,
I have been troubleshooting a problem where a client PC tries to log in to a Windows 2000 domain controller over a site-site, Cisco-router, Cisco-router, GRE-IPSec 3DES VPN. The user experience is that the login process can take up to 15 minutes even though the VPN is over large pipes and has low latency.
After using a Sniffer to capture the traffic, what I see is that the client asks for a Kerberos Ticket, the server replies with enough Kerberos traffic (1800bytes) to warrant a UDP port 88 (Kerberos) packet of 1512 bytes and an IP fragment to pick up the rest of the traffic.
We had similar problems with TCP and large packets over the VPN as the GRE header and IPSec header create packets that are too large for the VPN. We solved that with a Cisco command, "ip tcp adjust-mss 1378" which basically adjusts the advertised MaxSegmentSize advertised in the initial TCP SYN packets of a connection. This works great for TCP.
Has anyone seen this logon issue before? Are there good, stable ways to solve it or do we need to go with the blunt tool of knocking down the Ethernet MTU on all domain controllers.
Can you force Kerberos to use TCP? If you force it on the DC's, do you need to set it on all clients as well or will they adjust during the login process and choose to use TCP?
Any and all responses desired.
thanks,
Mike Gutknecht
I have been troubleshooting a problem where a client PC tries to log in to a Windows 2000 domain controller over a site-site, Cisco-router, Cisco-router, GRE-IPSec 3DES VPN. The user experience is that the login process can take up to 15 minutes even though the VPN is over large pipes and has low latency.
After using a Sniffer to capture the traffic, what I see is that the client asks for a Kerberos Ticket, the server replies with enough Kerberos traffic (1800bytes) to warrant a UDP port 88 (Kerberos) packet of 1512 bytes and an IP fragment to pick up the rest of the traffic.
We had similar problems with TCP and large packets over the VPN as the GRE header and IPSec header create packets that are too large for the VPN. We solved that with a Cisco command, "ip tcp adjust-mss 1378" which basically adjusts the advertised MaxSegmentSize advertised in the initial TCP SYN packets of a connection. This works great for TCP.
Has anyone seen this logon issue before? Are there good, stable ways to solve it or do we need to go with the blunt tool of knocking down the Ethernet MTU on all domain controllers.
Can you force Kerberos to use TCP? If you force it on the DC's, do you need to set it on all clients as well or will they adjust during the login process and choose to use TCP?
Any and all responses desired.
thanks,
Mike Gutknecht