VPN MTU issue

Hello

I have a 2901 router building a dynamic VPN to a third-party device. Initially the VPN had trouble with some of the traffic: pings worked, HTTP would not. So I took a few packet captures and saw that the traffic needed to be fragmented. I set the external interface MTU to around 1380, and the VPN began to work perfectly. However, that "broke" regular web access: now a few other sites (on the Internet, non-VPN) showed the same behavior.

My topology is very simple: ISP hand-off - 2901 router - internal Ethernet switch.

What is the correct design of MTU for this scenario?

Thank you

Edit: Here is a broad generalization

Unless you need to worry about large-datagram protocols, tweak the MSS instead of the MTU.

Or adjust the MTU (and MSS) on logical interfaces (tunnel or VT).

M.


Similar Questions

  • VPN and MTU issues

    Recently, I set up a 1721 running IOS c1700-k9o3sy7-mz.122-15.T5.bin

    This router terminated a VPN with another router, a 1721 with the exact same version of IOS. This router was initially connected via a wireless WAN link on eth0. We moved them onto a T1 as the main interface, with the wireless as a backup. Then we had to:

    - configure a loopback; its IP address would terminate the VPN

    - make the source of the VPN packets come from the loopback

    - configure static routes with a higher administrative distance

    Having done all this, we tested the VPNs - they worked. We unplugged the T1 connection and traffic moved to the wireless. We checked that the VPN clients could connect. Everything worked OK...

    Except when moving large files between hosts behind fa0, via the VPN, to the hosts at the other end. To prove the VPN worked and routing was in place, we could telnet from a host behind fa0 via the VPN to a remote host and connect... Then we would try to FTP some files. We could connect to the FTP server BUT once a file transfer started things would hang.

    We opened a Cisco TAC case and it turned out that adding

    ip tcp adjust-mss 1300

    to the fa0 interface fixed everything - file transfers worked.

    My question: why would reducing the packet size help? Does the VPN add some packet overhead, causing the larger packets to be dropped?

    A clue was here, BUT it's PPPoE - no VPN...

    http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122newft/122tcr/122twr/wftbrda.htm#1064471

    I'm looking for an explanation of why this reduced MTU size worked. I would have never figured this out on my own...

    Here's the running-config we used. Don't forget that everything worked (switching between WAN links, VPN, NAT, connectivity) except file transfers and when large amounts of data were pushed over the line, such as MS file/printer sharing and emails with attachments (a few hundred k). The only change is one line on the fa0 interface.

    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname HPARFD
    !
    logging queue-limit 100
    logging buffered 8192 debugging
    enable secret 5
    enable password 7
    !
    username abc password
    clock timezone CST -6
    clock summer-time CDT recurring
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    !
    !
    no ip domain lookup
    ip domain name blahblah.net
    ip name-server
    ip name-server
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 60
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    !
    crypto isakmp policy 2
     hash md5
     authentication pre-share
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key test3030 address no-xauth
    crypto isakmp key test3131 address 0.0.0.0 0.0.0.0
    crypto isakmp client configuration address-pool local ourpool
    !
    crypto isakmp client configuration group whatever
     key
     pool ourpool
     acl 101
    !
    !
    crypto ipsec transform-set rptset esp-des esp-md5-hmac
    crypto ipsec transform-set trans2 esp-des esp-md5-hmac
    crypto ipsec transform-set v35clientset esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set v35clientset
    crypto dynamic-map dynmap 20
     set transform-set trans2
    !
    !
    crypto map rtp local-address Loopback0
    crypto map rtp isakmp authorization list groupauthor
    crypto map rtp client configuration address initiate
    crypto map rtp client configuration address respond
    crypto map rtp 1 ipsec-isakmp
     set peer
     set transform-set rptset
     match address 115
    crypto map rtp 50 ipsec-isakmp dynamic dynmap
    !
    interface Loopback0
     description loopback address is NOT dependent on any physical interface
     ip address 255.255.255.255
     no ip proxy-arp
     ip nat outside
     no ip split-horizon
    !
    interface Ethernet0
     description secondary WAN link - wireless
     ip address 255.255.255.252
     no ip proxy-arp
     ip nat outside
     no ip split-horizon
     half-duplex
     crypto map rtp
    !
    interface FastEthernet0
     description connected to EthernetLAN
     ip address 255.255.255.0
     no ip proxy-arp
     ip tcp adjust-mss 1300
     ! ^^^ workaround added by Cisco TAC
     ip nat inside
     speed auto
    !
    interface Serial0
     description primary WAN link - t1
     ip address 255.255.255.252
     no ip proxy-arp
     ip nat outside
     random-detect
     crypto map rtp
    !
    router rip
     version 2
     passive-interface Loopback0
     passive-interface Serial0
     passive-interface Ethernet0
     network
     no auto-summary
    !
    ip local pool ourpool
    ip nat inside source route-map sheep interface Loopback0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0
    ip route 0.0.0.0 0.0.0.0 Ethernet0
    ip route 255.255.255.0 Serial0
    ip route 255.255.255.0 Ethernet0 200
    ip route 255.255.255.0 Serial0
    ip route 255.255.255.0 Ethernet0 200
    ip route 255.255.255.0 Serial0
    ip route 255.255.255.0 Ethernet0 200
    no ip http server
    no ip http secure-server
    !
    ip access-list extended remote_access
     permit tcp any any eq 22
     permit tcp 0.0.0.255 any eq telnet
     deny tcp any any eq telnet
     permit ip any any
    !
    access-list 1 permit 0.0.0.255
    access-list 100 permit ip 192.168.0.0 0.0.0.255 host
    access-list 100 permit ip 192.168.0.0 0.0.0.255 host
    access-list 100 permit ip 192.168.0.0 0.0.0.255 host
    access-list 101 permit ip 0.0.0.255 10.2.1.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.255.255 10.2.1.0 0.0.0.255
    access-list 199 permit tcp any any established
    access-list 199 permit udp any any
    access-list 199 permit esp any any
    access-list 199 permit ip 192.168.0.0 0.0.0.255 0.0.0.255
    !
    route-map sheep permit 10
     match ip address 110
    !
    snmp-server enable traps tty
    radius-server authorization permit missing Service-Type
    alias exec sv show version
    alias exec sr show running-config
    alias exec ss show startup-config
    alias exec con conf t
    alias exec top show proc
    alias exec br show ip inter brief
    !
    line con 0
     exec-timeout 0 0
     password 7
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     password 7
     logging synchronous
     transport input telnet ssh rlogin udptn stream
    !
    ntp clock-period 17180059
    ntp server
    end

    You can check the following site for more explanation:

    http://www.Cisco.com/en/us/Tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

    HTH...

  • VPN IPSec L2L between IOS and PIX 6.3 - MTU issue?

    The remote (client) side is behind a PIX running 6.3(5), and the head-end (server) side is a 2911 running IOS 15.0.

    The IPSec tunnel comes up fine and passes traffic. However, there is one server which is not fully accessible. Note that it is mainly web traffic.

    The client initiates a connection to http://server:8000. They receive a redirect to http://server:8000/somepage.jspa. Packet captures show the client acknowledges the redirect with a SYN-ACK response, but then the connection just hangs, and no other packets are received in return. I noticed that the redirected page is a .jsp and the other pages that work OK are not. I also noticed some MTU and TCP MSS configurations on the head-end side that are in place for another GRE VPN tunnel with another site. So I went down the path of packet fragmentation. The PIX side has all the standard IPSec configuration as well as the default MTU on the inside and outside interfaces.

    When the MTU is set manually to 1400 on the client computer, access to http://server:8000/somepage.jspa works fine. So I need to tweak the settings on the PIX. I tried adjusting the MTU size on the inside and outside interfaces as well as the "sysopt connection tcp-mss" parameter. I don't know what else to do here.

    Here is a summary of the MTU settings on the head end:

    Head end:

    int tunnel0 (this is the GRE tunnel)
     ip mtu 1420
     tunnel source G0/0
     tunnel destination X.X.X.X
     tunnel path-mtu-discovery

    crypto map vpn 1
     description GRE tunnel
     blah blah blah

    crypto map vpn 2
     description IPSec tunnel
     blah blah blah

    int g0/0 (external interface)
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip verify unicast reverse-path
     ip nat outside
     ip virtual-reassembly
     crypto map vpn

    int g0/1 (this is the interface to the server in question)
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452

    HA, sorry my bad. Read the previous post wrong.

    (Note: Yes, the MSS on the tunnel interface should be 40 bytes less than the MTU).

    Do not tweak the MTU for TCP problems (not as the first step); it is safer to play with the MSS. MTU may depend on other things (OSPF for example).

    Do a ping sweep with the DF bit set, sweeping the size (starting from 1300 bytes, for example). By doing this, you want to check what the maximum packet size is that you can pass through the IPsec tunnel. Once you have this value, subtract 40 and set the result as the MSS value on the LAN interface (and adjust the value on the PIX if you can).

    M.
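
The sweep-and-subtract procedure from the reply above, as an added example that is not part of the original thread. It assumes IPv4 with no IP or TCP options, replaces the real DF-bit ping with a simulated probe over a constructed path MTU of 1418, and uses hypothetical function names. It also covers a case the reply does not spell out: Cisco IOS `ping ... size N df-bit` counts the whole IP datagram, while Windows `ping -f -l N` counts only the ICMP payload, so "subtract 40" applies directly only to the IOS number.

```python
"""Added example: DF-bit ping sweep -> path MTU -> TCP MSS clamp value."""

IPV4_HDR = 20  # IPv4 header, no options (assumption)
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header, no options (assumption)

# What the "size" argument means for each tool:
#   "ios":     Cisco IOS ping with df-bit -> size is the whole IP datagram
#   "payload": Windows `ping -f -l N`     -> size is the ICMP data only
SIZE_IS_DATAGRAM = {"ios": True, "payload": False}


def make_simulated_probe(path_mtu, tool):
    """Stand-in for one real DF-bit ping (hypothetical helper).

    Returns a function that says whether a ping of `size` would get
    through a path whose smallest MTU is `path_mtu`.
    """
    extra = 0 if SIZE_IS_DATAGRAM[tool] else IPV4_HDR + ICMP_HDR
    return lambda size: size + extra <= path_mtu


def sweep_max_size(probe, low=1300, high=1500):
    """Binary-search the largest size in [low, high] that passes.

    Returns None when even `low` is dropped, which means the sweep has to
    start lower (or the path filters ICMP entirely).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, look higher
        else:
            high = mid - 1   # mid needs fragmentation, look lower
    return low


def mss_from_sweep(max_size, tool):
    """Convert the largest passing ping size into (path MTU, TCP MSS)."""
    if SIZE_IS_DATAGRAM[tool]:
        path_mtu = max_size
    else:
        path_mtu = max_size + IPV4_HDR + ICMP_HDR
    return path_mtu, path_mtu - IPV4_HDR - TCP_HDR


def recommend(probe, tool, low=1300, high=1500):
    """Run the sweep and return the value to put on the LAN interface."""
    max_size = sweep_max_size(probe, low, high)
    if max_size is None:
        return None
    path_mtu, mss = mss_from_sweep(max_size, tool)
    return {
        "max_ping_size": max_size,
        "path_mtu": path_mtu,
        "mss": mss,
        "ios_command": f"ip tcp adjust-mss {mss}",
    }


if __name__ == "__main__":
    # Constructed scenario: the tunnel path carries at most 1418-byte packets.
    for tool in ("ios", "payload"):
        print(tool, recommend(make_simulated_probe(1418, tool), tool))
```

Both sweeps land on the same MSS even though the largest passing ping size differs by 28 bytes between the two tools.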

  • WRVS4400N VPN Passthrough issues

    I have had a WRVS4400N router for 8-9 months. When connected to a remote VPN, the PC intermittently drops its connection to the remote VPN server. Anything running over the connection, such as remote desktop, the vSphere client or network file browsing, becomes temporarily unusable, then the connection is re-established. Usually one drop lasts several seconds, and the frequency varies.

    A few notes:

    -I can reproduce the problem with more than one PC.

    -Both wired and wireless connections are affected.

    -If I use an old Linksys WRT router or connect directly to the internet modem, I don't see the problem.

    -I have tried disabling UPnP, firewall and IPS without success.

    I tried using wireshark, but can't identify something specific. The traffic seems to just stop for 5-10 seconds before resuming.

    Any suggestions/help would be appreciated.

    Mr Champion,

    Have you tried just the QuickVPN client to see if you still get disconnected?

    If it is stable and pull-out decision still does not work, maybe try downloading fresh firmware from cisco.com, then reflash the router with the firmware, factory reset the router, manually reconfigure your settings and see if you are seeing the same issue.


    I would like to know how it works.

  • Path MTU issue when VPNed in to ASA5510 8.0(4)

    I have a new ASA and just configured VPN access like on any other ASA I have ever installed.

    The VPN client connects fine, obtains an IP address, and is able to ping devices on the corporate network.

    I compared it to the other ASAs I installed that work.  I don't see the problem.

    3 things:

    I can't ping the ASA LAN interface when VPN'ed in.

    When I do a mturoute.exe to an IP inside it shows only an MTU of 196 when I use the Cisco VPN dialer.

    When I use the Shrewsoft VPN client I can set the MTU to 1380.  When I do a mturoute.exe to an IP inside it shows 1380.

    I think it is because it is not responding to a ping on the local network of the ASA, which does not have the path MTU discovery.

    Any help would be appreciated.

    Thank you

    Bert

    My apologies for repeated postings but that's what you need to do

    From a Windows device use this: C:\> ping -f -l packet_size_in_bytes destination_IP_address

    The -f option is used to specify that the packet cannot be fragmented. The -l option is used to specify the length of the packet. First try this with a packet size of 1500. For example, ping -f -l 1500 192.168.100. If fragmentation is required but cannot be performed, you receive a message like this: Packet needs to be fragmented but DF set.

    suspended f in my last post

    You can try this at your command prompt:

    ping -f -l 1380

    so it sends a ping of 1380 bytes

    then you should see something like this, if it does not get through

    C:\Documents and Settings\jathaval> ping 4.2.2.2 -f -l 1380

    Pinging 4.2.2.2 with 1380 bytes of data:

    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.

  • Site to site VPN MTU reco

    We will deploy a site-to-site VPN using two ASA5505s. The path I'll go through has a 1320 max MTU. I determined this by experimenting with pings of different sizes.

    How can I configure the MTU on my ASAs?

    I'm using these two commands, but I don't know if there are implications to this...

    mtu outside 1320

    mtu inside 1280

    Your comments are appreciated.

    You need not change the MTU on the interfaces themselves. But note that you need to prevent traffic ICMP do the work of PMTUD mechanism. If your correct mtu setting will be established on remote hosts that acts via VPN.

    HTH. Please rate if this was helpful. Thank you.

  • Client VPN routing issue

    I am trying to configure VPN client software ver 5.0 for remote users to connect to the local network behind an 1801.

    I can get the client to say it's connected, but traffic does not flow from outside in:

    When I try to ping a 192.168.2.x address behind the 1801 I get a response from the public IP address, but then when I try to ping another address I get no answer.

    I guess the issue is related to NAT.

    Here is my config, your help is appreciated

    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname C#.
    !
    boot-start-marker
    boot-end-marker
    !
    enable password 7 #.
    !
    aaa new-model
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    aaa session-id common
    !
    ip cef
    !
    ip domain name #.local
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    multilink bundle-name authenticated
    !
    username admin privilege 15 password 7 #.
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group 1801Client
     key ##############
     dns 192.168.2.251
     wins 192.168.2.251
     domain #.local
     pool VpnPool
     acl 121
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address initiate
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    archive
     log config
      hidekeys
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    interface FastEthernet0
     ip address 87.#.#.# 255.255.255.252
     ip access-group 113 in
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet1
    interface FastEthernet8
    !
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface Vlan1
     ip address 192.168.2.245 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    ip local pool VpnPool 192.168.3.200 192.168.3.210
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 87.#.#.#
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.2.251 25 87.#.#.# 25 extendable
    ! Several similar to the threshold with different ports
    !
    access-list 1 permit 192.168.2.0 0.0.0.255
    access-list 113 permit tcp host 82.#.#.# host 87.#.#.# eq 22
    access-list 113 permit tcp 84.#.#.# 0.0.0.3 host 87.#.#.# eq 22
    access-list 113 permit tcp host 79.#.#.# host 87.#.#.# eq 22
    access-list 113 deny tcp any any eq 22
    access-list 113 permit tcp host 82.#.#.# host 87.#.#.# eq telnet
    access-list 113 permit tcp 84.#.#.# 0.0.0.3 host 87.#.#.# eq telnet
    access-list 113 permit tcp host 79.#.#.# host 87.#.#.# eq telnet
    access-list 113 deny tcp any any eq telnet
    access-list 113 permit ip any any
    access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 121 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     transport input telnet ssh
    !
    end

    You have to exclude the client IP addresses (the pool) from NAT,

    either by denying them in access list 1

    or by making a route map that points to the loopback address as the next hop for any packet destined for your pool, to avoid NAT.

    First try putting this in your access-list 110:

    access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

    access-list 110 permit ip 192.168.2.0 0.0.0.255 any

    route-map sheep permit 10

     match ip address 110

    Remove your old NAT statement and enter the following one:

    ip nat inside source route-map sheep interface fastethernet0 overload

    Rate if useful

    and let me know, good luck

  • Anyconnect VPN migration issues

    Hi, I am doing an AnyConnect VPN migration from one ASA to another. I need your suggestions. The migration must transfer the customization and the AnyConnect VPN configuration. After reviewing some documents, it looks like the configuration and customization are not the only things that need to be transferred. Can anyone suggest exactly what needs to be transferred in addition to the customization and VPN configuration? Thank you

    Hello

    Although copying the configuration from one firewall to another will get all the AnyConnect rules and setup in place, the flash content (i.e. AnyConnect programs, AnyConnect profiles, AnyConnect customizations, bookmarks, and DAP profiles) is not transferred to the other ASA. It must be downloaded manually to the ASA again.

    Another way to do this is through ASDM.

    Go to Tools > Backup Configurations:

    Select the components of the VPN you want to create a backup for.

    NOTE:
    This backup will be restored as a whole via ASDM and will replace the other configuration.
    So, you might want to restore the backup to a fresh firewall and then import the configuration and the images of the ASA.

    Otherwise, you can go the usual path: first copy the AnyConnect configuration and then manually transfer the AnyConnect flash components from one ASA to the other.


    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • RVS4000 / WRVS4400 VPN routing issue.

    I would like to simplify my installation a bit, but unfortunately I do not know how to do this.

    I have a triangle of CSB RVS devices: 2 RVS4000 and 1 WRVS4400.

    Each router has a gateway-to-gateway VPN with the 2 others, so from any one of the 3 sites you can access resources on the other 2.

    It also works well: if for some reason one of the legs of the VPN breaks down, traffic passes through the other router.  At least it seems to work that way when tested.

    Now enter my problem.  I have 2 laptops that go around, mine and the office's.  If either of these is off site and connects to a router via the QuickVPN client, it can see the resources on the router to which it connects.

    How would I be able to connect to Router 1 and access resources on the other VPN'ed routers?

    It is not so much a problem on the router because it is on the QuickVPN. When you go to an IP address that is not on the local network from the router, the QuickVPN does not and it that the request is sent to the internet.

    The only way to access the other site and resources would be to disconnect from the first router and connect to the other.

  • Any concerns of connection VPN security issue.

    Hi guys,

    I set up a VPN on a Cisco ASA and our mobility users are able to connect to the VPN successfully and access my LAN environment, but our senior management says it provides less security and any hacker can hack it easily.

    Can someone help me on this point: how can I provide more security in AnyConnect VPN? I am thinking of the AnyConnect host control features, but I think they work only with the secure desktop.

    Kind regards

    Nafis Ashique

    In short, you have just a few steps:

    1. Enroll the root certificate of your PKI on the clients and on the ASA (if not already done).
    2. Enroll client certificates on the clients. It will be easier if they are in the user store. As far as I know, you cannot use certificates stored in the IPsec VPN client store.
    3. Reconfigure the ASA to use certificate authentication.

    A little more detail can be found in this document.

  • Easy vpn server issues of Cisco 800 series.

    Hello.

    I want to deploy the easy vpn server on cisco 876 and 877 10 routers and access from a remote location (company headquarters). When I leave the firewall of the router off the vpn server works. When I turn it on it doesn't.

    Although I allow all traffic to my ip for example 80.76.61.158 I can't access the vpn server.

    I tried a place to let the firewall off and it worked fine.

    I use SDM to configure the VPN server. Any ideas what I can do with the firewall, because I really can't leave it "open"?

    Thanks in advance.

    It would be a good idea to paste the configuration of the VPN server to the firewall.

    Kind regards

    Kamal

  • Remote vpn routing issue

    Hi, please find the attachment.

    I want remote access client vpn server that connect you to my ASA 5510 outside interface.

    Is this possible via the static route set or something else?

    Thank you very much!!!

    Hello

    There is not enough information to give a good answer. This should be possible, but your ASA software level and the firewall and VPN Client configurations factor into this also.

    If you have a Split Tunnel VPN Client configuration, then you must add a rule to the existing ACL for the IP address of the server. If you use a Full Tunnel VPN Client then you don't have to worry about the same thing as with Split Tunnel.

    Then you will probably need the configuration "same-security-traffic permit intra-interface" so that traffic can enter 'outside' and leave 'outside' towards the server. It won't work without the mentioned command.

    You will also need a dynamic PAT, for example:

    If you use software 8.2 or below and have this default dynamic PAT for LAN users

    global (outside) 1 interface

    nat (inside) 1 x.x.x.x y.y.y.y

    then for the VPN Client pool you can add this

    nat (outside) 1 20.20.20.0 255.255.255.0

    Most often, this should be sufficient to allow traffic from the VPN Client user to arrive at the ASA, go out the 'outside' interface and head to the server.

    Hope this helps

    Don't forget to mark the reply as the answer if it answered your question.

    -Jouni

  • VPN / Natting issue - connectivity to 3rd Party Partner Site

    Hello

    I received a request to provide a connectivity solution between our private server 10.102.x.y and a 3rd party partner server 10.247.x.y, using a site-to-site VPN. I want to hide our real IP of 10.102.x.y and replace it with 10.160.x.y (using NAT).

    The configuration is the following:

    3rd party partner server (10.247.x.y) -> 3rd party ASA FW -> Internet IPSec VPN tunnel -> Our ASA FW -> Our private server (private IP 10.102.x.y, NAT'd IP 10.160.x.y)

    My config entered so far (still waiting for the 3rd party to set up their ASA):

    name 10.160.x.y OurNat'dServer

    crypto isakmp policy 6
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 28800

    crypto ipsec transform-set 3rdParty esp-aes-256 esp-sha-hmac

    access-list 3rdParty extended permit ip host 10.160.x.y host 10.247.x.y

    tunnel-group 80.x.x.x type ipsec-l2l
    tunnel-group 80.x.x.x ipsec-attributes
     pre-shared-key xxxxxxxxx

    crypto map vpnmap 117 match address 3rdParty

    crypto map vpnmap 117 set peer 80.x.x.x

    crypto map vpnmap 117 set transform-set 3rdParty

    static (inside,outside) 10.160.x.y 10.102.x.y netmask 255.255.255.255

    Does the config meet my requirements and the envisaged solution, or is my understanding inaccurate?

    Any help on this would be appreciated.

    Thanks in advance,

    Select this option.

    Hello

    That will actually break internet traffic with this server, because the external address that is sent over the internet will be seen as 10.160.x.y.  In the past, I did something like this:

    static (inside,outside) 10.160.x.y access-list policy-dest-3rdParty

    access-list policy-dest-3rdParty extended permit ip host 10.102.x.y host 10.247.x.y

    That will ONLY NAT traffic on this server if the traffic is coming from 10.247.x.y.

  • VPN routing issues...

    Here's my problem, with a bit of luck can someone help...

    I use the Cisco client to establish a connection with a client.  Once the connection is established I can no longer browse my local network.  Here are the results of the ipconfig command for the local adapter and the VPN adapter.

    Any help would be greatly appreciated.

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : nvcadmin06
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
       Physical Address. . . . . . . . . : 00-18-8B-00-5C-B1
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.20.0.5
       Subnet Mask . . . . . . . . . . . : 255.0.0.0
       Default Gateway . . . . . . . . . : 10.0.0.1
       DNS Servers . . . . . . . . . . . : 10.0.0.1
                                           208.67.222.222

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Cisco Systems VPN Adapter
       Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.10.10.197
       Subnet Mask . . . . . . . . . . . : 255.0.0.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.2.19

    Thank you in advance.

    Hi Eric,.

    Unfortunately not, this is controlled by the VPN server.

    You can try changing the routing on your machine by using static routes, but it is not supported, because it is considered a security risk.

    I would recommend you contact the remote administrator and explain that you need "split tunneling" instead of "tunnelall".

    Thank you.

    Portu.

    Please rate all useful posts

  • RV042 VPN connection issues

    Hello

    I've successfully connected two RV042s to establish a gateway-to-gateway VPN connection. I have follow-up questions, please comment:

    1. I want to keep the VPN tunnel connected indefinitely. Is it enough to tick 'Keep-Alive' on the VPN -> Gateway to Gateway -> Advanced page? Or should I ping the RV042 periodically?

    2. Do the "Phase 1/Phase 2 SA Life Time" settings (on the VPN -> Gateway to Gateway page) have any impact on keeping the VPN connection up indefinitely? What are the optimal values for them?

    3. Is there an API, command or script to replace manually clicking the "CONNECT" button on the VPN -> Summary page to establish the VPN tunnel? Or is there a way to do this at power-up?

    4. Is there a way to establish a VPN tunnel without logging in and clicking the "CONNECT" button (auto-connect at power-up)?

    Thank you in advance for the comments.

    Steve

    Hello Stephen

    I have a question as well. We have an RV042 that does not restore the connection unless we hit the Connect button. Then everything is fine - after a while it drops the connection once again and we have to log in and connect again.

    Still having the problem?

    Mike
