Black hole routers and MTU size

Discussion in 'Windows Small Business Server' started by Keith, Jul 20, 2007.

  1. Keith

    Keith Guest

    I have been fighting a problem for several weeks after our server at a remote
    office decided to quit synchronizing with the SBS server at the main office.
    After many hours with Microsoft support it was finally determined that RPC
    traffic was having problems. It turned out to be the NetGear VPN router will
    not pass RPC packets of 1472 bytes without fragmenting them as they go thru
    the IPSEC tunnel.

    I found that if I set the MTU size on the servers to 1416, that RPC's now
    succeed and we are not replicating Active Directory and DFS files.
    However, we are having problems with workstations at the remote sites. They
    seem to login OK but shares on the main SBS server (on the other end of the
    VPN tunnel) don't even show up. If one does a \\SBSservername, the only
    thing you see is a "users" folder. This is the same behavior you get if
    you disconnect a workstation from the network and do the same test...

    I am suspecting this is related to the MTU limitation. We set the MTU size
    on the workstation to 1416 as well, but it didn't seem to help.

    I believe the best thing to do is to junk the NetGear boxes and replace them
    with another brand. I've seen some postings mentioning Netopia. Does
    anyone know if they indeed will pass the default RPC packet size of 1472 (KB
    article 314825)?

    Or, is there something else that needs to be modified on workstations. I
    also experienced a similar behavior when I did a remote VPN (Connect to Small
    Business Server). The VPN connected OK, but I can't see shares, nor can I
    get to Exchange.

    thanks for any and all pointers
     
    Keith, Jul 20, 2007
    #1

  2. The problem is not the Netgears (which model? FVS? decent model but note, it
    is not a firewall).

    You state "that RPC's now succeed and we are not replicating Active
    Directory and DFS files." which I take is a typo, the 'not' should be
    another 'now'.

    I'd try dropping the MTU significantly, you can fine tune it should it work
    but try dropping down to, say, 11-1200. Facing similar problems recently I
    set the Cyberguard SG300 to 1200 and remote workstations to 1100, haven't
    gotten around to tuning it yet.
     
    SuperGumby [SBS MVP], Jul 21, 2007
    #2

  3. Keith

    Keith Guest

    The two servers were indeed working fine after setting the MTU to 1416. They
    immediately started replicating after the change:)

    I set the servers down to 1200 per your suggestion to see if that makes a
    difference. I can do a ping between the two servers with a max packet size
    of 1172 (which is correct for the MTU of 1200). In the morning when I can
    get someone to make the registry changes to the workstations at the remote
    site, we'll test to see if they will start working.

    Does anyone have any ideas what made things start to fail? We had been
    working flawlessly for about 9 months, when out of the blue we started having
    a problem with the RPC's. The VPN boxes had no changes to configuration or
    firmware. And the servers hadn't been upgraded to newer major releases.
    Just the typical Microsoft updates... I suspect the rules of engagement for
    RPC communication were changed. Just a guess though.
     
    Keith, Jul 21, 2007
    #3
  4. Something changed on the path between the router and the server. This type
    of MTU change is not about local network conditions but the WAN transport.
     
    SuperGumby [SBS MVP], Jul 21, 2007
    #4
  5. Teneo

    Teneo Guest

    Typical Microsoft updates... Does that include 2003 Server SP2? When was
    this applied?
     
    Teneo, Jul 21, 2007
    #5
  6. Keith

    Keith Guest

    The problem occurred prior to SP2 updates. After the problem started
    occurring, I upgraded the Win 2003 box to SP2 (thinking just maybe that might
    help, but the SBS box is still SP1).

    I have been troubleshooting the three workstations (out of 7) that are not
    communicating properly after this ordeal. One thing I noticed is that all three
    have in common is that I cannot Ping them. All seven workstations get their
    IP addresses via the Win 2003 server's DHCP server. All workstations can
    ping out, but the three boxes with problems won't respond when
    pinged... All seven workstations have identical IP configurations with the
    exception of their IP addresses which are unique to each machine. We've
    tried switching ports with working systems, but no improvement.

    Even stranger is that I had three of the workstations at the main office
    last week and they all worked fine but only one of the three work when
    relocated to the remote office.
     
    Keith, Jul 21, 2007
    #6
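The thread's manual ping sweep (largest ICMP payload that fits an MTU of 1200 is 1172, and RPC datagrams of 1472 bytes that no longer fit once ESP encapsulation is added) can be worked through offline. The following is an added example, not code from any poster: it models an IPsec router in front of a 1500-byte WAN link and runs the same don't-fragment probe a practitioner would do with `ping -f -l <size>` on Windows. The ESP overhead of 58 bytes, the header sizes and the `IpsecPath` model are assumptions for illustration; real tunnel overhead depends on the cipher and padding.

```python
"""Added example (not from the thread): model path-MTU probing across an IPsec
tunnel, including the 'black hole' case where the router drops oversized
DF packets silently instead of replying with ICMP 'fragmentation needed'."""

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header

# Assumed ESP tunnel-mode overhead: outer IPv4 header (20) + ESP header (8)
# + 16-byte IV + up to 15 bytes padding + pad-length/next-header (2) + 12-byte ICV.
# 58 is a worst case for AES-CBC; real overhead varies with cipher and padding.
ESP_OVERHEAD = 58


def max_ping_payload(mtu: int) -> int:
    """Largest ICMP echo payload that fits in one IP datagram of `mtu` bytes.
    This is the size you pass to `ping -f -l` (Windows) or `ping -M do -s` (Linux)."""
    return mtu - IP_HDR - ICMP_HDR


class IpsecPath:
    """A VPN router that wraps each inner packet in ESP and forwards it onto a
    WAN link of `wan_mtu` bytes.  With black_hole=True it drops DF packets that
    would need fragmentation without any ICMP feedback (the black-hole router)."""

    def __init__(self, wan_mtu: int, black_hole: bool = False):
        self.wan_mtu = wan_mtu
        self.black_hole = black_hole
        self.icmp_sent = 0  # how many 'fragmentation needed' messages were returned

    def effective_mtu(self) -> int:
        """Largest inner datagram that still fits the WAN link after ESP wrapping."""
        return self.wan_mtu - ESP_OVERHEAD

    def send(self, size: int, df: bool) -> str:
        """Outcome of sending an inner datagram of `size` bytes through the tunnel:
        'delivered', 'fragmented', 'icmp-needfrag' or 'dropped'."""
        if size <= self.effective_mtu():
            return "delivered"
        if not df:
            return "fragmented"      # router splits the packet before encrypting
        if self.black_hole:
            return "dropped"         # sender sees only a timeout
        self.icmp_sent += 1
        return "icmp-needfrag"       # sender learns the real path MTU


def probe_path_mtu(path: IpsecPath, lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest DF datagram the path delivers.  Both an ICMP
    need-frag reply and a silent timeout count as 'too big', so the sweep works
    against a black-hole router too; it just gets no hint to shortcut the search."""
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if path.send(mid, df=True) == "delivered":
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return best


if __name__ == "__main__":
    # Constructed scenario: 1500-byte WAN, router does not send ICMP errors.
    tunnel = IpsecPath(wan_mtu=1500, black_hole=True)
    print("effective MTU inside tunnel:", tunnel.effective_mtu())
    print("1472-byte DF datagram:", tunnel.send(1472, df=True))
    print("path MTU found by DF sweep:", probe_path_mtu(tunnel))
    print("ping payload for MTU 1200:", max_ping_payload(1200))
```

A DF sweep like `probe_path_mtu` is the check to run from a workstation before changing registry MTU values: if the largest deliverable size is well below 1500 and no ICMP need-frag messages ever come back (`icmp_sent` stays 0), the tunnel device is a black hole and every host behind it needs its MTU clamped below the tunnel's effective size, as the thread ends up doing.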