site-to-site MTU issues???

Post by zbadone » Fri Nov 26, 2010 7:27 am

I have set up a Debian OpenVPN server at the main office and another identical box in another office located across town, both using RoadRunner Hi-speed network, 10/2m.

Each office has 8 XP Windows boxes; the Main Office has a W2003 file server from which I share folders across the tunnel. I can ping across the tunnel without issues. The problem that I am having is that when more than one XP machine transfers files across the tunnel, I get lost shared folders. I believe this to be an MTU problem; the symptoms point to this.

My question is, when I adjust my MTU settings, am I to change the MTU on the tun0, the eth0 or both interfaces on both openvpn machines?

Do I need to adjust all the XP machines in each office to the best MTU setting I can set?

I have run the main office openvpn server with the mtu-test option. I have also played around with these options as well: mssfix, fragment, tun-mtu, etc...

Thanks.


Post by krzee » Tue Nov 30, 2010 6:02 am

http://secure-computing.net/wiki/index. ... leshooting
Does that help?
Missing shared folders doesn't sound like a symptom of MTU issues to me, but maybe I misunderstand what you tried to say.


Post by zbadone » Tue Nov 30, 2010 11:03 pm

krzee wrote:
> http://secure-computing.net/wiki/index. ... leshooting
> Does that help?
> Missing shared folders doesn't sound like a symptom of MTU issues to me, but maybe I misunderstand what you tried to say.

Thank you for the link, very interesting article. That article explains what I am experiencing.
When I try to cp/mv large files around using the "Shared folders" across the tunnel, the computer doing the transfer loses (drops) its connection, but the vpn tunnel remains up.

I hope you understand what I'm trying to say(?)

Back to my problem: do I need to set a lower MTU on the tun0 device at each end of the site-to-site tunnel, or at each XP machine behind each vpn server, or perhaps at each of the routers that sit in front of each vpn machine?

This is what it looks like: site-to-site vpn setup.

5-XP boxes -> vpn svr-> router/gw--->internet---> router/gw --> vpn svr -->win2003 server-->shared folder.

I will look at testing the mtu setting with tcpdump soon.

Thanks.


Post by zbadone » Tue Nov 30, 2010 11:46 pm

I was reading that article and had a few questions on how this MTU issue works within Openvpn.

Since both the eth0 and the tun0 interfaces have MTUs, does the dialog dealing with MTU size happen before the package leaves the Openvpn server on eth0?

Let me try and see if I understand this:

A packet comes in from an XP machine, let's say max MTU size is 1500, we are transferring a large file, it arrives on the eth0 of the openvpn server, gets encrypted and the packet is now larger due to the overhead, etc. Now Openvpn sends this larger packet to tun0 --> eth0 and out on the wire to the other openserver. Is there an icmp dialog, of sorts, inside the openvpn server as to the MAX MTU eth0 will handle even before the packet has left the openvpn server?

Is this where the openvpn option "mssfix" comes into play? Dealing with the MTU before packets enter tun0/eth0?

I wonder if iptables on the Debian/Openvpn is blocking icmp messages?

I hope I am making some sense here, I'm sure my words are not 100% on target, but I'm sure you can understand the overall concept I'm trying to explain.
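
Added example, not part of any post in this thread: a shell sketch for measuring the largest IPv4 packet a path carries with the don't-fragment bit set, which is the measurement the MTU questions above depend on. It assumes Linux iputils `ping` (`-M do`); the function names `probe` and `find_pmtu` and the default bounds 576 and 1500 are choices made for this example.

```shell
#!/bin/sh
# Added example: binary-search the largest unfragmented IPv4 packet size.

# probe SIZE HOST: send one ICMP echo of SIZE total IP bytes with DF set.
# Succeeds only if an echo reply comes back (Linux iputils ping flags).
probe() {
    payload=$(( $1 - 28 ))   # 20-byte IPv4 header + 8-byte ICMP header
    ping -M do -c 1 -W 2 -s "$payload" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: search between LOW (assumed to pass) and
# HIGH (assumed local interface MTU). Prints the largest size that got a
# reply; returns 1 if even LOW fails (host down or echo filtered).
find_pmtu() {
    host=$1; lo=${2:-576}; hi=${3:-1500}
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid              # mid fits, look higher
        else
            hi=$(( mid - 1 ))    # mid was dropped, look lower
        fi
    done
    echo "$lo"
}

# Stand-alone use: ./pmtu.sh HOST [LOW] [HIGH]
if [ -n "${1:-}" ]; then
    find_pmtu "$@"
fi
```

A probe counts as failed whenever no reply arrives, so the search still converges when a firewall drops ICMP "fragmentation needed" messages. Running it from one VPN server against the other server's public address and then against its tunnel address shows what size each path accepts with DF set.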
