Nortel VPN 4.1 problems with routing table 5

joephilip (MIS), Apr 29, 2002, US
I connect to my workplace through Nortel VPN client 4.1; I run Windows XP through a Linksys 4 port router (BEFSR41). I have a Verizon Business DSL with static IP address. My VPN always drops whenever I go to some web sites with an error saying "Routing Table can not be altered once the VPN connection is established."

I checked the routing table with: route print. It shows a new IP address just before the VPN disconnects. What should I do to fix this? I searched the Internet and added some parameters to the Windows registry under HKEY_LOCAL_MACHINE->Services->TCPIP->Parameters, and added/modified the following entries: EnableICMPRedirect and PerformRouterDiscovery. I still have not had any luck fixing it.

What should I do so that my VPN does not get dropped so often?
 
This is a known problem with the Nortel Contivity client; however, Nortel had never admitted this until April 22, 2004. It's interesting to note that there is a Contivity VPN Client Release Notes [Version 4.91] PDF on their support site but no sign of a 4.91 client. In any case, there's a note in the PDF on a known anomaly that says:

DSL connection causes route update (Q00879554)
DSL connections can periodically update the routing table. When the VPN connection is in "Split Tunnel" mode the client will monitor the routing table for security reasons. If the routing table is modified, the tunnel connection will be terminated.

This is not something new with version 4.91 as I've been experiencing this all the way up to version 4.86.

I find that the connection termination will occur consistently on certain web sites like msn.com so I just stay away from them while I'm on the VPN.
 
Thanks much. Hopefully they will have a solution soon.
 
Why do you want to "surf" using your VPN?
We have not enabled split-tunneling, so that our remote users
can only perform business-related functions.
If they want to surf, they can do it on their own home network.
For what it's worth ($.02), split-tunneling is a conduit to your core systems/network.

"You may fire when ready"

Rick Harris
SC Dept of Motor Vehicles
Network Operations
 
joephilip,

Actually, since I replied to your post I discovered the solution. I have sent the solution with supporting information to a few people I know at Nortel and they have confirmed that they can reproduce the problem and the solution. They're running further tests on it and will let me know and, I imagine, the rest of the user community.

netmanrick,

I guess it all depends on the individual setup of the SOHO. If they have a business computer and only use it for work then it's possible that restricting the split-tunnelling may be convenient for everyone. But, in the case that the user utilizes their own computer for work or they need access to the Internet to do their job, it's quite inconvenient to disconnect from the VPN just to surf. Hence the requirement for split-tunnelling and the currently inherent problems associated with DSL. It's a matter of convenience and seamlessness for the users.
 
CPUSmith,

Is it possible for you to describe the solution you have discovered ? I would really appreciate it. This issue has been frustrating me no end.

Thanks,
Abkugu
 
Could CPUSmith please let me know the solution you came up with? I am attempting to set up an NT 4.0 Server with Contivity 4.65 VPN software. I have 2 internal NICs and I want to be able to direct where I want the VPN connection to go.
 
I've contacted Nortel Networks and they have fixed the problem with a new client release, but I don't see it on their web site yet. I've fixed it by applying the following solution, but it involves some fairly technical alterations, so you may want to wait for the client if it's being done by the average user.

Here's what I found. The standard MTU for an Ethernet network is 1500. However, because of PPPoE, the MTU over DSL is 1492. On top of that, the extra overhead caused by the VPN can lower the MTU even further.

Here's how to find the right MTU. While connected to the VPN, ping a server on your corporate network using the following command:
ping -f -l X a.b.c.d

To be clear, the "-l" is a lowercase "L", not a number one. Replace the "a.b.c.d" with the IP address of your server. The "X" will be a number you will use to determine the MTU. For example, ping -f -l 1500 192.168.0.10. Start with 1500. If you get "Request timed out" or "Packet needs to be fragmented but DF set", try 1490. Keep decreasing the number by 10 until you get "Reply from a.b.c.d". Once you get replies, increase the number by 1 until you get a "timed out" or "fragment but DF set" error.

Take the highest number that got replies (in my case it was 1382) and add 28 to that to get the MTU (mine was 1410). Set the MTU in the registry.

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ (find your NIC interface)

Then add:

MTU="1500" (DWORD, valid range is from 68 to <MTU of network>). Set the MTU for your network card to the MTU you came up with.

Then disable automatic MTU discovery at:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Add:

EnablePMTUDiscovery="0" (DWORD - boolean, valid settings are 0-->False and 1-->True)

Reboot.
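As an added example (not from this thread, from CPUSmith, or from Nortel), the script below automates the search in the post above: it issues DF-set pings, finds the largest payload that still gets a reply, adds the 28 bytes of IP and ICMP header, and writes the same two registry values (MTU on the interface key, EnablePMTUDiscovery=0 globally). It uses a binary search instead of the step-down-by-10 walk, which reaches the same number in about a dozen probes. Assumptions: Windows ping.exe with English output for the real probe, an interface GUID you copy from the Interfaces key, and an elevated prompt for the registry write. Run without arguments it demonstrates the search against a constructed 1410-byte path, the value the post reports; the `simulated_probe` and `pin_mtu` names are mine, not anything the client or Windows provides.

```python
"""Find the largest non-fragmenting ICMP payload and pin the interface MTU (Windows).

Added example for the ping -f -l procedure in the thread; not Nortel's or the poster's code.
"""
import subprocess
from typing import Callable

# IPv4 header (20 bytes) + ICMP echo header (8 bytes): the "+28" in the post.
IP_ICMP_OVERHEAD = 28
ETHERNET_MTU = 1500  # the largest ping -l payload on plain Ethernet is 1500 - 28 = 1472


def windows_ping_probe(target: str, payload: int, timeout_ms: int = 1000) -> bool:
    """Return True if `ping -f -l payload target` got an unfragmented reply.

    Windows-only, and assumes ping.exe's English messages: a real reply prints
    "bytes=NNN"; a DF failure prints "Packet needs to be fragmented but DF set".
    """
    proc = subprocess.run(
        ["ping", "-f", "-n", "1", "-w", str(timeout_ms), "-l", str(payload), target],
        capture_output=True, text=True, check=False,
    )
    out = proc.stdout
    return "bytes=" in out and "fragmented" not in out


def find_max_payload(probe: Callable[[int], bool],
                     hi: int = ETHERNET_MTU - IP_ICMP_OVERHEAD) -> int:
    """Binary-search the largest payload `probe` accepts in [0, hi].

    The post decrements by 10 and then increments by 1; a binary search over
    0..1472 needs at most 11 probes plus the reachability check.
    """
    if not probe(0):
        raise RuntimeError("even a zero-byte DF ping fails; check reachability first")
    lo = 0  # invariant: probe(lo) succeeded
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Largest working ping payload -> MTU value to write (payload + 28)."""
    return payload + IP_ICMP_OVERHEAD


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping: a DF packet passes iff it fits the path MTU."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


def pin_mtu(interface_guid: str, mtu: int) -> None:
    """Write the two registry values from the post. Windows only; needs admin rights."""
    import winreg  # Windows-only module; imported lazily so the search logic runs anywhere
    if not 68 <= mtu <= ETHERNET_MTU:
        raise ValueError("MTU must lie between 68 and the network MTU")
    iface = (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
             + "\\" + interface_guid)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, iface, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "MTU", 0, winreg.REG_DWORD, mtu)
    params = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, params, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "EnablePMTUDiscovery", 0, winreg.REG_DWORD, 0)
    # A reboot is still required for TCP/IP to pick the values up, as the post says.


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # Real run while the VPN is up: python mtu_probe.py 192.168.0.10
        payload = find_max_payload(lambda n: windows_ping_probe(sys.argv[1], n))
    else:
        # Offline demonstration on a constructed 1410-byte path (the post's value).
        payload = find_max_payload(simulated_probe(1410))
    print(f"largest DF payload: {payload}; MTU to pin: {path_mtu_from_payload(payload)}")
```

Two cautions before applying the registry half. EnablePMTUDiscovery=0 is global, so Windows will no longer learn a smaller MTU on any other path: the pinned value has to be at or below the smallest path you use, or you reintroduce the same black-hole behaviour elsewhere. And the value belongs on the physical NIC's Interfaces subkey, not on the virtual adapter the VPN client creates, since the probe measured the path the tunnel rides on.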
 
I have been hacking this for 5 hours now and was about to have an aneurysm when I read the above post - seemed like plain vanilla to me like..."I ALREADY had set the MTU lower" BUT one important distinction was the EnablePMTUDiscovery="0".

WOOHOO! If I hadn't been so brain dead and walked through the pinging exercise I might have skipped over the thread since it seemed so similar.

Using Contivity 4_86.033 with DSL PPPoE; the DSL is an integrated DSL modem gateway. The key is secure websites wanting to open an encrypted line on https, i.e. a banking website. Then you get a 169.xxx.xxx.xxx APIPA address and "WHAM", goodbye VPN. For the record, I disabled APIPA and this had NO EFFECT. Someone please explain. I also disabled routing table auto-discovery and that had no effect. Only lowering the MTU and disabling rediscovery of MTU fixed it. So maybe all those who have the issue can use the MTU fix, and those who tried and failed (initially that was me too!) can disable the MTU auto-discovery.

Finally, CPUSmith, you da MAN! And thanks to ALL who post here, your inputs are invaluable - newbs and pros alike - we all help each other in some way.

Cheers!
 
Check out the DSL Reports web site. Lots of good info about MTU,
DSL vs. cable, window size, etc.
Several good tools to tune your network.

Rick Harris
SC Dept of Motor Vehicles
Network Operations
 