Pleae someone help: Router to accept the ICMP packet size more then 2048k

[ngtri]

Hello everyone

I have 5 different offices. 2 main offices (where all my servers are) and 3 small offices just have user computers. We are all connected VPN via Cisco Router.

I am trying to apply group policies to users and computers at the small offices over the slow link but whenever they try to logon they are getting Windows cannot obtain the domain controller name for your computer network return value(1054) in the event viewer, and no GPs are being applied. However they are able to logon to the domain and browse to the sysvol at the main offices with the dns name without any problems!

Ping the Domain controller from workstation with –l switch

ping test.domain.com -l 1300 is okping test.domain.com -l 2048 is no ok

I want to configure the Router to accept the ICMP packet size more then 2048k

What is the cisco command to configure the Router to accept the ICMP packet size more then 2048k?

Do I need to configure the Router to accept the ICMP packet size more then 2048k at the main offices Cisco Router too?



Please someone help. Thanks

 

[VinceWhirlwind]

Has their subnet been added to "Sites and Services" in AD?

What difference is a big packet going to make? What do you mean by "no ok"? the large ping should be fragmented and the return ping be only a fraction slower than the normal sized ping.

 

[ngtri]

Hello
Has their subnet been added to "Sites and Services" in AD?
No, I did not add subnet to "Sites and Services" in AD
What should I do here? Plese explane more details

ping from computers at the small offices
For example
ping ad1.domain.com -l 1300 is succeeded (ok)
ping ad1.domain.com -l between 1400 and 2048 is no succeeded(no ok)

http://www.windowstricks.in/2009/07/gpo-update-failed-in-slow-link-vpn-site.html

The above link tells me how to solve problem at Solution one

 

[baddos]

This would be a fragmented ICMP echo request. Your router may have a firewall or something enabled that specifically drops those packets. Please tell us what router and operating system version the router is.

 

[VinceWhirlwind]

1/ If AD doesn't know their subnet, then authentication requests are going to do all sorts of strange things, causing their applications to hang while authentication attempts to the wrong places time out.

2/ Do you mean you get "Request timed out"? Are you sure this occurs at -l 1400, but not at -l 1399? It can be useful to know exactly which size is "too big". What if you add the switch -f, so "ping host -l 1600 -f", what do you get back?
BADDOS sounds like he's onto it.

 

[ngtri]

Hello
Thanks for your help
To baddos (MIS)
Ciscro router at the small offices is Cisco 800 series with os
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M8, RELEASE SOFTWARE (fc1)

----------------------------------------
To VinceWhirlwind (TechnicalUser)
Yes, I meat "Request timed out"
ping ad1.domain.com -l 1400 is no succeeded "Request timed out"

ping ad1.domain.com -l 1388 is succeded "got 4 reply packets"
ping ad1.domain.com -l 1388 -f is succeded "got 4 reply packets"

ping ad1.domain.com -l 1389 is no succeded "Request timed out"
ping ad1.domain.com -l 1389 -f is no succeded "Packets needs to be fragmentet but DF set"

ping ad1.domain.com -l 1600 -f is no succeded "Packets needs to be fragmentet but DF set"
-------------------------------------

I don't undertand. Why did the problem happen right after the changing, not before?
Is the optical fibre caused to the problem?

Below is the changing description

BEFORE CHANING OF NETWORK INFRASTRUCTURE BETWEEN MAIN OFFICES
2 main offices: HUB A and B: (HUB is a Cisco Router 2900 )
DMVPN encrypted tunnel and Cisco DHCP on each.
For example: when HUB A is down and only the clients from the HUB A are down or opposite

HUB A: speed up 15 mb and speed down 15 mb
192.168.0.0/23
Primary DC/ADC/DNS Windows Server 2008 R2
IP: 192.168.0.2
Sub:255.255.253.0
GW: IP: 192.168.0.1
DNS: 192.168.0.2 and 192.168.2.2

HUB B: speed up 10 mb and speed down 10 mb
192.168.2.0/23
Secondary DC/ADC/DNS Windows Server 2008 R2
IP: 192.168.2.2
Sub:255.255.253.0
GW: IP: 192.168.2.1
DNS: 192.168.0.2 and 192.168.2.2

3 small offices(Cisco Router 880 )
DMVPN encrypted tunnel to HUBs and Cisco DHCP on each location.
When HUB A is down and the clients from 3 branches will talk HUB B

Office 1: speed up 15 mb and speed down 10 mb
192.168.4.0/24
Sub: 255.255.255.0
GW: 192.168.4.1
DNS: 192.168.0.2 and 192.168.2.2

Office 2: speed up 4 mb and speed down 0,5 mb
192.168.5.0/24
Sub: 255.255.255.0
GW: 192.168.5.1
DNS: 192.168.0.2 and 192.168.2.2

Office 3: speed up 2 mb and speed down 0,6 mb
192.168.6.0/24
Sub: 255.255.255.0
GW: 192.168.5.1
DNS: 192.168.0.2 and 192.168.2.2

Roaming profile, shared folders, background image, bookmarks of the Internet Explorer worked
GPOs, login, internet access.... worked very good

AFTER CHANING OF NETWORK INFRASTRUCTURE BETWEEN 2 HUB MAIN OFFICES
2 HUB main offices have been changed: (HUB is a Cisco Router 2900 )
Now it is a optical fibre between HUBsDMVPN encrypted tunnel.
When HUB A is down and the clients on the HUB A will talk to HUB B or opposite

Cisco DHCP on main offices: 192.168.0.0/22
All clients from both HUBs have internet access via HUB A with speed up/down 100 Mb
Default gateway for HUBs and the clients: 192.168.3.254 and subnet: 255.255.252.0
Now all clients get IP from both HUBs, new subnet "255.255.252.0" and new gateway "192.168.3.254"


HUB A: speed up 15 mb and speed down 15 mb
192.168.0.0/22 and excluded 192.168.1.255-192.168.3.253

Primary DC/ADC/DNS Windows Server 2008 R2
IP: 192.168.0.2
Sub:255.255.252.0
GW: IP: 192.168.3.254
DNS: 192.168.0.2 and 192.168.2.2

HUB B: speed up 10 mb and speed down 10 mb
192.168.0.0/22 excluded 192.168.0.1-192.168.2.1

Secondary DC/ADC/DNS Windows Server 2008 R2
IP: 192.168.2.2
Sub:255.255.253.0
GW: IP: 192.168.3.254
DNS: 192.168.0.2 and 192.168.2.2

NOT CHANGING ON CISCO ROUTER AT 3 small offices.

Roaming profile, shared folders, background image, bookmarks of the Internet Explorer worked
GPOs, login, internet access....

The clients from HUBs and Branch 1 "speed 15/10 mb" can get such things, but the clients from Branch 2 "speed 4/0,5 mb" and 3 "speed 2/0,6 mb",
can login, see the shared folders, access to internet and CAN GOT get GPOs and background image WHY??

It is slow wlan link on the Branch 2 and 3. That is why Branch 2 and 3 clients could not get GPOs and background image???.

 

[baddos]

I beleive you are experiencing group policy slow link detection. Would the clients that aren't applying their group policy settings happen to be Windows XP or some of the domain controllers be 2003 or older?

Group policy slow link detection if enabled (it is by default) will attempt to send a large ICMP echo request (2048 bytes) to determine if the connection between the client and server is slow. This only occurs if the client or server is 2003/XP or older.

You can decide to either disable slow link detection or enable your Cisco 800 series router to forward those large icmp packets. Without seeing your configuration, the router could either be refusing to fragment the large ICMP packets or just dropping them or a combination of the two.

As a test, you could go onto one of the client computers having this issue and edit the "LOCAL" group policy. Edit the following:
Computer Configuration\Administrative Templates\System\Group Policy\Group Policy slow link detection policy
and

User Configuration\Administrative Templates\System\Group Policy\Group Policy slow link detection policy

Set the threshold to 0.

I would do a couple reboots to be sure the local group policy is applied and then check to see if it successfully applies the domain's group policy.

 

[ngtri]

Hello
yes, I tried to turn off "slow link detection and value=0" on GPO and Local policy on user computers. It did not work.

I also tried below. It did not work either.
GPO and Local policy on user computers:


--------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c
"GroupPolicyMinTransferRate"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c
"GroupPolicyMinTransferRate"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GroupPolicyMinTransferRate"=dword:00000000
-----------------------------------------------------------------

 

[ngtri]

Hello

Here is a configuration of the cisco router at the office 3
----------------------------------------------------------


ip dhcp excluded-address 192.168.6.1 - 192.168.6.50
!
ip dhcp pool OFFICE3
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
dns-server 192.168.0.2 192.168.2.2 (IPs to AD1 and AD2 at the main offices)
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO-SEC-K9 sn TYZ1539C0FK
!
!
username Username privilege 15 secret 5 9fklagfklj2kvnpfkljfdf.
!
!
!
class-map type inspect match-any inside-outside-cmap
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect inside-outside-pmap
class type inspect inside-outside-cmap
inspect
class class-default
drop
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
service-policy type inspect inside-outside-pmap
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key password_of_main_router address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile OFFICE3
set security-association lifetime seconds 900
set transform-set strong
!
!
!
!
!
!
interface Tunnel0
description OFFICE3
ip address 192.160.1.3 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication password_of_main_router
ip nhrp map multicast dynamic
ip nhrp map multicast 95.200.200.123
ip nhrp map 192.160.1.1 95.200.200.123 (WAN IP at the HUB A)
ip nhrp map multicast 110.123.34.10
ip nhrp map 192.160.1.2 110.123.34.10 (WAN IP at the HUB B)
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 192.160.1.1
ip nhrp nhs 192.160.1.2
zone-member security inside
no ip route-cache cef
no ip split-horizon
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile OFFICE3
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description ***Outside***
ip address 95.120.29.13 255.255.255.248 (WAN IP and subnet at the office 3)
ip nat outside
ip virtual-reassembly
zone-member security outside
duplex auto
speed auto
!
!
interface Vlan1
description ***Inside***
ip address 192.168.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside
ip tcp adjust-mss 1452
!
!
router ospf 1
router-id 192.160.1.3
log-adjacency-changes
area 1 stub no-summary
network 192.168.6.0 0.0.0.255 area 1
network 192.160.1.0 0.0.0.255 area 1
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 95.120.29.14 (Gateway at the office 3)
!
access-list 23 permit 192.0.0.0 0.255.255.255
access-list 23 permit 192.160.1.0 0.0.0.255
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
no cdp run

!


-----------------------------------------------------------------------

 

[baddos]

Try putting this in:

!Disable fragmented ICMP signature
ip audit signature 2150 disable
!Disable Large ICMP signature
ip audit signature 2151 disable

Also make sure the routers at the other ends of your tunnel also aren't filtering large or fragmented icmp packets.

 

[ngtri]

Hello
It showed "% Invalid input detected at '^' marker." when I run "ip audit signature 2150 disable" and "ip audit signature 2151 disable"

It showed the same error with the below command:
show ip audit attack
show ip audit info
show ip audit interface
show ip audit name [name [info | attack]]
show ip audit signature [signature_number]

I dont know why. Could you please explain? Thanks

 

[ngtri]

The problem is solved with Open Shortest Path First at the HUBs