Paulosullivan
Technical User
Hi,
I've seen previous posts about MUVPN problems with W2K and I guess a few of you have had the standard response "lower the MTU, it's a Microsoft issue". As some of you might have discovered, this doesn't really fix the problem. Another "fix" is to have the remote users not be in the domain - fine for as long as the users never come onsite, or if core apps don't require users to be a member of a domain.
The fault appears to be with the MUVPN client software and the way it interacts (or rather doesn't) with the firewall. The MUVPN client software cannot/will not accept packets larger than 1358 bytes, yet when used in conjunction with Windows 2000 Active Directory (W2KAD) the Firebox sends packets with a size of 1372 bytes. When the client receives packets larger than 1358, it discards them as opposed to sending a response back to the Firebox requesting a smaller packet size - which is totally at odds with RFCs in general.
We spent quite some time testing several firewalls with W2KAD and found no problems. We tried WG with NT4 and then W2K domains and whilst NT4 is fine, W2K isn't (unless you revert to NT authentication - as suggested by WG!).
We have found the Fortinet client to be extremely stable and very fast (5 times faster than SafeNet) - plus it works seamlessly with W2K/AD - unlike SafeNet.
So don't drop the MTU, drop SafeNet and get this little fella.
Hope this helps.
Paul
Paul O
______________________________________
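An added diagnostic, not from the original post or from either vendor: when a client silently drops oversize packets instead of answering with an ICMP "fragmentation needed", path-MTU discovery gets no feedback, so the real ceiling has to be measured by hand with Don't-Fragment pings, and this POSIX sh script binary-searches for it. It assumes Linux iputils ping flags, a placeholder probe address, and the 28-byte IPv4+ICMP header overhead on top of the echo payload.

```shell
#!/bin/sh
# Binary-search the largest ICMP echo payload that crosses the tunnel with
# the Don't-Fragment bit set. Assumptions (not from the post): Linux iputils
# ping, where "-M do" sets DF and "-s" is the payload size; IPv4 ICMP echo
# adds 28 bytes (20 IP + 8 ICMP) to the payload.

PROBE_HOST="${PROBE_HOST:-192.0.2.10}"   # placeholder address, not from the post

# probe SIZE: exit 0 if a DF-flagged echo with SIZE payload bytes is answered.
probe() {
    ping -M do -s "$1" -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1
}

# find_max_payload LOW HIGH PROBE_FN: largest payload in [LOW,HIGH] for which
# PROBE_FN succeeds, assuming success is monotone (small ok, large dropped).
# Prints the payload size, or -1 if even LOW is dropped.
find_max_payload() {
    lo=$1; hi=$2; fn=$3; best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$fn" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Convert the payload ceiling into the IP MTU you would configure.
payload_to_mtu() { echo $(( $1 + 28 )); }

# Stand-alone run: "sh script.sh run" sweeps 1200..1500 payload bytes.
if [ "${1:-}" = "run" ]; then
    max=$(find_max_payload 1200 1500 probe)
    if [ "$max" -lt 0 ]; then
        echo "no DF-flagged echo answered; check the host and that DF pings are permitted"
    else
        echo "largest DF payload: $max bytes -> set MTU no higher than $(payload_to_mtu "$max")"
    fi
fi
```

A ceiling of 1330 payload bytes corresponds to the 1358-byte packet limit described above; anything the tunnel passes above that means the limit lies elsewhere.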