Site to Site VPN and Microsoft Exchange 1

[nebula72]

I have a site to site vpn between a cisco 2600 and checkpoint firewall. From the internal network I can ping all machines across the VPN by hostname, netbiosname and ip (including my Exchange server). the thing is that outlook cannot connect to exchange. All ports are open on the firewall for the VPN. Any help would be GREATLY APPRECIATED.

Oh yea.. As a workaround I use a MSFT vpn server/local clients without any issue. I just would like to do it through the site to site tho.

thanks

tom

 

[The5500Lover]

Hi Tom,

your problem seems to be with the mtu size. The exchange server has the behavior to send packets at the full mtu 1500 bytes, the problem with vpn and mtu is that the encryption process of the packets adds an overhead of aprox. 60 bytes, so you need to decrease the max mtu in the private interface of your router in order to send packets lesser that 1500, with this command in interface config mode:

ip tcp adjust-mss 1400. This command will allow you to send packets for encryption which will not overpass the 1500 bytes and thus avoid packets drops.

Fernando Bardia
MCP, CCNA, CCSP

 

[rn4it]

We had a similar problem, remember with Checkpoint Any is not alway Any. It is only the Any defined by CheckPoint services installed by default, excluding UDP and TCP highports. With Exchange Server, you will want to look up the article on their knowledge base and hard set the port it uses (there's 3, RPC, and 2 others that'll need). Add these to the encrypt rule, along with any other services needed.