VPN drops with ISAKMP packet Destination Unreachable

Status
Not open for further replies.

Shay2501

MIS
Jun 25, 2003
24
US
I am using a Nortel Contivity client to connect to a vendor network. Usually within a few minutes of connecting I get an error stating "Routing tables changes violate security policy". I have been running Ethereal to see what is going on. At the moment the tunnel disconnects, the remote host sends me an ISAKMP packet to the destination port that I sent my last ISAKMP packet from. Then my PC sends an ICMP packet back with "Destination Unreachable (Port Unreachable)". It seems like after a variable amount of time the port becomes unavailable. This is happening on every PC I try on this network. I have set up a test PC and tried changing some registry parameters such as the MTU size and EnablePMTUDiscovery='0', but it still does not work.

Does anyone have any suggestions or run into this problem before?
 
I ran into this problem before. Even if it says Routing tables changed... it's not. It's actually because your TCP MSS value has changed.

You have your MTU set, but your MSS is MTU - TCP Header - IP header.

What does that mean? You're sending packets that have the DF bit set, meaning they can't be fragmented. They reach a certain router that will need to fragment your packet, so it will send you back a Destination Unreachable packet. In that same packet, it's sending you the Maximum Segment Size (MSS). Your computer will take it and will change its own MSS. This is where you get your violation in your security policy.

Let me know if that helped.
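A diagnostic for the pattern both posts describe, added here as an example and not code from either poster: it walks a constructed packet summary (addresses, ports, timestamps and ICMP codes are all made up, shaped like an Ethereal/tshark export) and reports ISAKMP source ports the client later rejected with ICMP Port Unreachable, plus any ICMP fragmentation-needed messages received and the MSS they imply.

```python
from dataclasses import dataclass
CLIENT = "10.0.0.5"      # constructed VPN client address
PEER = "203.0.113.10"    # constructed Contivity gateway address

@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str       # "UDP" or "ICMP"
    sport: int = 0   # UDP source port (unused for ICMP)
    dport: int = 0   # UDP destination port; for ICMP, the port quoted in its payload
    code: str = ""   # ICMP type/code: "3/3" port unreachable, "3/4" fragmentation needed
    mtu: int = 0     # next-hop MTU carried in an ICMP 3/4

def find_dead_isakmp_ports(pkts, client=CLIENT, peer=PEER):
    """Return (port, last_sent_ts, unreachable_ts) for each UDP source port the client
    used towards the peer's ISAKMP port 500 and later rejected with Port Unreachable."""
    last_sent = {}   # client source port -> time of the last ISAKMP sent from it
    findings = []
    for p in pkts:
        if p.proto == "UDP" and p.src == client and p.dst == peer and p.dport == 500:
            last_sent[p.sport] = p.ts
        elif (p.proto == "ICMP" and p.src == client and p.dst == peer
              and p.code == "3/3" and p.dport in last_sent):
            findings.append((p.dport, last_sent[p.dport], p.ts))
    return findings

def pmtu_events(pkts, client=CLIENT, ip_hdr=20, tcp_hdr=20):
    """Return (router, next_hop_mtu, implied_mss) for every ICMP 3/4 the client
    received; implied MSS = MTU - TCP header - IP header, as the reply puts it."""
    return [(p.src, p.mtu, p.mtu - ip_hdr - tcp_hdr)
            for p in pkts if p.proto == "ICMP" and p.dst == client and p.code == "3/4"]

# Constructed capture: the gateway's reply to port 1025 arrives 65 s after the
# client last used that port, and the client rejects it with Port Unreachable.
SAMPLE = [
    Pkt(0.00, CLIENT, PEER, "UDP", 500, 500),
    Pkt(0.05, PEER, CLIENT, "UDP", 500, 500),
    Pkt(60.0, "192.0.2.1", CLIENT, "ICMP", code="3/4", mtu=1400),
    Pkt(120.0, CLIENT, PEER, "UDP", 1025, 500),
    Pkt(185.0, PEER, CLIENT, "UDP", 500, 1025),
    Pkt(185.0, CLIENT, PEER, "ICMP", dport=1025, code="3/3"),
]

if __name__ == "__main__":
    for port, sent, dead in find_dead_isakmp_ports(SAMPLE):
        print(f"UDP {port}: last ISAKMP sent {sent}s, Port Unreachable {dead}s ({dead - sent:.0f}s later)")
    for router, mtu, mss in pmtu_events(SAMPLE):
        print(f"ICMP fragmentation needed from {router}: next-hop MTU {mtu}, implied MSS {mss}")
```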
 