<meta http-equiv="content-type" content="text/html; charset=utf-8"><a href="http://support.microsoft.com/kb/898060">http://support.microsoft.com/kb/898060</a><div><br></div><div><a href="http://support.microsoft.com/kb/898060"></a>If you're really having these problems, then it's something unique to your setup. I've never seen RDP/Windows have issues like that in large ipsec environments. You may want to clamp MSS in iptables.</div>
<div><br></div><div>Scott</div><div><br><div class="gmail_quote">On Mon, Mar 14, 2011 at 10:45 AM, Greg Scott <span dir="ltr"><<a href="mailto:GregScott@infrasupport.com">GregScott@infrasupport.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div lang="EN-US" link="blue" vlink="purple"><div><p><span style="font-family:Wingdings"><span>Ø<span style="font:7.0pt "Times New Roman""> </span></span></span>That's a problem with Windows, and most likely the bug around the number of routes with </p>
<p><span style="font-family:Wingdings"><span>Ø<span style="font:7.0pt "Times New Roman""> </span></span></span>non-default MTU routes incrementing but never decrementing. Over time, this caused Windows </p><p>
<span style="font-family:Wingdings"><span>Ø<span style="font:7.0pt "Times New Roman""> </span></span></span>machines to become unresponsive over the network.</p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">No. This behavior was different. I was apparently advertising the default MTU size of 1500. So Windows believed me and sent 1500 byte packets over the tunnel to the other end of the RDP session. But with the IPSEC overhead, the highest I could support was 1440 or something like that. Somewhere along the line those 1500 byte packets would get fragmented and then never reconnected back together on the other end. So the RDP tunnel would crash. This happened to lots of PCs. Not all, but lots. The first workaround was to reduce the MTU size in one of the offending PCs. This worked, but of course only for that PC. The best workaround we could come up with at the time was to just lower the MTU size I advertised. Thus the updown script. </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">So now, with no traditional looking routes over the tunnel, what am I advertising for MTU and will some apps that send large packets break as before?</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p><font color="#888888"><p><span style="font-size:11.0pt;color:#1F497D"><span>-<span style="font:7.0pt "Times New Roman""> </span></span></span><span style="font-size:11.0pt;color:#1F497D">Greg</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p><div><p class="MsoNormal"> </p></div></font></div></div></blockquote></div><br></div>