Exchange issue with browsing across IPsec tunnel

I support a remote site, let's call it Site B. At Site B we use SonicWall IPsec 
tunnels to connect 25 or so PCs and 3 servers (2 of which are 2000 DCs) to 
Site A.  The client machines and servers use this tunnel from Site B 
(192.168.44.0) to connect to Site A (192.168.1.0), which contains additional 
DCs and our primary and only Exchange server. 

Up until about a month ago everything worked fine between the sites: we 
could replicate DNS etc., and client PCs could browse files on both sides using 
UNC names or UNC IP mappings.  Then it basically stopped working. Our tunnel is 
up and connected and we can ping by name and IP address, but we are unable to go 
beyond that.

The critical issue is that our Exchange server (Site A) is not at Site B, and 
now Outlook clients cannot connect to Exchange internally at Site B, thus no 
email.  DNS replication is also failing, as the sites cannot connect using AD 
sync either, so now AD is also not able to replicate changes from site to 
site.
Site B is geographically 2000 miles from Site A, so we are trying to get this 
done remotely.  We do have remote access in using IP mapping.  

At this point we have spent countless hours on the phone getting no good 
response from MS support, as we are also an MS partner.  Additionally we have 
replaced the SonicWall appliance at Site B, added hosts files on all PCs and 
taken several other steps with no good result.  We have basically hit the wall and 
have no idea what would be causing this issue.  If anyone has any suggestion 
or has experienced this before, it would greatly help us if any suggestions 
could be made.  I actually think it could be something very simple, but we are 
so far in we may just not see it.  

We are stumped on this so any suggestions would be great!

Thanks 
Mike

0
Mike1154 (1216)
11/27/2006 2:27:01 PM
exchange.admin

What are you seeing in the event logs? We often see this because of VPN 
overhead on the TCP/IP packets and authentication requirements. Microsoft 
uses UDP for its authentication, which means it does not handle lost packets 
very well. Also, the packet size is very specific for authentication. If the 
packets are being fragmented on purpose because of the overhead on the 
tunnel and then not being reassembled correctly... We have had to set packet 
sizes on the firewalls down to around 1300. I will have to talk with my 
router team to gain more info, but I know that this causes some major 
problems.

Let me know if you have any questions.


0
mitchr (6)
11/27/2006 2:41:56 PM
Mitch, thanks for your response.  I am not sure how I would set packet sizes 
on a SonicWall.  Besides this, Microsoft already told us this.  Also, since no 
changes have occurred on either side or firewall, and they had been operating 
for over 2 years with no change to any packet size, I am confused at 
how this would suddenly change.  Let me know what your router team finds out 
if you can.

Thanks,
Mike

0
Mike1154 (1216)
11/27/2006 4:33:02 PM
I know I am probably asking questions already asked; however, have you looked 
at DNS on both sides?

We also changed the clients to use TCP instead of UDP for authentication.

I am wondering if your firewall was updated with a new config or firmware?



0
mitchr (6)
11/27/2006 10:49:15 PM
Mike,

I was just talking with our network team and they reminded me of something. 
We have occasionally seen a problem with IPsec tunnels where the tunnel 
looks like it is up but it is not: the negotiation did not fully complete, 
and when it is debugged you will see the errors. This is one possibility.

The other is delay on the tunnel. When you do a continuous ping with a packet 
size of 1400, what are the delay times in milliseconds?


0
mitchr (6)
11/29/2006 12:24:08 PM
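The don't-fragment ping sweep behind the 1300/1400-byte figures discussed above, written out as an added example (not code from this thread): it binary-searches the largest ICMP payload that crosses a tunnel without fragmentation, converts that to a path MTU, and says what to expect for full-size Kerberos/SMB/RPC packets. The ping switches are the standard don't-fragment and payload-size options of Windows, macOS and Linux ping; SIMULATED_PATH_MTU and simulated_probe are constructed so the script also runs offline.

```python
"""Don't-fragment ping sweep to measure the usable MTU across a VPN tunnel.
Added example: the simulated 1400-byte path is a constructed value for offline runs."""
import platform
import subprocess
import sys
from typing import Callable, List

IP_HDR = 20          # IPv4 header
ICMP_HDR = 8         # ICMP echo header
ICMP_OVERHEAD = IP_HDR + ICMP_HDR        # ping payload -> on-the-wire IP packet size
MAX_PAYLOAD_1500 = 1500 - ICMP_OVERHEAD  # 1472: what a clean 1500-byte link passes

def df_ping_cmd(host: str, payload: int) -> List[str]:
    """One echo request of `payload` bytes with the DF bit set (no fragmentation allowed)."""
    system = platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]
    if system == "Darwin":
        return ["ping", "-c", "1", "-D", "-s", str(payload), host]
    return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]   # Linux iputils ping

def df_ping(host: str, payload: int, timeout: float = 3.0) -> bool:
    """True only if the unfragmentable echo got a reply (ping exit status 0)."""
    try:
        done = subprocess.run(df_ping_cmd(host, payload), capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return done.returncode == 0

def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = MAX_PAYLOAD_1500) -> int:
    """Largest payload in [lo, hi] that `probe` accepts, by binary search; assumes a fixed
    path MTU (if size n passes, every smaller size passes). Returns -1 if even `lo` fails."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid still crosses the path: search upwards
        else:
            hi = mid - 1      # mid was dropped: the limit is below it
    return lo

def path_mtu(max_payload: int) -> int:
    """Passing payload -> size of the largest IP packet the path carries unfragmented."""
    return max_payload + ICMP_OVERHEAD

def recommended_mss(pmtu: int) -> int:
    """TCP MSS to clamp on the tunnel endpoints: path MTU minus IPv4 + TCP headers (40)."""
    return pmtu - 40

def classify(max_payload: int, link_mtu: int = 1500) -> str:
    """Turn the sweep result into the symptom pattern to expect and the usual fix."""
    if max_payload < 0:
        return "no reply even to small probes: tunnel, routing or ICMP filtering problem"
    pmtu = path_mtu(max_payload)
    if pmtu >= link_mtu:
        return "full-size packets pass: fragmentation/MTU is not the cause"
    return (f"path MTU is {pmtu} (< {link_mtu}): small pings work but full-size "
            f"Kerberos/SMB/RPC packets get dropped; clamp MSS to {recommended_mss(pmtu)} "
            f"or lower the MTU on the tunnel endpoints")

SIMULATED_PATH_MTU = 1400   # constructed: a tunnel that silently drops anything larger

def simulated_probe(payload: int) -> bool:
    """Offline stand-in for df_ping(): passes iff the whole IP packet fits the path."""
    return payload + ICMP_OVERHEAD <= SIMULATED_PATH_MTU

if __name__ == "__main__":
    # python mtu_sweep.py <host across the tunnel>; with no argument, run the simulation
    probe = (lambda n: df_ping(sys.argv[1], n)) if len(sys.argv) > 1 else simulated_probe
    best = find_max_payload(probe)
    print(f"largest unfragmented payload: {best} -> {classify(best)}")
```

Against a real host the probe needs ICMP echo allowed end to end; a filtered reply looks the same as a dropped oversize packet, so confirm a small probe passes first (the -1 case).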
Mitch,
We can only use above 200 MTU pings onto one of the networks; the other ones 
won't pass, and our SonicWalls seem fine.  Not sure where to go from here.  Is 
there a setting in Windows possibly causing this?

0
Mike1154 (1216)
12/5/2006 6:19:00 AM
No, Windows does not cause this. What are your ISP connections to each site? 
Often the provider is not supplying enough bandwidth. This can cause 
this problem, or they are having a problem with their circuit.




0
Mitch (67)
12/5/2006 2:15:16 PM
Mike, have you found out anything? I see similar problems often with VPN 
tunnels and authentication. One way to get around this is to set Windows 
authentication to use TCP instead of UDP. However, in your case, with the 
packet size and not even getting across one tunnel, this will not be of any 
assistance. What needs to happen is SonicWall and your ISP need to 
troubleshoot their lines and the SonicWalls' configuration.

Depending on the type of tunnel, if you are being overwhelmed with traffic, 
i.e. your pipe is full or your pipe is not big enough, then this can happen in 
some cases. Also, misconfiguration of the connection can cause this.

Do you have a router in front of the SonicWall devices, or is the Internet 
connection provided to you via Ethernet?


0
Mitch (67)
12/6/2006 2:04:53 PM