Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
that makes some sense to me as it would explain why it works using the wireless interface which doesn't come up at boot time. I;ll give it a try tomorrow.
I followed your instructions and it worked like a charm! The only issue that I had is that iptables is in /sbin on Fedora Core. I didn't have to prevent the cisco init at boot time, just restart it. I wonder if this is even necessary or just setting the MTU after connection is sufficient? Anyway, this should work for Fedora Core 3 users:
wankelrx8 : i am confirming that your workaround did work on my Gentoo 2.6.9 box. Thank you very much ...now we need to figure out if it's possible to set this value somewhere in the vpnclient settings. I've looked all over Cisco website and looks like you can only preconfigure it for WIndows only, and have to manually change for *nix os. Oh well..it's much better than using my VMvware Xp machine . Thanks again man.
Great find. works good for all remote login functions except NFS. I am still having the NFS mount problems. It usually takes about 20-30 seconds before the entire machine locks up. I have tried using a -o soft and using a bg but to no avail. Any Ideas?
Symptom:
The Cisco VPN traffic seems to top off at
1352 (IP datagram) which includes 1324 (ESP packet).
This happens even when the interface MTU is set
to 1400 or more (say 1460 or 1480).
Workaround:
No workaround.
Sound familiar?
They say it is fixed in version 4.0(3)C. I think this is the overall release version number rather than the specific version quoted above as 4.0 is the highest version listed. It looks like a bug where they are setting the physical mtu too low for no reason.
I am running Fedora Core 3 with kernel version 2.6.9-1.681_FC3 and Cisco VPN Client for Linux, release 4.6.00.0045. I have the firewall and SElinux enabled. After booting, I issue:
/etc/init.d/vpnclient_init start
/usr/local/bin/vpnclient connect "my vpn"
/sbin/ifconfig eth0 mtu 1500
I've got a Broadcom 570x NIC running under Fedora Core 3. The VPN client authenticates fine but I get the fragmentation/mtu problem:
This works:
ping -s 1000 remotehost
This fails:
ping -s 2000 remotehost
At home, using the workaround
/sbin/ifconfig eth0 mtu 1500
fixes that problem and all is good. However from work (remote site trying to connect to the home office), it does not help (I can still ping -s 1000, but not ping -s 1400 from the remote site). After STFW for a little while, I'm still not exactly sure why the workaround works at home - and why it might fail elsewhere.
by setting /sbin/ifconfig to 1500, there should be no chance that the network driver would drop the packet+ip-sec header (which was presumably happening when vpnclient set the eth0 mtu to 1352(?)).
For completeness, I'm including the Cisco known issue that seems to be at the heart of all this consternation.
Unresolved Issues
CSCee60154
Symptoms
After making a VPN Client connection, some traffic types no longer work.
Specifically applications that send large packets like SMTP, HTTP, and SSH.
Conditions
The 2.6.4 Kernel enabled a feature of certain ethernet cards that discards
packets larger than the configured MTU. Since the VPN Client lowers the MTU
visible to the applications in order to add it's overhead without exceeding
the original MTU, the resulting packets are bigger than the newly configured
MTU. Therefore the card throws out the large encrypted packets.
This can easily be tested with a ping.
ping -s 500 x.x.x.x should pass
ping -s 2600 x.x.x.x should fail
Workarounds
If an lsmod shows that the "e100" driver is in use for the network card, it
can be replaced with the "eepro100" driver.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.