Secure Shell
Question about SCP stalling over VPN Mar 09 2010 05:44PM
Matthew Case (mattcase specializedbusinesssoftware com) (2 replies)
RE: Question about SCP stalling over VPN Mar 12 2010 06:08PM
Robin, Robin (robinr muohio edu)
Re: Question about SCP stalling over VPN Mar 10 2010 03:04AM
Darren Tucker (dtucker zip com au) (1 replies)
Re: Question about SCP stalling over VPN Mar 12 2010 08:41AM
John Morrison (john morrison101 googlemail com) (1 replies)
Re: Question about SCP stalling over VPN Mar 12 2010 02:13PM
Matthew Case (mattcase specializedbusinesssoftware com) (2 replies)
Re: Question about SCP stalling over VPN Mar 22 2010 05:02PM
Dennis Nezic (dennisn dennisn dyndns org) (1 replies)
Re: Question about SCP stalling over VPN Mar 24 2010 01:23AM
Dennis Nezic (dennisn dennisn dyndns org) (1 replies)
Re: Question about SCP stalling over VPN Mar 24 2010 08:10PM
Dennis Nezic (dennisn dennisn dyndns org)
RE: Question about SCP stalling over VPN Mar 12 2010 06:03PM
Paul Ryland (paul transversal com)


As with all networks, you need to have a policy of either:

i) always performing fragmentation as required and clearing the DF (don't fragment) bit on packets; or

ii) always allowing Path-MTU discovery to work by allowing ICMP unreachable (subtype fragmentation required) packets to flow freely from all points in your network and over the VPN.

Note that you need to apply one (or both) of these policies consistently on both sides of your network. Also note that the second option will give you the best performance and interoperability with the rest of the internet.

A technical document on why this is required can be found here:

<http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml>

How to put all this into practice:

<http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml>

--Paul

Matthew Case wrote:

> First and foremost, thank you to everyone for your responses. I checked
> the MTU on both sides and it's currently 1500 so I'm assuming it's not a
> mismatch. My VPN is a pair of old Netscreen 5xp boxes, and I can't find
> anything relating to MTU or packet size in the configuration, but I'm
> still looking.
>
> Secondly, to answer your question John, There is no persistent
> connection between the servers. I could feasibly set up an NFS share
> between the two but I have a sneaking suspicion that if the problem is
> some sort of packet mangling by the VPN during file transfers, the
> actual mechanism used to transfer the file will be irrelevant. However,
> I will set this up and test it and report back my results, most likely
> next Monday.
>
> On 3/12/2010 3:41 AM, John Morrison wrote:
> > Matt,
> >
> > If you are using ssh do you need to use scp as well? Or is just plain
> > copy ok?
> >
> > On 10 March 2010 03:04, Darren Tucker <dtucker (at) zip.com (dot) au> wrote:
> >
> >> Matthew Case wrote:
> >> [...]
> >>
> >>> I've looked high and low and haven't really come up with anything
> >>> definitive. Someone somewhere had mentioned fiddling with MTU settings, but
> >>> I'm not really sure what that will accomplish as I am unfamiliar with what
> >>> MTU is and does. If this question has been answered previously, I apologize
> >>> ahead of time. Thanks!
> >>>
> >> This does sound like the MTU problem to which you refer. See
> >> http://www.snailbook.com/faq/mtu-mismatch.auto.html for details.
> >>
> >> --
> >> Darren Tucker (dtucker at zip.com.au)
> >> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> >> Good judgement comes with experience. Unfortunately, the experience
> >> usually comes from bad judgement.
> >
>
> --
> Matthew Case
> Specialized Business Software
> Software Engineer
> SCJP 5 Certified
> Phone: 440-542-9145
> Fax: 440-542-9143
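
A small model of the two policies in the message above, added here as an illustration and not part of the original thread: it shows a sender with DF set crossing a tunnel hop, with and without the ICMP "fragmentation required" message getting back. The `Hop` class, the function names and the 1400-byte tunnel MTU are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    mtu: int                 # largest IP packet the outgoing link carries
    clears_df: bool = False  # policy (i): clear DF and fragment when required

def forward(size, df, path):
    """Carry one packet along path; return ('delivered', None) or ('too_big', mtu)."""
    for hop in path:
        if size <= hop.mtu:
            continue
        if df and not hop.clears_df:
            # Router drops the packet and emits ICMP type 3 code 4
            # ("fragmentation needed"), which carries the next-hop MTU.
            return "too_big", hop.mtu
        df = False  # fragmented here; later hops may fragment again
    return "delivered", None

def transfer(path, size=1500, icmp_allowed=True, max_tries=4):
    """Sender with DF set pushes one packet, retrying on loss.

    Returns (outcome, final_packet_size)."""
    for _ in range(max_tries):
        result, mtu = forward(size, True, path)
        if result == "delivered":
            return "ok", size
        if icmp_allowed:
            size = mtu  # policy (ii): PMTUD shrinks to the reported MTU
        # else: the ICMP error was filtered, so the sender only sees a
        # timeout and retransmits the same oversized packet.
    return "stalled", size

# Constructed path: 1500-byte LANs either side of a tunnel with a 1400-byte MTU.
VPN = [Hop(1500), Hop(1400), Hop(1500)]
VPN_FRAG = [Hop(1500), Hop(1400, clears_df=True), Hop(1500)]

if __name__ == "__main__":
    print(transfer(VPN, icmp_allowed=True))             # PMTUD works
    print(transfer(VPN, icmp_allowed=False))            # black hole
    print(transfer(VPN_FRAG, icmp_allowed=False))       # fragmentation rescues it
    print(transfer(VPN, size=100, icmp_allowed=False))  # small packets pass
```

In this model, applying neither policy is the only case that stalls, and it stalls only for packets larger than the tunnel MTU.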

Copyright 2010, SecurityFocus