RE: Question about SCP stalling over VPN

As with all networks, you need to have a policy of either:

i) always performing fragmentation as required and clearing the DF (don't fragment) bit on packets; or

ii) always allowing Path-MTU discovery to work by allowing ICMP unreachable (subtype fragmentation required) packets to flow freely from all points in your network and over the VPN.

Note that you need to do one (or both) of these policies consistently on both sides of your network.  Also note that the second option will give you the best performance and interoperability with the rest of the internet.

A technical document on why this is required can be found here:

<http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml>

How to put all this into practice:

<http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml>


--Paul


Matthew Case wrote:
> First and foremost, thank you to everyone for your responses. I checked
> the MTU on both sides and it's currently 1500 so I'm assuming it's not a
> mismatch. My VPN is a pair of old Netscreen 5xp boxes, and I can't find
> anything relating to MTU or packet size in the configuration, but I'm
> still looking.
> 
> Secondly, to answer your question John, there is no persistent
> connection between the servers. I could feasibly set up an NFS share
> between the two but I have a sneaking suspicion that if the problem is
> some sort of packet mangling by the VPN during file transfers, the
> actual mechanism used to transfer the file will be irrelevant.  However,
> I will set this up and test it and report back my results, most likely
> next Monday.
> 
> On 3/12/2010 3:41 AM, John Morrison wrote:
> > Matt,
> >
> > If you are using ssh do you need to use scp as well? Or is just plain copy ok?
> >
> > On 10 March 2010 03:04, Darren Tucker<dtucker@xxxxxxxxxx>  wrote:
> >
> >> Matthew Case wrote:
> >> [...]
> >>
> >>> I've looked high and low and haven't really come up with anything
> >>> definitive. Someone somewhere had mentioned fiddling with MTU settings, but
> >>> I'm not really sure what that will accomplish as I am unfamiliar with what
> >>> MTU is and does. If this question has been answered previously, I apologize
> >>> ahead of time. Thanks!
> >>>
> >> This does sound like the MTU problem to which you refer.  See
> >> http://www.snailbook.com/faq/mtu-mismatch.auto.html for details.
> >>
> >> --
> >> Darren Tucker (dtucker at zip.com.au)
> >> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
> >>     Good judgement comes with experience. Unfortunately, the experience
> >> usually comes from bad judgement.
> >>
> >>
> >
> >
> >
> 
> --
> 
> Matthew Case
> Specialized Business Software
> Software Engineer
> SCJP 5 Certified
> Phone: 440-542-9145
> Fax: 440-542-9143
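
The two policies in the reply above, and the failure when neither is applied, as an added example that is not part of the original thread: a toy Python model (constructed, not a packet capture) of a 1500-byte LAN path crossing a VPN hop. The 1400-byte tunnel MTU, the 20-byte headers and all function names are assumptions for illustration.

```python
IP_HDR = TCP_HDR = 20                 # assumed header sizes, no options
PATH = [1500, 1400, 1500]             # constructed: LAN, VPN tunnel (assumed 1400), LAN

def send(size, df, icmp_allowed, hops):
    """Carry one packet across the hops; return (status, detail)."""
    for mtu in hops:
        if size <= mtu:
            continue
        if not df:                    # policy (i): DF cleared, the router fragments
            per_frag = (mtu - IP_HDR) // 8 * 8
            return "fragmented", -(-(size - IP_HDR) // per_frag)
        if icmp_allowed:              # policy (ii): ICMP type 3 code 4 reaches the sender
            return "frag_needed", mtu
        return "black_holed", None    # DF set and the ICMP error filtered
    return "delivered", None

def transfer(total, df, icmp_allowed, hops=PATH, max_retries=3):
    """Send `total` payload bytes; the sender shrinks packets only on ICMP feedback."""
    pmtu, sent, retries, fragmented = hops[0], 0, 0, 0
    while sent < total:
        size = min(pmtu, total - sent + IP_HDR + TCP_HDR)
        status, detail = send(size, df, icmp_allowed, hops)
        if status == "frag_needed":
            pmtu = detail             # Path-MTU discovery: adopt the smaller MTU, resend
            continue
        if status == "black_holed":
            retries += 1              # the sender sees only a retransmit timeout
            if retries > max_retries:
                return {"result": "stalled", "sent": sent, "pmtu": pmtu,
                        "fragmented": fragmented}
            continue
        fragmented += status == "fragmented"
        sent += size - IP_HDR - TCP_HDR
        retries = 0
    return {"result": "complete", "sent": sent, "pmtu": pmtu, "fragmented": fragmented}

if __name__ == "__main__":
    for label, df, icmp in [("DF set, ICMP filtered", True, False),
                            ("DF cleared (policy i)", False, True),
                            ("DF set, ICMP allowed (policy ii)", True, True)]:
        print(f"{label:34} small={transfer(500, df, icmp)['result']:9}"
              f" large={transfer(100_000, df, icmp)}")
```

In the filtered case the small transfer completes while the large one stalls with nothing delivered, which matches a session that logs in normally and then hangs on the file copy.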


