VPN / NT4 Problem


Post by mpeter » Nov 13 03 9:13 am

Hi there...

We already did several successful VPN installations for our customers, but this time we were experiencing severe problems, which we couldn't solve for three days now...

Perhaps someone got an idea, otherwise I just seek some relief by putting my anger down... :-)

The customer has a Windows 2000 Professional computer as WinGate VPN server. Of course we are using the newest versions...
The customer's network also has a NT4 Server with PC Anywhere, which we want to remote-control via the VPN from a Windows 2000 Professional remote PC.

The VPN tunnel builds up without any problems, and routes also seem to be correct, as we were able to ping all computers in every possible combination...

When we try to establish a remote control session, PC Anywhere on the remote PC obviously gets some data from the Server's PC Anywhere Host, as it correctly verifies passwords and starts to show a remote control window.
But then windows shows a black remote screen, while it is possible to move the mouse pointer, with movements being correctly reproduced on the server. But there is absolutely NO CHANCE to get a picture of the server's desktop, the PC Anywhere screen stays black ALL THE TIME!!
We also tried this with VNC with the same results!!

It seems that after a few transferred data packages (for the session handshake) no more data is received from the server.

Now for a few details, that are EVEN MORE surprising.

1.
In our customer's local network (without using the VPN) we are able to remote control the server with PC Anywhere or VNC without any problems! Obviously the remote control software is working fine, but not over the VPN.

2.
What's even more surprising, is that we can also remote control any other Windows 2000 PC in the customer's LAN trouble-free over the VPN!!

3.
To verify this we also installed PC Anywhere and VNC on another NT4 (Workstation) machine in the customer's network with the same results:
- no problem remote controlling it in the local network
- correct session handshake (thus correct routing!!) over the VPN, but then just a black screen from the remote control software!!



So my question has to be:
Why can't we get a sustaining data transfer from NT4 PCs over the VPN???



Any ideas appreciated...
I hope someone can help or I have to think about taking WinGate VPN out of our portfolio (after years of successful WinGate selling) to avoid any incalculable, further problems...


bye
Matthias
mpeter
 
Posts: 1
Joined: Nov 13 03 8:09 am

Post by adrien » Nov 28 03 8:56 am

This sounds like an MTU issue.

I would imagine that screen updates send maximum sized packets, since there will be a lot of data, and mouse updates would be small packets.

With VPN there is a reduction in the maximum size packet that can go through.

This is because of the encryption and wrapping the packet in a tunnel header - the reduction is about 60 bytes per packet.

Most applications deal with this by a method known as Path MTU discovery, which relies on ICMP error messages sent by gateways when a packet is sent that is too big to be forwarded without being fragmented, and a field has been set in the IP header stating that fragmentation is not permitted on this packet.

WinGate fully supports this, including sending such ICMP errors up to the local machine if an outbound packet from the host machine is too big for the VPN.

However, there is one other option now: with WinGate VPN 1.2 we now also reduce the MSS value in TCP SYN and SYN ACK packets. This in most cases obviates the need for software to do Path MTU discovery (PMTUD).

The odd thing is that Windows does PMTUD itself by default.

So, it could be worthwhile trying the latest version 1.2.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
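
The MSS reduction described in the reply above, as an added example that is not WinGate's code or part of the original thread: it rewrites the MSS option of an IPv4 TCP SYN or SYN-ACK so that full-sized segments fit a tunnel MTU of 1500 minus the 60-byte overhead quoted there, then recomputes the TCP checksum. The 1500-byte link MTU, the function names and the sample packet (addresses, ports, IP header checksum left at zero) are assumptions constructed for illustration.

```python
import struct

TUNNEL_OVERHEAD = 60  # "about 60 bytes per packet", the figure given in the reply
LINK_MTU = 1500       # assumption: Ethernet underneath the tunnel
HEADERS = 40          # IPv4 (20) + TCP (20) without options

def checksum(data: bytes) -> int:  # RFC 1071 Internet checksum
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(ip: bytes, tcp: bytes) -> int:  # pseudo-header + segment
    return checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)

def find_mss(tcp: bytes):
    """Return the offset of the MSS value inside the TCP options, or None."""
    i, end = 20, min((tcp[12] >> 4) * 4, len(tcp))
    while i + 1 < end:
        kind, length = tcp[i], tcp[i + 1]
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if kind == 0 or length < 2 or i + length > end:
            break                          # end of list, or malformed: give up
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None

def clamp_mss(packet: bytes, tunnel_mtu: int = LINK_MTU - TUNNEL_OVERHEAD) -> bytes:
    """Lower the MSS of an IPv4 TCP SYN or SYN-ACK so full segments fit tunnel_mtu."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 6 or len(packet) < ihl + 20:
        return packet                      # not IPv4/TCP, or truncated
    ip, tcp = packet[:ihl], bytearray(packet[ihl:])
    off = find_mss(tcp) if tcp[13] & 0x02 else None   # MSS only appears with SYN
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= tunnel_mtu - HEADERS:
        return packet
    struct.pack_into("!H", tcp, off, tunnel_mtu - HEADERS)
    tcp[16:18] = b"\x00\x00"               # zero the old checksum, then recompute
    struct.pack_into("!H", tcp, 16, tcp_checksum(ip, bytes(tcp)))
    return ip + bytes(tcp)

def sample_syn(mss: int) -> bytes:  # constructed packet: 10.0.0.5 -> 192.168.1.10, DF set
    ip = bytes.fromhex("4500002c0001400040060000" "0a000005" "c0a8010a")
    tcp = bytearray(struct.pack("!HHIIBBHHHBBH", 40000, 5631, 1, 0, 0x60, 2, 8192, 0, 0, 2, 4, mss))
    struct.pack_into("!H", tcp, 16, tcp_checksum(ip, bytes(tcp)))
    return ip + bytes(tcp)
```

Clamping only affects TCP connections whose SYN crosses the tunnel; other protocols still depend on the ICMP "fragmentation needed" messages used by Path MTU discovery.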

