
Re: [Openvpn-users] Active Directory stuttering

  • Subject: Re: [Openvpn-users] Active Directory stuttering
  • From: Les Mikesell <lesmikesell@xxxxxxxxx>
  • Date: Thu, 01 Nov 2007 08:09:00 -0500

Gavin Hamill wrote:

> We've been using OpenVPN (from 1.99beta to 2.0.x) very successfully with
> Windows XP clients for a couple of years. Everyone was happy with the
> clicky-clicky GUI and ability to browse network drives without any extra
> work.
> Then the company grew, laptops stopped getting admin rights, and Active
> Directory came in with a proper file share system.
> Since that's happened, OpenVPN has been causing us a great headache that
> we've been unable to shift. I don't want to get involved at this early
> stage by posting huge wads of tcpdump output or configs, but suffice to
> say that connecting to network shares, or letting AD do its
> 'Synchronisation' for roaming profiles is stuttery.
> Saving a file might take 5 minutes because Windows is trying to contact
> the server so it can populate the list of drives in 'My Computer'.
> I've used tcpdump to see that packets are traversing both directions
> (from the AD server itself) and all seems well AFAICT.
> I just wondered if anyone had similar experiences?
> MS's own VPN solutions right now are IPSec and PPTP - both their own
> nightmare with NAT/firewalls, so we'd like to stick with OpenVPN if we
> can!

This could be an MTU problem.  MS likes to set the DF bit on just about 
everything and if you have firewalls blocking ICMP or you go through 
routers where the addresses on some of the connecting interfaces don't 
have full routing capability, automatic MTU discovery doesn't work.  I'm 
not sure what the best approach to fix this would be when using openvpn 
in a large network, though.  Tuning down the MTU on the servers is 
somewhat drastic but may be the only solution if they can't receive 
ICMPs from the openvpn server.

   Les Mikesell
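
The failure mode described in the reply above, as an added example that is not part of the original message: a toy Python model of DF-set packets crossing a lower-MTU hop with and without the ICMP "fragmentation needed" reply reaching the sender. The MTU values, the `TUNNEL` path and all function names are constructed assumptions for illustration.

```python
# Added example: toy model of path-MTU discovery (PMTUD) with DF-set packets.
# All MTU values and names here are constructed, not taken from the thread.
from dataclasses import dataclass

HEADERS = 40  # IPv4 (20) + TCP (20), no options

@dataclass
class Path:
    hop_mtus: list        # MTU of each link, sender -> receiver
    icmp_delivered: bool  # False: a firewall drops "fragmentation needed"

def send_df(path, size):
    """Send one DF packet; return (delivered, next-hop MTU hint or None)."""
    for mtu in path.hop_mtus:
        if size > mtu:
            # DF forbids fragmenting: the router drops the packet and emits
            # ICMP type 3 code 4, which only helps if it reaches the sender.
            return False, (mtu if path.icmp_delivered else None)
    return True, None

def transfer(path, sender_mtu, payload, max_tries=5):
    """Send payload bytes as DF segments; return (ok, final_mtu, drops)."""
    pmtu, sent, drops = sender_mtu, 0, 0
    while sent < payload:
        seg = min(payload - sent, pmtu - HEADERS)
        ok, hint = send_df(path, seg + HEADERS)
        if ok:
            sent += seg
            continue
        drops += 1
        if hint is not None:
            pmtu = hint                 # PMTUD works: shrink and resend
        elif drops >= max_tries:
            return False, pmtu, drops   # black hole: same size resent, never fits
    return True, pmtu, drops

TUNNEL = [1500, 1400, 1500]  # constructed: middle hop is the VPN link

def scenarios():
    blocked, open_ = Path(TUNNEL, False), Path(TUNNEL, True)
    return {
        "small_blocked": transfer(blocked, 1500, 200),      # small requests pass
        "bulk_blocked": transfer(blocked, 1500, 100_000),   # full-size segments stall
        "bulk_icmp_ok": transfer(open_, 1500, 100_000),     # PMTUD adapts
        "bulk_server_mtu_down": transfer(blocked, 1400, 100_000),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

Small packets succeed in every scenario, which is why a capture can show traffic flowing in both directions while bulk transfers hang.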
