FTP over VPN

Hello experts. Please advise! (Sorry for the long winded
explenation, but I want to make sure you have all of the information)

The company I work for has about 30 laptops (all are IBM ThinkPad -
Windows XP Professional) belonging to sales reps that work out of the
office. They must connect to the VPN or RRAS servers while "on the
road" in order to send orders and receive updates. The problem I am
experiencing is as follows:

ONLY a handful of machines are unable to ONLY download files using FTP
(active or passive) while connected to the VPN unless the data fits
into a single packet (If all of the data fits into a single packet,
the transmission works perfectly; and when sending orders over this
same connection, no matter the size of the transmission, it works
perfectly) (Most computers are have no problems with downloading
multiple packet transmissions, even when using the exact same internet
connection at the same time; side-by-side). This problem appears to
occur if the
data being received needs to be fragmented into multiple packets. The
computers that APPEAR to be affected are all of the machines that have
been, at one time or another, restored (although I have not verified
this completely using the restore partition on the hard drive)

I know the problem is not with the VPN, as most machines CAN use this
feature to receive updates in the mornings, and I know the problem is
not with the server as, as this issue happens EVERY time on certain
machines. That limits the issue to the individual computer, and some
setting that I am missing. Here is one thought, however I don't know
if this has anything to do with the issue I am experiencing:

I believe the problem may be a result of the MTU or MSS. The MTU on
the computers that are experiencing this problem seem to be larger
than that of the computers that are functioning properly. I have
found a way to change the MTU to a smaller size, but this doesn't seem
to resolve the issue. When using Ethereal on both client and server
machines, it shows the server stating that it will be sending packets
of a certain size (ie 1020 or so) and the client machine replies with
a confirmation that this size is acceptable. But when the server
sends the data, it is sent with larger size packets (ie 1400 or so)
and the client machine never even sees this attempt. I do not know
where to change the MSS and honestly don't know the difference between
the MTU and MSS, or if this will even make a difference.

Does anybody have any idea why this is happening? Future thanks for
all of the help!

"RBot" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
> ONLY a handful of machines are unable to ONLY download files using FTP
> (active or passive) while connected to the VPN unless the data fits
> into a single packet

No way a whole file is going to fit into a single packet. I don't think you
realize how small a packet is and how very little data is carried by one. It
takes serveral packets just to agree on the file name.

The first thing I would do is thourghly clean these things with some form of
anti-spyware. I would also remove any third party "tools bars" that have been
added. Probably a good idea to remove (not just disable) any third party
"firewalls" that may be on the machines. Then if they still don't work, then I
would say it is time to call MS Support. I would be totally amazed if something
of this nature gets solved in a newsgroup message if it goes beyond what I have
already suggested.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------

Thank you for responding so quickly. I know that there is no way to
put all of the data for a download into a single packet, I mis-spoke.
I meant if the data being transmitted (as I have tested this) fits
into a single transmission unit, the transfer goes through smoothly.
It is when the amount of data will not fit into a single transmission
unit, and must be fragmented, that the data will not transmit. Also,
this problem is not with spyware nor with third party toolbars, as I
am experiencing this issue with machines that have recently been
restored (and re-restored in some cases) in order to resolve this
issue, and it persists. There are also no third party firewalls
installed, and the integrated Windows XP firewall has been disabled
(by group policy-I have verified that it is disabled on the machines
experiencing this problem). I understand your doubts on the
newsgroups solving issues of this nature, and I can't help but to
agree with you. I do, however, like to post any questions I have in
case somebody has run accross the same scenario, or in the case of
somebody knowing who I can contact to resolve the particular problem I
am experiencing.

I posted this message in another newsgroup quite a while ago and
received a response (along the lines of MTU, MSS, PMTU) that I could
use some help in understanding. He said that:

"Generally you don't need to change these settings. If ICMP is
enabled from one to the other, Windows will calculate the PMTU and
adjust the MTU accordingly (and more importantly, dynamically). "

I am not sure how to check to see if ICMP is being allowed from one to
the other (due to the fact that they are already connected via the VPN
connection). Do you know how I could check this, or does this mean
anything to you that could help me resolve this issue? Thank you
again for your previouse response, and also for your future guidance!

"RBot" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Thank you for responding so quickly. I know that there is no way to
> put all of the data for a download into a single packet, I mis-spoke.
> I meant if the data being transmitted (as I have tested this) fits
> into a single transmission unit, the transfer goes through smoothly.
> It is when the amount of data will not fit into a single transmission
> unit, and must be fragmented, that the data will not transmit. Also,

Yes, that would probably be the MTU size. But I have never heard of this
happening with individual machines,...the problem typically occurs at a "routing
device" and effects all the hosts that have to use that routing device. That's
why (the individual machine thing) I think it may lead to a call to MS where
they have the tools and resources to dig much deeper into it than would be
possible in a newsgroup message.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

This problem I have seen before and reducing the size of the MTU solved the
problem. I don´t say it will solve your problem, but you might want to try
this.


--
----------------------------------------------------------------------------------------------------------------------------
Johan Engdahl
CCSA, CCSE, CCA, MCP | johan AT firewall1 DOT nu | http://www.firewall1.nu

"RBot" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
> Hello experts. Please advise! (Sorry for the long winded
> explenation, but I want to make sure you have all of the information)
>
> The company I work for has about 30 laptops (all are IBM ThinkPad -
> Windows XP Professional) belonging to sales reps that work out of the
> office. They must connect to the VPN or RRAS servers while "on the
> road" in order to send orders and receive updates. The problem I am
> experiencing is as follows:
>
> ONLY a handful of machines are unable to ONLY download files using FTP
> (active or passive) while connected to the VPN unless the data fits
> into a single packet (If all of the data fits into a single packet,
> the transmission works perfectly; and when sending orders over this
> same connection, no matter the size of the transmission, it works
> perfectly) (Most computers are have no problems with downloading
> multiple packet transmissions, even when using the exact same internet
> connection at the same time; side-by-side). This problem appears to
> occur if the
> data being received needs to be fragmented into multiple packets. The
> computers that APPEAR to be affected are all of the machines that have
> been, at one time or another, restored (although I have not verified
> this completely using the restore partition on the hard drive)
>
> I know the problem is not with the VPN, as most machines CAN use this
> feature to receive updates in the mornings, and I know the problem is
> not with the server as, as this issue happens EVERY time on certain
> machines. That limits the issue to the individual computer, and some
> setting that I am missing. Here is one thought, however I don't know
> if this has anything to do with the issue I am experiencing:
>
> I believe the problem may be a result of the MTU or MSS. The MTU on
> the computers that are experiencing this problem seem to be larger
> than that of the computers that are functioning properly. I have
> found a way to change the MTU to a smaller size, but this doesn't seem
> to resolve the issue. When using Ethereal on both client and server
> machines, it shows the server stating that it will be sending packets
> of a certain size (ie 1020 or so) and the client machine replies with
> a confirmation that this size is acceptable. But when the server
> sends the data, it is sent with larger size packets (ie 1400 or so)
> and the client machine never even sees this attempt. I do not know
> where to change the MSS and honestly don't know the difference between
> the MTU and MSS, or if this will even make a difference.
>
> Does anybody have any idea why this is happening? Future thanks for
> all of the help!
>

As I said before, we did reduce the MTU on the local machine, but the
server still sent a larger size transmission unit. Can you tell me
where to change the MTU in case I have done it in the wrong place?

Thanks again.