MS05-019 (893066) and KB898060 - and path MTU

I applied this security update to domain controllers at different locations
around the world connected via a VPN and all communication between the hosts
failed after about a day.

I opened a ticked with MS and was told that this is expected behavior and
that I need to hard code MTU settings on all my servers after applying this
update. If this did not work then I needed to apply a hot fix (see
http://support.microsoft.com/default.aspx?scid=898060)

I was luck as I have back door connectivity to my remote servers (via remote
management) so that I could make this change. Otherwise I would have had
remote office down for a long time while I got someone on site.

I cannot really get a good answer from Microsoft as to the status of this
issue and whether or not disabling path MTU will be including on all OS's
from now on (I believe this change is in 2003 SP1). If this is the case then
I need to hardcode MTU settings on all system forever which is not a viable
solution to me.

Has anyone come across this? If you have a VPN WAN and use path MTU then I
highly recommend that you fully read
http://www.microsoft.com/technet/sec.../MS05-019.mspx and
understand the consequences of the update.

Anyone any ideas on a way around this update going forward?

DB,

I have had the same problem happen over the last couple of weeks since
applying SP1.. I have only just applied the hotfix so we will see how it
goes.

Daniel

"DB" <(E-Mail Removed)> wrote in message
news:4B8705DD-8C4A-432D-ABE9-(E-Mail Removed)...
>I applied this security update to domain controllers at different locations
> around the world connected via a VPN and all communication between the
> hosts
> failed after about a day.
>
> I opened a ticked with MS and was told that this is expected behavior and
> that I need to hard code MTU settings on all my servers after applying
> this
> update. If this did not work then I needed to apply a hot fix (see
> http://support.microsoft.com/default.aspx?scid=898060)
>
> I was luck as I have back door connectivity to my remote servers (via
> remote
> management) so that I could make this change. Otherwise I would have had
> remote office down for a long time while I got someone on site.
>
> I cannot really get a good answer from Microsoft as to the status of this
> issue and whether or not disabling path MTU will be including on all OS's
> from now on (I believe this change is in 2003 SP1). If this is the case
> then
> I need to hardcode MTU settings on all system forever which is not a
> viable
> solution to me.
>
> Has anyone come across this? If you have a VPN WAN and use path MTU then
> I
> highly recommend that you fully read
> http://www.microsoft.com/technet/sec.../MS05-019.mspx and
> understand the consequences of the update.
>
> Anyone any ideas on a way around this update going forward?

keep me posted as to how everything goes.

The official explanation from MS on how to fix this is

1. Apply MS05-019 (893066) security update and reboot. This may break
communication to and from this host so make sure you have some alternative
method to connect to this system. We have IP KVM so we are ok!
2. After the MS05-019 is applied and the server is broken then apply hotfix
898060 (make sure you copy it to the server before #1 as you may never be
able to get it on there!)
3. reboot

Alternatively you can preempt the failure caused by #1 by manually changing
the MTU settings after #1 at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{DeviceID},
MTU (DWORD) = 543 (Decimal). Once the hotfix is applied you should be able
to removed this registry entry and reboot again.