Very slow Windows domain login over IPSec VPN

I'm experiencing very slow Windows domain logins over an IPSec VPN connection. The AD is in Site 1, some users are in Site 2. Two Cisco ASA firewalls connect both sites by an IPSec VPN over the Internet.
I made some registry changes on the Windows XP client on site2 to let Kerberos communicate over TCP instead of UDP. Still the logins take extremely long (45 minutes). Profiles are very small, so there had to be a problem with Kerberos, MTU sizes or something like that. I already changed the client's MTU settings to 1000 bytes, but login is still very slow. I made some sniffer logs...
Does anybody know what the problem can be?

Hi Remco,
The most common issue with slowness over VPN is going to be fragmentation. In general, below are the recommendations to avoid fragmentation:
1. For TCP traffic, use "ip tcp adjust-mss 1360" on the Internal LAN Interface on the Router. If you are using GRE then configure "ip mtu 1400" under the Tunnel Interface.
If you are not using GRE then the value of "ip tcp adjust-mss" depends on the type of transform-set being used, e.g. AES/3DES etc., so you can increase the value of the TCP adjust command from 1360 to a higher value. Though I will start from 1360 first for testing.
Also take a look at the below article for MTU Issues
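
A worked calculation of why the usable "ip tcp adjust-mss" value depends on the transform set (an added example, not part of the original reply). It assumes IPv4, tunnel-mode ESP with CBC ciphers and 96-bit HMACs, no IP or TCP options, and a 1500-byte path MTU; the NAT-T option is an extra assumption not mentioned in the thread.

```python
# Per-packet overhead of tunnel-mode ESP and the largest TCP MSS that avoids
# fragmentation. Header sizes are the standard IPv4/ESP/GRE values.

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
GRE_OVERHEAD = 24  # extra IPv4 header (20) + basic GRE header (4)
NAT_T_UDP = 8      # UDP header when ESP is encapsulated for NAT traversal

# Cisco transform name -> (IV bytes, cipher block bytes) for CBC mode
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
# Cisco transform name -> truncated ICV bytes (HMAC-MD5-96, HMAC-SHA1-96)
INTEGRITY = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def fixed_overhead(cipher, integrity, nat_t=False):
    """Bytes added to every packet regardless of its length."""
    iv, _ = CIPHERS[cipher]
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + INTEGRITY[integrity]


def esp_packet_size(inner_len, cipher, integrity, nat_t=False):
    """On-the-wire size of an ESP packet carrying an inner packet of inner_len bytes."""
    _, block = CIPHERS[cipher]
    # inner packet + ESP trailer is padded up to a multiple of the block size
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return fixed_overhead(cipher, integrity, nat_t) + encrypted


def max_tcp_mss(path_mtu, cipher, integrity, gre=False, nat_t=False):
    """Largest MSS whose full-size segment still fits in path_mtu after encryption."""
    _, block = CIPHERS[cipher]
    room = (path_mtu - fixed_overhead(cipher, integrity, nat_t)) // block * block
    inner = room - ESP_TRAILER          # largest packet that can be handed to ESP
    if gre:
        inner -= GRE_OVERHEAD           # GRE wraps the packet before ESP sees it
    return inner - IP_HDR - TCP_HDR


def fits(mss, path_mtu, cipher, integrity, gre=False, nat_t=False):
    """True if a full-size segment with this MSS crosses the tunnel unfragmented."""
    inner = mss + TCP_HDR + IP_HDR + (GRE_OVERHEAD if gre else 0)
    return esp_packet_size(inner, cipher, integrity, nat_t) <= path_mtu


def report(path_mtu=1500, candidate_mss=1360):
    """Ceiling MSS and whether candidate_mss fits, for each transform set."""
    rows = []
    for cipher in CIPHERS:
        for integrity in INTEGRITY:
            for gre in (False, True):
                rows.append({
                    "transform": f"{cipher} {integrity}",
                    "gre": gre,
                    "max_mss": max_tcp_mss(path_mtu, cipher, integrity, gre),
                    "candidate_fits": fits(candidate_mss, path_mtu, cipher, integrity, gre),
                })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

With a 1500-byte path MTU the ceilings come out at 1406 for esp-3des esp-md5-hmac and 1398 for esp-aes esp-sha-hmac, so 1360 leaves headroom in both cases.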

Similar Messages

  • Slow window domain logon over ezvpn netw ext mode tunnel

    I have 4 branch offices connected to a central EZVPN server in network extension mode.
    Tunnels are working correctly but domain logon is extremely slow (often more than 10 minutes).
    Do you think it could be a fragmentation issue?
    If it is, do you know any way to solve it?
    The errors reported in the Windows XP system logs are the following:
         System     > LSASRV 40961 no secure connection with server, no authentication protocol available
         Application> usernv 1030
         Application> usernv 1006

    I am in exactly the same situation with the ASA 5510 running security plus license, version 8.0(5), 512 MB RAM.
    Going to try to upgrade the IOS tonight and upgrade the RAM to 1GB to take it up to version 9; will let you know if it helps.
    Currently download speeds are very bad, around 14MB, whereas uploads are around 96 MB.

  • 9.0 can a dynamic nat be used over ipsec vpn?

    9.0 can a dynamic nat be used over ipsec vpn?
    We have a vpn up and working between two ASAs and when we run the traffic through a static nat rule the traffic passes over the vpn. When we use a dynamic nat the traffic does not get picked up by the vpn ACL.
    We are disabling the nat rules to switch back and forth so even when we use the same source destination the result is the same.
    Am I missing something with 9.0 code versions? If I disable all nats and pass the traffic it goes over the vpn.
    So it seems when using the dynamic nat statement it pushes the traffic to the outside interface without looking at the vpn acl. Please let me know if I am off base; I am a newb on post 8.3 code.

    I didn't do that at first because I remember reading something about in ver 9 to only use the unnatted IP because of order of ops. That seemed weird to me at the time.
    Yes, it seems that you need the nat ip like always. Should have just gone with my gut on that.

  • Is it possible to configure split-tunnel with l2tp over ipsec vpn on asa

    Dear, I want to know: is it possible to configure split-tunnel with l2tp over ipsec vpn on asa?

    Please help me.

  • Configure L2tp over ipsec vpn on ASA

    Hi dear, I want to configure L2tp over ipsec vpn on asa. My asa is behind a nat device (the nat device is a router).
    Will it work?

    Thanks for replying to me.
    I have a transform set for ipsec vpn client. Yes, you are right, I have the same sequence dynamic map. Which one should I change? And then what about the crypto map? How do I do it? Please write to me how to do it in my configuration.
    I have a real working network and I am hesitant to test it. Please write me how to do it.

  • Trying to connect to a L2TP over IPSec VPN

    There are quite a few threads on here about VPN's and Lion, and clearly quite a number of questions. However, I haven't found one that quite addresses the problem I've got and I've now exhausted all my ideas and am looking for help...
    I have a hardware VPN server that I know is working correctly. I normally have it setup so that all connections have to be L2TP over IPSec, but currently also have PPTP connections enabled.
    At the moment I can do the following:
    Connect to it from a machine running Windows 7 using all methods
    Connect to it from a machine running Snow Leopard using the in built PPTP and L2TP over IPSec network configurations
    Connect to it from a machine running Lion using the in built PPTP network configuration
    Connect to it from a machine running Lion using Equinux's VPN Tracker 6
    What I can't do is connect to it from a machine running Lion using L2TP over IPSec using the network configuration
    I have tried a clean install of Lion and entering the connections. I have tried using an install of Snow Leopard that works and then upgrading it. I just cannot get it to work.
    Looking at the logs on both the VPN server and my machine I can see that the IPSec connection is established but then my client says that it cannot connect to the server whilst my server is saying that CHAP login has failed.
    I have been through all of the potential solutions I can find on here or the wider internet, no matter how unlikely they seem to be to my problem. I've ensured that there are no potential firewall issues. I've also tried every setting I can think of on both my client and the server. I've tried changing secrets and passwords, including reducing their length, ensuring nothing like Back to My Mac can interfere, and even starting up in 32 bit mode.
    I've now exhausted my ideas. Does anybody have any ideas, a potential solution or managed to get this to work?
    My connection is set up to use a shared secret and a password.

    I am trying to set up connection to PureVPN for security purposes and have followed their config settings for my Macbook.
    So how do I check the ports on my machine, as I'm sure it's not a problem at their end. I only have one machine so don't understand how it is possible to see if ports are being blocked at my end.
    Do I run that /var/log/ppp.log in Terminal?

  • Photoshop CS6 very very slow (Windows 7)

    Hi, im desperate as ive run out of options i think. Photoshop CS6 behaves slow, very slow.
    Even with no document open, right after launch it reacts with delay on any mouseclick, sometimes it takes
    more than 20 seconds before a menu pops open after clicking. Painting paintbrushes are impossible slow.
    Basically any action is dragged.
    Its impossible to work like this. With all previous versions of PS i never encountered this.
    Things i tried :
    - turned off gpu acceleration (i read that gpu can cause performance issues, some ppl solved slowness by turning it off)
    - updated latest nvidia drivers
    - reinstalled photoshop
    - tried to inspect photoshop processes with ProcessHacker, even when at 5% cpu it runs extremely slow
    specs :
    Windows 7
    Nvidia GT545
    1 terrabyte free scratch disk space (on C:)
    8 gb ram
    CPU i7 2600

    Has it always run slow, or did this start recently?
    What anti-virus are you using?  Have you tried disabling it to see it that make a difference?
    Are you working over a network?

  • After Photoshop CC 2014 update - Photoshop is very slow (Windows 7)

    After updating today to the latest photoshop cc2014 Version, Photoshop starts very slow and is not useable.
    I updated from V. 2014.1.0 to 2014.2.1 20141014.r.257.
    Starting Photoshop Needs 6 minutes (before 1.5 minutes). The menue and button reactiontime is more than slow, you cant work with this Setup.
    Is there a Problem with the new release?
    And please Adobe, dont tell me, my System has a problem. Did only an update on the CC2014 Suite via creative cloud. Old PS Version (2014.1.0)runs great.
    After testing a few time, I recovered my System back to Version 2014.1.0 with Windows recovery and Photoshop works good again.
    So whats wrong with the new release?
    My PC config:
    Adobe Photoshop Version: 2014.2.1 20141014.r.257 2014/10/14:23:59:59 CL 987299  x64
    Windows 7 64-Bit
    Version: 6.1 Service Pack 1
    Intel CPU-Familie:6, Modell:10, Stepping:5mit MMX, SSE (ganze Zahl), SSE FP, SSE2, SSE3, SSE4.1, SSE4.2, Hyper-Threading
    Physischer Prozessor: 8
    Logischer Prozessor: 16
    Prozessor-Taktfrequenz: 2664 MHz
    Memory: 20463 MB
    Thanks for any tipp!

    The CC 2014 update 2014.2.1 is a month old and ACR 8.7 is two days old.  Something strange is happening to you.  First try resetting your Photoshop Preferences. This is an Adobe Photoshop User forum; you're not dealing with Adobe here. You seem to think you are, and your attitude seems like you're not open to the possibility that your system may have a problem. I think you may have one.
    Adobe CC 2014 Product Updates/Downloads for Windows
    Photoshop CC 2014
    File Download
    Adobe Photoshop 2014.2.1 Update for CC 2014 (64-bit)
    249 MB
    Release 15.2.1
    Adobe Photoshop 2014.2.1 Update for CC 2014 (32-bit)
    223 MB
    Adobe Photoshop 2014.2.0 Update for CC 2014 (64-bit)
    249 MB
    Release 15.2
    Adobe Photoshop 2014.2.0 Update for CC 2014 (32-bit)
    223 MB
    Adobe Photoshop 2014.1.0 Update for CC 2014 (64-bit)
    236 MB
    Release 15.1
    Adobe Photoshop 2014.1.0 Update for CC 2014 (32-bit)
    210 MB
    Adobe Camera Raw – ACR
    Adobe Camera Raw 8.7 Update for CC
    122 MB
    Release 8.7
    Adobe Camera Raw 8.6 Update for CC
    106 MB
    Release 8.6
    Adobe Camera Raw 8.5 Update for CC
    100 MB
    Release 8.5

  • Very Slow VDI Client Login Time

    My environment contains two Hyper-V Servers for DCs, Connection Broker, RD-Web, and two Hyper-V servers as virtualization host to thin clients. All Hyper-V servers are only 35% utilized and all client VMs don't have a performance issue.
    After setting up the roles and creating the "Personalized Pools", I open the RD-Web, click on the collection and here it takes a very long time in securing connection part, then a warning message appears for the connection broker self-signed certificate,
    I accept it and again a very long time to open the VM.
    After searching the internet I figured out that I should install "PFX" certificates for the connection broker (SSO, Publisher). In my environment, we don't use a public certificate from trusted root CAs, however, we have our own "Enterprise
    Root CA".
    I then figured that I should create a certificate with the following attributes:
    Advanced Key Usage: Server Authentication, Client Authentication
    Key Usage: Data encipherment, Digital Signature, Key Agreement
    I created the certificate and imported it to the RD CB, however, the "securing connection" part was even slower than before, so I duplicated the "Computer" certificate, and configured 1024 bit certificate instead of the old one "2048".
    The "securing connection" part is taking half the time now, however it is still very long "+60 seconds" to open the VM.
    I still suspect that it is a certificate issue and not sure if I have done the correct certificate.
    Would anyone help in this case and providing the correct steps to install a certificate for the RD CB from internal CA.

    To avoid confusion, let's focus on the same thread.
    Jeremy Wu
    TechNet Community Support

  • Time Capsule - Very slow and eventually unresponsive over wi-fi.

    I've been using my TC for some time now, but it was the first time I had to recover a file. I know it's slow as **** to backup over wi-fi and that it takes aaages to "prepare" the backup. Also I did the initial backup using a cable and not wi-fi.
    My question is: Why is it SO slow to browse and restore small files from a not-so-far-away backup, like, from yesterday? First, when I tried to browse the previous versions of the file it took aaaages to show the contents of the folder and eventually crashed while I stared incredulous the screen...
    Then when I tried again it took it a very long time to browse the folder (I went for a coffee...) and then another 5 minutes to restore a very small file.
    I know it's not supposed to be blinking fast, but it's borderline unusable. Isn't it supposed to be at least "not annoying"?

    Experiencing the same problem. Drag/Dropping a 30Mb file from my HD to TC takes about a minute. Tried about all suggestions and didn't see an improvement. TC is in 5GHZ n mode with only my iMac as a client. Speeds should be around 9 Mb/s instead of the 0.5 Mb/s I'm observing. I've switched off Spotlight indexing for TC, de-activated the Airport status indicator, did several hard resets of TC and put ACK at zero instead of the default value of 3. No major impact; my 30Mb file continues to be transferred in around 60 seconds from iMac to TC. I read one comment that TC might be sensitive to heat, so my next trial-and-error initiative will be to put TC in a cooler spot to see if this has an effect. I'm very eager to learn how to get TC up to 9 Mb/s and hope Apple will pick up on this discussion. I assume they're very aware of the issue as there's quite some discussion going on on this topic. One thing I also tried was downgrading TC firmware to a more stable version, where Airport Extreme v5.5 was advised. I didn't succeed, assuming this old version is not compatible with my Intel Mac. I would like to know if there's a stable robust throughput firmware version available for TC I could downgrade to...??

  • Smtp_out very slow external domains

    I have ocs 10.1.2 on Red Hat Enterprise Linux ES release 4 (Nahant Update 2)
    When I send mail to an external domain,
    smtp_out is very slow to close the session.
    When I send 2 mails to the same outside user, the second mail is very slow to be delivered
    because smtp_out tries the last session, which is closed by the remote host.
    My ocs is directly connected to Internet so no relay needed.
    OCS / External Domains
    SYN -->
    <--- SYN
    PUSH --->
    15,30 minutes later
    FIN ----> (I suppose ignored by the remote server)
    Thank you

    OiDAdmin / Directory Manager:
    Entry Management, OracleContext, Computers, midtier, midtier ORACLE_HOME,
    EMailServer, mailprocessconfig, smtp_in:
    Right hand site, click on "All" attributes.
    Change: orclmailsmtpminqueueage from 30 to 1
    Add: orclmailsmtpminqueuepollinterval: 10
    Entry Management, OracleContext, Computers, midtier, midtier ORACLE_HOME,
    EMailServer, mailprocessconfig, smtp_out:
    Right hand site, click on "All" attributes.
    Change: orclmailsmtpqueuepollinterval: 120 to 10.
    orclmailsmtpconnectionnumber: 30 to 0 (yes you read correctly)
    orclmailsmtpminqueueage: 30 to 1
    Stop and restart both smtp_in and smtp_out.

  • Help with Windows Domain Login on Mac

    Hello Everyone,
    We have two Mac Pros at my work running Mac OS 10.5.8 and they are attached to the Windows Server / Domain so when the Mac is turned on you login with your Domain credentials (using Win Server to Authenticate). Now all of this has been working fine since the computers were purchased a year ago, until two days ago that is. I turned on the Mac Pro in the morning and tried to login, and the Mac would freeze and do nothing. I restarted and tried again, using the same credentials I always use, but nothing worked. I called the IT guys and had my windows user account reset thinking that the password was expired, still didn't help, so I asked them to reset the whole account, still didn't help.
    At this point I asked a few of my co-workers to login on my Mac using their login info, and they had no problems at all. I decided to dig deeper into this problem and logging in under a "local" Mac account I went into the "Accounts" preferences to check what was going on, to my surprise my Domain account was visible (normally it wasn't unless you were logged in) and under the account it said "sharing only".
    I am still trying to figure out why my Domain account was changed from "Admin, Managed" to "Sharing Only"? So I decided that the easy fix here was to use a previously made (and tested) image file which I created when the Mac Pro was first setup and all the software was installed. So after cloning the image to the Mac HD I turned on the Mac and tried to login, again nothing happened. I can login using the local account, and my co-workers can login fine, but my domain login just refuses to work. I have also tired to login on other Macs in the department and I can login just fine on each one, the only Mac that doesn't let me login is my machine.
    I have run out of ideas, short of re-installing the entire system from scratch.. which I really don't want to do unless I have to. But if anyone out there has any ideas I would more than welcome them.
    Thanks in advance..

    It's probably related to some type of DRM (copy-protection) on the digital copy, and not due to it being any particular type of file format. The DRM scheme probably only works under Windows. And if that is the case, I don't think you will be able to get it to work under Mac OS X, short of running VMware Fusions or Parallels Desktop (or Sun's free VirtualBox) and installing Windows to run under Mac OS X.
    Considering the popularity of Macs recently, and higher use of Macs among creative folks, it's pretty stupid for the studio/distributor to make a key feature Windows-only.

  • Windows Domain login and timer

    We are binding several Macs to the windows domain here.  That really hasnt been an issue, we used Centrify Express, and that went fine.  Users can log into the domain no problem.  All the Macs were built with a service account (UID svc-account) similar to an admin account on windows.  Any user can sit down at a Mac and if they enter good domain credentials they get logged in.
    But when a mac is first powered on, and gets to the login screen, the svc-account is first presented, then after about 10 sec, a little arrow appears.  by clicking on the arrow, you can choose "other user" and log in with domain credentials.  Is there a way to shorten this timer, or default to "other user", or default to any domain user account?


  • Very Slow Windows Networking

    My department is running OS X 10.4, and we're networked with a Windows server for storage and job backup. One of our main backup servers is very slow. Logging into the server can take up to 5-7 minutes, and for a period of 5-7 minutes after that the machine logging into the server will run very slow, even when not copying a file.
    Now the backup server is quite large (almost a terrabyte), which is my belief why it runs so slowly. We have two other servers on the same network that behave fine.
    Is there something on my end (OS X) that can speed up the problem, or is this a server issue? My boss is demanding answers and our Windows IT guy is placing the blame solely on our Macs (with no evidence of course). Help!

    Google for "SMB performance". There are a bunch of discussions on macosxhints on how to tweak SMB performance on Max OS X. I have tried a few different ones, which all seem to help in some small way. YMMV.
    Apple SMB is not known for its performance.

  • GRE OVER IPSec vpn

    This is a lab I did today, and of course I am able to understand this lab, but the points of confusion are:
    1. Why do we use the crypto map on both interfaces (physical interface or tunnel interface)?
    2. When I remove the crypto map from the tunnel interface I receive this message
    ( R2691#*Mar  1 01:12:54.243: ISAKMP:(1002):purging node 2144544879 )
       Please tell me what is the meaning of this message.
    3. But I can see the vpn is working fine. This is the crypto sa and crypto isakmp sa:
    R2691#sh crypto ipsec sa
    interface: Serial0/0
        Crypto map tag: vpn, local addr
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (
       remote ident (addr/mask/prot/port): (
       current_peer port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
        #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.:, remote crypto endpt.:
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
         current outbound spi: 0xDBF65B0E(3690355470)
         inbound esp sas:
          spi: 0x44FF512B(1157583147)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 5, flow_id: SW:5, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4598427/3368)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDBF65B0E(3690355470)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 6, flow_id: SW:6, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4598427/3368)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    R2691#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status        QM_IDLE           1002    0 ACTIVE
    IPv6 Crypto ISAKMP SA.
    4. How do I know it is using GRE over IPsec?
    I have also attached my topology on which I did the lab.

    Mr. Anuj, here is my config
    R7200#sh ip int b
    Interface                  IP-Address      OK? Method Status                Protocol
    Serial1/0                YES NVRAM  up                    up
    Loopback1                YES NVRAM  up                    up
    Loopback2                YES NVRAM  up                    up
    Tunnel0                  YES NVRAM  up                    up
    Tunnel1                  YES NVRAM  up                    up
    Tunnel2                  YES NVRAM  up                    up
    R7200#sh int tunnel 0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is
      MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source (Serial1/0), destination
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:00:04, output 00:00:04, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         2229 packets input, 213651 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         2292 packets output, 220520 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    my crypto acl
    access-list 101 permit gre host host
