I've been having a problem with a VPN client for months now where it would exit out of the connection very frequently complaining that the routing table could not be changed once the VPN was up. And routes were being added, but I had no idea why. Not only that, but they were useless host routes for random computers I was talking to on the internet that pointed them to my default router, where they were routed to anyway. I finally did some in-depth research and came to the conclusion that those routes were being added as a result of the OS receiving ICMP Fragmentation Needed packets. I reduced my MTU to an absurdly small size (500) and I've now had the VPN up for hundreds of times longer than I ever have before.

I want to know if it seems reasonable for the OS (WinXP Pro and Home) to add host routes when it receives an ICMP Fragmentation Needed packet. Other than my VPN client being anal, it's pretty innocuous to add redundant routes, but I don't see any reason it should be doing it at all. Maybe it keeps MTU sizes for particular hosts in the routing table? If so, it doesn't show it to me in any routing table UI I know of.

Anyway, if anyone has any feedback on this, I'd love to hear it.

No clue at all. I just wanted to lend support, as I'm fighting with my own VPN issue at the moment. I'll avoid thread hijacking till tomorrow.

Matthew

I wonder if this was related to the VPN client issue that I had to work around with the SonicWall VPN client a while back... I was on tech support with them, and they gave me a specific work-around of certain numbers to change in the VPN client configuration screens. Don't have that information handy right now, but this is sounding familiar. The main thing was that I didn't have to change the windows network configuration, just the sonicwall client configuration.

I have seen strange results with MTU in networking configurations - not as much VPN, but the old Microsoft Network Sharing type stuff and DSL. Use "ping -f -l size" to get a feel for what your maximum safe packet size is.

It sounds like the other networks might be using an odd network metric, and yours is lower, so it chooses you to route through???

Well, it was late last night when I posted, so I didn't think about doing further research once I had that piece of information. Getting just that was a collosal frustration. It looks like WinXP (and prior OSes, probably) use Path MTU Discovery, which means that it finds MTU sizes for each individual host it communicates with. This isn't really necessary, however, as communication can go on without that by just letting the intermediary routers fragment the packets as needed. It's slightly more efficient to do PMTUD, but not by a whole lot, probably doubling packet overhead on the receiving end at most. (Packet overhead is something like 56 bytes per packet for TCP over ethernet.)

So I haven't tested this yet, but I'm about to. Cross your fingers for me.

What are you using the show you the routing in a UI? I only know of the command line program route.

Just route, like you said. The command line is a user interface.

Well, it looks like that worked. I disabled Path MTU Discovery, and, since the docs said that that reduces the MTU to 500 and some, I upped the MTU manually (which I'm not really sure actually worked) and everything's good. I even undid all the other changes I'd made.

I'll avoid thread hijacking till tomorrow.


Since Bitt seems to have solved his problem, would it be OK if I hijacked the thread? Just a little bit?

I just tried (for the first time) to VNC into my work computer from home. My work computer is running Win2K, home computer WinXP.

I always lock my work computer when I leave it, so that the message about "...computer is locked and can only be opened by God..." or some such is displayed. I have to key in ctrl-alt-del and enter a password to unlock it.

So, here I am at home, looking at the lock message, thinking, "Hey, it worked." I enter ctrl-alt-del to get to the password dialog box, and of course the only thing that happens is that it opens up the Windows task manager on my home computer.

Do I have to leave my work computer unlocked in order to VNC into it from home, or is there a workaround to this?

tanstaafl.

You can't press Ctrl+Alt+Del on your home PC and have it sent to the remote PC via VNC. Click on the window menu icon in the top left and select Send Ctrl+Alt+Del.

Yup, what Trevor said. Remote control programs that control Windows PCs always have a way to send special system keystrokes to the remote host. For example, there was one package I used (forget which one it was) where their keyboard shortcut for sending Ctrl-Alt-Del was Ctrl-Alt-D.

Shift+Ctrl+Alt+Del will also work in VNC

I believe Remote Desktop Connection is Ctrl+Alt+End

What the heck is (Alt Gr) ?

The Right Alt+Del doesn't work for me on a Win2k3 server with WinXP client. Only the Ctl+Alt+End mentioned above works. Curious.

Shift+Ctrl+Alt+Del will also work in VNC


Thank you! I will give that a try when I get home.

tanstaafl.

Definitely a different key:

http://en.wikipedia.org/wiki/Alt_Gr