Question : troubleshooting easy vpn remote

Hi

I have a problem with easy vpn network extension, tunnel works fine i can ping from remote subnet to Server and vice versa . i can also use some apps like windows remote desktop but some others not like apple remote desktop or biometric device (both uses udp).

below the conf's

regards

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242:

--------Server conf crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group VPNIntecnia key intecniavpn pool SDM_POOL_1 acl 100 save-password crypto isakmp profile sdm-ike-profile-1 match identity group VPNIntecnia client authentication list sdm_vpn_xauth_ml_1 isakmp authorization list sdm_vpn_group_ml_1 client configuration address respond virtual-template 1 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac ! crypto ipsec profile SDM_Profile1 set transform-set ESP-3DES-SHA set isakmp-profile sdm-ike-profile-1 ! ! crypto dynamic-map SDM_DYNMAP_1 1 set transform-set ESP-3DES-SHA1 reverse-route ! ! crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2 crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2 crypto map SDM_CMAP_1 client configuration address respond crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 ! ! ! ! interface ATM0 no ip address no atm ilmi-keepalive dsl operating-mode auto ! interface ATM0.1 point-to-point description $ES_WAN$$FW_OUTSIDE$ no snmp trap link-status pvc 8/81 pppoe-client dial-pool-number 1 ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Virtual-Template1 type tunnel ip unnumbered Vlan1 tunnel mode ipsec ipv4 tunnel protection ipsec profile SDM_Profile1 ! interface Virtual-Template2 type tunnel ip address 172.17.52.111 255.255.255.0 ip virtual-reassembly tunnel mode ipsec ipv4 ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$ ip address 172.16.1.1 255.255.255.0 ip access-group sdm_vlan1_in in ip nat inside ip virtual-reassembly ip tcp adjust-mss 1412 ! interface Dialer0 ip address negotiated ip mtu 1452 ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname aloguerrero ppp chap password 7 130C19060E0F0A232A ppp pap sent-username aloguerrero password 7 0828425A0C1A0B1E13 crypto map SDM_CMAP_1 ! ip local pool SDM_POOL_1 172.16.1.122 172.16.1.126 ip route 0.0.0.0 0.0.0.0 Dialer0 ! ! ip http server ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 no ip nat service sip tcp port 5060 no ip nat service sip udp port 5060 ip nat inside source static tcp 172.16.1.13 8080 interface Dialer0 8080 ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload ! ip access-list extended sdm_vlan1_in remark SDM_ACL Category=1 permit tcp any any eq smtp permit tcp any any eq pop3 permit tcp host 172.16.1.20 any permit tcp host 172.16.1.4 any permit udp host 172.16.1.4 any permit tcp any any permit ip any any ! logging 172.16.1.1 logging 172.16.1.113 access-list 1 remark INSIDE_IF=Vlan1 access-list 1 remark SDM_ACL Category=2 access-list 1 permit 172.16.1.0 0.0.0.255 access-list 100 remark SDM_ACL Category=4 access-list 100 permit ip 172.16.1.0 0.0.0.255 any access-list 101 remark SDM_ACL Category=4 access-list 101 permit ip 192.168.1.0 0.0.0.255 any access-list 102 remark SDM_ACL Category=4 access-list 102 permit ip 192.168.1.0 0.0.0.255 any access-list 103 remark SDM_ACL Category=4 access-list 103 permit udp 192.168.1.0 0.0.0.255 any log access-list 103 permit ip 192.168.1.0 0.0.0.255 any log access-list 103 permit udp 172.16.1.0 0.0.0.255 any access-list 103 permit ip 172.16.1.0 0.0.0.255 any access-list 104 remark SDM_ACL Category=4 access-list 104 permit ip 172.17.52.0 0.0.0.255 any access-list 105 remark SDM_ACL Category=2 access-list 105 deny ip any host 172.16.1.122 access-list 105 deny ip any host 172.16.1.123 access-list 105 deny ip any host 172.16.1.124 access-list 105 deny ip any host 172.16.1.125 access-list 105 deny ip any host 172.16.1.126 access-list 105 deny ip 172.16.1.0 0.0.0.255 host 172.16.1.122 access-list 105 deny ip 172.16.1.0 0.0.0.255 host 172.16.1.123 access-list 105 deny ip 172.16.1.0 0.0.0.255 host 172.16.1.124 access-list 105 deny ip 172.16.1.0 0.0.0.255 host 172.16.1.125 access-list 105 deny ip 172.16.1.0 0.0.0.255 host 172.16.1.126 access-list 105 permit ip 172.16.1.0 0.0.0.255 any dialer-list 1 protocol ip permit no cdp run ! ! ! route-map SDM_RMAP_1 permit 1 match ip address 105 ! ! ------ Client Conf ! ! crypto ipsec client ezvpn intecnia connect auto group VPNIntecnia key intecniavpn mode network-extension peer 189.130.202.XXX acl 100 virtual-interface 1 username vpn password vpnintecnia xauth userid mode local ! ! archive log config hidekeys ! ! ! ! ! interface ATM0 no ip address no atm ilmi-keepalive dsl operating-mode auto ! interface ATM0.1 point-to-point description $ES_WAN$ pvc 8/35 pppoe-client dial-pool-number 1 ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Virtual-Template1 type tunnel ip unnumbered Dialer0 tunnel mode ipsec ipv4 ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ ip address 172.17.51.1 255.255.255.0 ip nat inside ip virtual-reassembly ip tcp adjust-mss 1412 crypto ipsec client ezvpn intecnia inside ! interface Dialer0 ip address negotiated ip mtu 1452 ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname XXXXXXXXXXXXXX ppp chap password 0 XXXXXXXXXXXXX ppp pap sent-username XXXXXXXXXXX password 0 XXXXXXXX crypto ipsec client ezvpn intecnia ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 Dialer0 2 ! ip http server ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source list 3 interface Dialer0 overload ! access-list 3 remark SDM_ACL Category=2 access-list 3 deny 172.16.1.0 0.0.0.255 log access-list 3 permit 172.17.51.0 0.0.0.255 access-list 100 remark SDM_ACL Category=4 access-list 100 permit ip 172.16.1.0 0.0.0.255 any dialer-list 1 protocol ip permit no cdp run !

Answer : troubleshooting easy vpn remote

Clearing DF bit may do the job, but the traffic will become very slow because of time spent in reassembly. You should rather ensure that the packets do not get fragmented in between. Although if the packets get fragmented at the endpoints b4 encryption, it may make things work right. There are many ways to accomplish this:
i)First is as i said manually tweak the mtu on tunnel interfaces but i just noticed that you don't have any tunnel interface as its ezvpn. Also the problem is with some kind of traffic only.
ii)PMTUD: Router should do a discovery process
iii)Set the DF bit in encapsulated packet and then allow fragmentation b4 encryption
crypto ipsec df-bit set or crypto ipsec df-bit copy
crypto ipsec fragmentation before-encryption