Re: VPN connection allows telnet/ssh but sftp/ftp fails

• Previous message: Heiko Dudzus: "Re: Hijacked Xterm"
• In reply to: strepxe_at_yahoo.co.uk: "VPN connection allows telnet/ssh but sftp/ftp fails"
• Next in thread: strepxe_at_yahoo.co.uk: "Re: VPN connection allows telnet/ssh but sftp/ftp fails"
• Reply: strepxe_at_yahoo.co.uk: "Re: VPN connection allows telnet/ssh but sftp/ftp fails"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 13 Jun 2005 19:06:48 GMT

In article <1118671659.789929.122380@z14g2000cwz.googlegroups.com>,
 <strepxe@yahoo.co.uk> wrote:
:we have setup a vpn to our customer site from our office and connect to
:unix servers using putty with ssh. we can also connect to the box using
:ssh/sftp and ftp to transfer files. while the ssh connection has no
:problem the file transfer mechanism has never works.

I'm a bit confused by those last two statements. I'm not sure if you
are saying that you have -configured- sftp and you can start transfers
over the VPN but the transfers fail; or if you are saying that
you have been successful with sftp when you are not going over the VPN ?

:in each case the
:connection is "reset by peer" or words to that effect. we are a bit
:stumped as to where the problem may lie; the customer is adament that
:it is on our side. any ideas about how i should go diagnosing things
:our end ?

The available tools would depend in part on which VPN device (and
software rev) you are using.

My shot in the dark would be that you are running into MTU problems.
putty/ssh are not generally going to be transfering full packets
(at least not in one of the two directions), but as soon as you
hit sftp then it is going to want to transfer large packets.

There is an overhead to VPNs that reduces the effective link MTU;
the exact amount of the overhead depends on the authentication
and confidentiality parameters you choose for IPSec (e.g., AH,
which ESP, whether you are using NAT-Traversal).

If both your ends have Path MTU Discovery turned on, but you are
filtering out ICMP Fragmentation Needed packets from getting through,
then the PMTUD is going to fail the first time it wants to send
a packet bigger than the effective MTU.

This problem does not occur if Path MTU Discovery is turned off
on either (or both) sides, because then the two sides will not
negotiate PMTUD, thus leaving it up to the VPN to fragment the
packets at need... which would be inefficient but effective
[provided that you haven't configured the VPN to forbid fragmentation.]

-- 
Feep if you love VT-52's.

• Previous message: Heiko Dudzus: "Re: Hijacked Xterm"
• In reply to: strepxe_at_yahoo.co.uk: "VPN connection allows telnet/ssh but sftp/ftp fails"
• Next in thread: strepxe_at_yahoo.co.uk: "Re: VPN connection allows telnet/ssh but sftp/ftp fails"
• Reply: strepxe_at_yahoo.co.uk: "Re: VPN connection allows telnet/ssh but sftp/ftp fails"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]