How MTU Size Affects Windows Login
14 years 11 months ago #33320
by skepticals
Long story short.
Why would having a small MTU size make logging into Windows take 10 min?
I had a point-to-point link from a provider that did not have jumbo frames enabled when using QinQ tunneling and it made logging into Windows take 10 min, but the overall speed wasn't bad. Once jumbo frames had been enabled everything was really fast.
Does it have to do with fragmenting the authentication frames or something?
14 years 11 months ago #33323
by KiLLaBeE
Replied by KiLLaBeE on topic Re: How MTU Size Affects Windows Login
Possibly. This may shed some light:
support.microsoft.com/kb/244474
The article basically says that the Kerberos protocol initially tries to use UDP for authentication. The issue that seems to be occurring in your situation is that when the UDP packets from Kerberos are sent over the tunnel, they are fragmented (because of the small MTU). When they are fragmented, they are lost (due to UDP's connectionless nature) and as a result this greatly delays the authentication process for Windows.
The article suggests changing a registry key on the client computer to force it to use TCP for Kerberos, as this would overcome the issue presented by fragmentation.
I've had issues like this with VPN clients, and this solution has beautifully resolved those problems.
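Added example (not part of the original posts or of the Microsoft article): a small Python model of the behaviour discussed above, showing how one Kerberos UDP message splits into IPv4 fragments at a given path MTU and why a threshold that forces TCP avoids this. The rule "UDP if the message fits the threshold, otherwise TCP" is an assumption based on the `MaxPacketSize` value that KB 244474 describes; the message sizes, MTUs and function names are constructed for illustration.

```python
IP_HEADER = 20    # IPv4 header, no options (assumption)
UDP_HEADER = 8

def kerberos_transport(message_len, max_packet_size):
    """Assumed client rule: UDP if the message fits the threshold, else TCP."""
    return "udp" if message_len <= max_packet_size else "tcp"

def ipv4_fragments(udp_payload_len, path_mtu):
    """Return [(offset, data_len, more_fragments)] for one UDP datagram."""
    total = UDP_HEADER + udp_payload_len           # bytes carried after the IP header
    per_frag = (path_mtu - IP_HEADER) // 8 * 8     # fragment data is a multiple of 8
    if per_frag <= 0:
        raise ValueError("path MTU too small")
    frags, offset = [], 0
    while offset < total:
        size = min(per_frag, total - offset)
        frags.append((offset, size, offset + size < total))
        offset += size
    return frags

def delivery_probability(fragment_count, fragment_loss_rate):
    """The datagram is usable only if every one of its fragments arrives."""
    return (1.0 - fragment_loss_rate) ** fragment_count

def plan(message_len, max_packet_size, path_mtu):
    """Return (transport, fragments).

    Assumption: over TCP the stack segments to an MSS that fits the path,
    so no IP fragments are produced.
    """
    transport = kerberos_transport(message_len, max_packet_size)
    if transport == "tcp":
        return transport, []
    return transport, ipv4_fragments(message_len, path_mtu)

if __name__ == "__main__":
    # Constructed sample sizes, not measurements from the thread.
    for mtu in (1500, 1400):
        for threshold in (2000, 1):
            transport, frags = plan(1400, threshold, mtu)
            print(f"mtu={mtu} threshold={threshold}: {transport}, {len(frags)} fragment(s)")
```

With these sample numbers, a 1400-byte message travels as a single packet at MTU 1500 but as two fragments at MTU 1400, and a threshold of 1 moves it to TCP in both cases.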
14 years 11 months ago #33334
by skepticals
Replied by skepticals on topic Re: How MTU Size Affects Windows Login
Interesting article...
If the UDP packets are lost in transmission when they arrive out of order due to fragmentation, why does the server ever get logged in? Does the server simply try over and over until the fragmented packets happen to arrive in order?
14 years 11 months ago #33345
by KiLLaBeE
Replied by KiLLaBeE on topic Re: How MTU Size Affects Windows Login
I suspect either that or the Kerberos protocol has built-in capabilities to resend packets that it receives no acknowledgement on... not sure. I glanced at the Kerberos RFC and saw some areas where it indicates that clients must resend requests.
14 years 11 months ago #33348
by skepticals
Replied by skepticals on topic Re: How MTU Size Affects Windows Login
I'm just wondering why the low MTU makes the login take 10 minutes, but it eventually works. Or does it not work and it is only using cached credentials, and that is the timeout?
14 years 11 months ago #33351
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: How MTU Size Affects Windows Login
Interesting talk.
You could try to temporarily disable caching of roaming profiles through local group policy. I believe this way it will not login using the cached credentials, so you will know then.
Anyone, correct me if I'm wrong.