A colleague is working with a Samba installation where Windows clients are accessing the server over a VPN. They are seeing an issue where a share is visible, but if a directory contains more than 8 files, they get an error. The VPN is set to allow everything in both directions. Windows->Window sharing does work OK across the link, as do other large file transfers (NFS, FTP). The Samba connections work OK locally, and if the firewalls are replaced with a router (the two 'sites' were original local for testing), then the problem goes away. However, the firewall policy doesn't limit anything (and wouldn't it break Windows too?) Does this ring any bells with anyone? The firewalls are Juniper Netscreens at both ends, for what it's worth. I've had a google around, and I can't see anything related to packet size or MTUs, which is what it smells like to me... (presumably the 9th filename ends up in a second packet, or a certain sized response). Thanks in advance for any pointers, Howie
At 04:35 25-07-2007, Howard Jones wrote:>A colleague is working with a Samba installation where Windows clients >are accessing the server over a VPN. They are seeing an issue where a >share is visible, but if a directory contains more than 8 files, they >get an error. > >The VPN is set to allow everything in both directions. Windows->Window >sharing does work OK across the link, as do other large file transfers >(NFS, FTP). The Samba connections work OK locally, and if the firewalls >are replaced with a router (the two 'sites' were original local forWhen you put in a router, you are taking the VPN out of the picture.>testing), then the problem goes away. However, the firewall policy >doesn't limit anything (and wouldn't it break Windows too?)Does that mean that the firewalls are turned off? The effects of the firewall policy may only be noticeable under certain circumstances like that one you described about. Verify the firewall logs to see whether anything gets blocked.>Does this ring any bells with anyone? The firewalls are Juniper >Netscreens at both ends, for what it's worth. I've had a google around, >and I can't see anything related to packet size or MTUs, which is what >it smells like to me... (presumably the 9th filename ends up in a second >packet, or a certain sized response).That sounds like a MTU related issue. The traffic get encapsulated as it goes over the VPN and you may see packet fragmentation. Regards, -sm
Howard Jones wrote: Does this ring any bells with anyone? The firewalls are Juniper Netscreens at both ends, for what it's worth. I've had a google around, and I can't see anything related to packet size or MTUs, which is what it smells like to me... (presumably the 9th filename ends up in a second packet, or a certain sized response). I've seen this type of behavior with a cisco to cisco vpn connection -- all workstations are xp, and one out of eight could not browse/see/access files on the other end of the vpn. I used dr. tcpip to change the mtu to 1400, and enable the rwin to 32000 (or whatever they suggested) and life was good from then on. Weird, as it was only one machine that was having the issues. Say thankya to Microsoft for being consistent. :) Hope that helps, -=R
Howard Jones wrote:> A colleague is working with a Samba installation where Windows clients > are accessing the server over a VPN. They are seeing an issue where a > share is visible, but if a directory contains more than 8 files, they > get an error. > > The VPN is set to allow everything in both directions. Windows->Window > sharing does work OK across the link, as do other large file transfers > (NFS, FTP). The Samba connections work OK locally, and if the firewalls > are replaced with a router (the two 'sites' were original local for > testing), then the problem goes away. However, the firewall policy > doesn't limit anything (and wouldn't it break Windows too?) >Just for the archive, the final solution appears to be the following config in the netscreens to enable path MTU discovery, and alter the maximum segment size for VPNs: set flow path-mtu set flow tcp-mss 1452 I'm still unclear on why this affects the samba session but not the windows->windows session, or FTP, or NFS, but there you are. Howie