2.8 Virtual Private Network (VPNs) Info

There are usually two common problems associated with VPN connectivity:

You cannot connect to the VPN server at all.
- If you cannot connect to your VPN server at all and have a router (Westell or other), the VPN application may require you to either open certain ports, assign an IP to a specific computer, or use a separate PPPoE client directly on the computer. For more information please click here.

You can connect and authenticate to the VPN server but nothing else happens and applications stall, time out, or fail to load.
- If you can connect and authenticate but applications stall, time out, or fail to load, your MTU (Maximum Transmission Unit) may be incorrect. The following FAQ section is designed to help you find the proper MTU size for your VPN. To determine the correct MTU size for your VPN please click here.

    Helpful hint: One way to verify whether it is an MTU problem is to try to access the application or website via dial-up access. Since dial-up uses a default MTU of 576 bytes, you will not have the same problems as with broadband. If you have problems with both broadband and dial-up access, then the problem is probably something else.


      Andy Houtz DSL

      by Andy Houtz, edited by FAQFixer
      last modified: 2006-12-22 00:11:03

      If you can connect and authenticate but applications stall, time out, or fail to load, your MTU (Maximum Transmission Unit) may be incorrect. If you are unable to connect to the VPN at all, please click here.

      Troubleshooting Tip: If broadband users are having trouble with the VPN, have them try to connect via dial-up (if possible). If users can access the VPN correctly using dial-up, it is probably an MTU issue. Dial-up connections use a default MTU of 768 bytes.

      The standard Ping Test is not the best way to determine your optimum MTU when using a VPN client. Although tedious, manually adjusting the MTU by trial and error is the best method: change the MTU, test the VPN for connectivity, and repeat until you find the largest MTU that works.

      Important Note: You must lower the MTU on all client PCs as well as the VPN Server(s). Many client-side applications adjust the MTU automatically when they are installed on the end user's PC; however, the VPN server is commonly overlooked. Please reference the MTU troubleshooting article for a brief overview of the problem.

      The MTU size of a network adapter can be changed in one of two ways:
        1) Locate the Windows registry key associated with the adapter and manually change the key.
        2) Use a third-party application (such as DrTCP) with a GUI. Since there are so many variables when editing the registry, this FAQ provides a step-by-step procedure using DrTCP.

      Adjusting the MTU for a VPN using DrTCP

      Step 1
      Download DrTCP and open the application. Select the proper VPN network adapter from the pull-down menu and change the MTU to 1400 bytes. Important Note: There may be more than one network adapter showing in the pull-down menu for your PC. You must make sure you change the MTU on the correct network adapter associated with your VPN client. If there is any doubt as to which adapter is the correct one, change the MTU on all adapters. Restart your PC. The changes will not be set unless you completely restart your PC.




      Step 2
      After the PC has restarted, open a VPN session and test your connectivity to the server as well as any applications.
        If your VPN works correctly at 1400 bytes
        Repeat Steps 1 and 2 but increase your MTU to 1420 bytes. Continue to repeat Steps 1 and 2 (increasing your MTU by 20 bytes each time) until your VPN does not function correctly, then back the MTU down to the last known fully functional MTU size. Remember you must restart the PC after every MTU change.

        If your VPN does not work correctly at 1400 bytes
        Repeat Steps 1 and 2 but decrease your MTU to 1380 bytes. Continue to repeat Steps 1 and 2 (dropping your MTU by 20 bytes each time) until your VPN functions correctly. Remember you must restart the PC after every MTU change.

      Important Notes
      • Some Linksys router models/firmware versions have an "Auto" MTU capability that does not function correctly. You must enable the manual MTU function and adjust the size to 1492 (or less).
      • If you have a network with more than one computer, all NICs, adapters, and router(s) should have the same MTU setting. Please reference the links below to learn how to change the MTU on some popular routers:
      MTU change on a Linksys Router
      MTU change on a D-Link Router


      Feedback received on this FAQ entry:
      • I have a pc using VPN that functions at an MTU of 1350 and several other pcs that don't use VPN that function at an MTU of 1500. Should I set the MTU on all my machines to 1350? pdeprez1@aol.com

        2008-08-15 01:44:14



      by Andy Houtz, edited by FAQFixer
      last modified: 2008-08-13 15:41:02

      Yes, most definitely! Clients and servers that are set to an MTU of 1500 may experience latency, fragmentation, or may not work at all when used in conjunction with PPPoE DSL. The MTU MUST be lowered on all client PCs and the server network adapter(s).
      Many client-side applications adjust the MTU automatically when they are installed on the end user's PC; however, the VPN server is commonly overlooked. Please reference the MTU troubleshooting article from Cisco for a brief overview of the problem. Important Note: You must lower the MTU on all client PCs as well as the VPN Server(s).

      DrTCP can be used to lower the MTU on almost any client or server available, and a step-by-step guide is shown below.

      Step 1
      Download DrTCP to all VPN-enabled PCs/Servers and open the application. Select the proper VPN network adapter from the pull-down menu and change the MTU to 1400 bytes. Important Note: There may be more than one network adapter showing in the pull-down menu. You must make sure you change the MTU on the correct network adapter associated with your VPN. If there is any doubt as to which adapter is the correct one, change the MTU on all adapters. Restart the PC or Server. The changes will not be set unless you completely restart your PC.




      Step 2
      After the PC has restarted, open a VPN session and test your connectivity to the server as well as any applications.
        If your VPN works correctly at 1400 bytes
        Repeat Steps 1 and 2 but increase your MTU to 1420 bytes. Continue to repeat Steps 1 and 2 (increasing your MTU by 20 bytes each time) until your VPN does not function correctly, then back the MTU down to the last known fully functional MTU size. Remember you must restart the PC/Server after every MTU change.

        If your VPN does not work correctly at 1400 bytes
        Repeat Steps 1 and 2 but decrease your MTU to 1380 bytes. Continue to repeat Steps 1 and 2 (decreasing your MTU by 20 bytes each time) until your VPN functions correctly. Remember you must restart the PC/Server after every MTU change.

      Important Notes
      • Some Linksys router models/firmware versions have an "Auto" MTU capability that does not function correctly. You must enable the manual MTU function and adjust the size to 1492 (or less).
      • If you have a network with more than one computer, all NICs, adapters, servers, and router(s) should have the same MTU setting. See the related links below:
      MTU change on a Linksys Router
      MTU change on a D-Link Router
      MTU change on a Cisco 837 Router
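
As an added example (not part of the original FAQ and not DrTCP), the per-adapter MTU change from Steps 1 and 2 of both procedures above can be scripted with the built-in NetTCPIP cmdlets on Windows 8 / Server 2012 or later, run from an elevated prompt. The adapter name 'Corp VPN', the function names, and the 576 to 1500 bounds are assumptions of this example.

```powershell
# Added example, not from the original FAQ. Needs an elevated PowerShell
# session and the NetTCPIP module (Windows 8 / Server 2012 or later).

function Get-AdapterMtu {
    # List every IPv4 interface with its current MTU so the adapter that
    # belongs to the VPN client can be identified before anything is changed.
    Get-NetIPInterface -AddressFamily IPv4 |
        Sort-Object InterfaceAlias |
        Select-Object InterfaceAlias, InterfaceIndex, ConnectionState, NlMtu
}

function Set-AdapterMtu {
    # Change the IPv4 MTU of one named adapter and return the value now in effect.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        # Bounds are an assumption of this example, not a limit stated by the FAQ.
        [Parameter(Mandatory)][ValidateRange(576, 1500)][int]$Mtu
    )
    # Fail early if the adapter name is wrong instead of touching another interface.
    $iface = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($InterfaceAlias, "change MTU $($iface.NlMtu) -> $Mtu")) {
        Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -NlMtuBytes $Mtu
    }
    Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Select-Object InterfaceAlias, NlMtu
}

function Get-NextMtu {
    # One step of the FAQ's search: 20 bytes up while the VPN works,
    # 20 bytes down while it does not, clamped to the same assumed bounds.
    param(
        [Parameter(Mandatory)][int]$Current,
        [Parameter(Mandatory)][bool]$VpnWorked,
        [int]$Step = 20
    )
    if ($VpnWorked) { [Math]::Min($Current + $Step, 1500) }
    else            { [Math]::Max($Current - $Step, 576) }
}

# Usage, with the hypothetical adapter name 'Corp VPN':
#   Get-AdapterMtu
#   Set-AdapterMtu -InterfaceAlias 'Corp VPN' -Mtu 1400
#   # test the VPN as in Step 2, then apply the next candidate:
#   Set-AdapterMtu -InterfaceAlias 'Corp VPN' -Mtu (Get-NextMtu -Current 1400 -VpnWorked $true)
```

Run `Set-AdapterMtu` with `-WhatIf` first to confirm which adapter and value would be changed, and apply the same final value on the VPN server's adapter as the FAQ requires.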


      by Andy Houtz, edited by FAQFixer
      last modified: 2008-08-13 15:42:05

      The Westell is actually a router and by default blocks ports using NAT, so some popular VPN applications may not work correctly. Other VPNs require that a specific IP address be assigned to the computer. Therefore, changes must be made to the Westell to either open certain ports, assign a WAN IP to a specific computer, or use a separate PPPoE client directly on the computer.

      To enable port forwarding and open ports on the Westell please click here.

      For port forwarding with a Linksys router, see this: Linksys Knowledge Base

      To enable IP Passthrough and assign a WAN IP to a specific computer please click here.

      To use a separate PPPoE client, install a third-party PPPoE client (such as the BellSouth Connection Agent, Enternet 300, RasPPPoE, or the native PPPoE client on Windows XP) on the computer and enable bridged mode on the Westell as shown here.

      Important note: Opening ports, using IP Passthrough, or a PPPoE client on the computer exposes your computer directly to the Internet. A firewall of some type is highly recommended. If you are having other connection or timeout problems with your VPN please click here.


      by Andy Houtz, edited by FAQFixer
      last modified: 2006-12-22 00:11:52