Search this forum and you'll find all kinds of MTU issues. JTAC will tell you to upgrade to 6.0R6.

Are you hitting Windows 2003 servers ? If so the problem is likely the TCP auto-scaling features Juniper unsuccessfully tried to take advantage of in 6.0R4-1 and earlier.

MTU issues are all about IPSec and DSL PPPoE. We have seen this on a number of occations and usually it is because of all the headers in a PPPoE Connection as well as the headers in the IPSec connection make the packet to large.

If it is possible set the home routers to an MTU of 1300... If you can't do that you have to change in the the registry of the home machines.

any idea why my Nortel Contivity VPN is immune to these issues ? Same pc, behind the same router... It's been a mystery to me for a long time. I have used Dr. TCP, to lower the PC's MTU's in the past. I'm not crazy about doing that though because you are telling the PC to chop packets up into smaller chunks. This is less efficient but will probably resolve your problem. The MTU change should be done on the LAN NIC. (not the NetConnect Adapter)

There is a good chance the the Contivity has already been set with a lower MTU - sometimes play with Fragment setting will also help. I would avoid changing the MYU on the PC as well.... That solution does not scale well.

The MTU on our SA is at the default - 1500, but we always set our Firewalls to 1300 - that way smaller packets are negotiated and the problem does not show up.

My experience is that fragmentation is always much worse than inefficiency due to smaller MTU. I've always done a

ping -f -l 1500 and decrease until the pings make it out.

I find the Contivity much less reliable than the NC because there's now IKE channel to timeout or get in conflict with someone else. Also, NC does a great job of transparently reconnecting, expecially when Roaming Session is enabled.

-=Dan=-