KBI 311321 Daughter Engine Could Not Communicate With Mother Engine By CISCO VPN Even Though Telnet To Mother Engine Port Works Fine

Version

Argent Advanced Technology all versions

Date

Monday, 7 December 2015

Summary

It is not a firewall issue

The correct TCP port used by the Mother Engine is properly configured at firewall

This can be proved by telnet into Mother Engine port from Daughter Engine

For example, user can run command ‘telnet mother_ip_address 6700’ for Argent Guardian Ultra

However, Daughter Engine has never gone online

Following communication error can be seen in service log:

COMMUNICATION ERROR. Failed to read reply from mother engine ‘xxxxxx’. TCP error: No error (0)

If Daughter Engine connects to Mother Engine using CISCO VPN, the issue can be caused by CISCO VPN MTU setting

The VPN drops TCP packets because the packet size is too big

The solution is to reduce MTU in VPN

It allows the big TCP packets being sent by fragmentation

Technical Background

Whether the port is allowed or blocked is controlled by firewall

However, the communication channel, the VPN in the case, must function properly in order to get the two-way TCP communication to succeed

VPN may not be able to send big TCP packets

They must be broken into smaller packets before being sent to VPN, and reassembled in the other end

MTU (Maximum Transmission Unit) must be adjusted

It has been found that reducing it to 1300 will allow Daughter Engine communicates successfully with Mother Engine

Resolution

N/A