KBI 311321 Daughter Engine Could Not Communicate With Mother Engine By CISCO VPN Even Though Telnet To Mother Engine Port Works Fine
Version
Argent Advanced Technology all versions
Date
Monday, 7 December 2015
Summary
It is not a firewall issue
The correct TCP port used by the Mother Engine is properly configured at firewall
This can be proved by telnetting to the Mother Engine port from the Daughter Engine
For example, the user can run the command ‘telnet mother_ip_address 6700’ for Argent Guardian Ultra
However, the Daughter Engine has never gone online
The following communication error can be seen in the service log:
COMMUNICATION ERROR. Failed to read reply from mother engine ‘xxxxxx’. TCP error: No error (0)
If Daughter Engine connects to Mother Engine using CISCO VPN, the issue can be caused by CISCO VPN MTU setting
The VPN drops TCP packets because the packet size is too big
The solution is to reduce MTU in VPN
This allows the big TCP packets to be sent by fragmentation
Technical Background
Whether the port is allowed or blocked is controlled by firewall
However, the communication channel, the VPN in this case, must function properly in order for the two-way TCP communication to succeed
The VPN may not be able to send big TCP packets
They must be broken into smaller packets before being sent into the VPN, and reassembled at the other end
The MTU (Maximum Transmission Unit) must be adjusted
It has been found that reducing it to 1300 allows the Daughter Engine to communicate successfully with the Mother Engine
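The following Python model is an added illustration of the mechanism described above, not Argent's code or Cisco's. It shows why a full-size 1500-byte packet is dropped by a tunnel whose usable MTU is smaller, how the TCP segment size (MSS) follows from the MTU, and how IP fragmentation splits the payload into pieces that fit. The 1300-byte MTU is the value the article reports; the header sizes are standard IPv4/TCP values, and the tunnel MTU of 1300 used in the sample call is assumed for the demonstration.

```python
"""Model of TCP traffic over a VPN with a reduced MTU (added example, not Argent code).

Demonstrates:
  * max_tcp_payload(): the largest TCP payload (MSS) that fits one packet of a given MTU
  * fits_tunnel():     whether a packet passes a link with a given MTU (dropped if DF is set)
  * fragment():        how an IPv4 payload is split into fragments that each fit the MTU
"""
from dataclasses import dataclass

IPV4_HEADER = 20      # IPv4 header without options, bytes
TCP_HEADER = 20       # TCP header without options, bytes
ETHERNET_MTU = 1500   # usual LAN MTU the Daughter Engine starts from
VPN_MTU = 1300        # value the KB article reports as working (assumed tunnel MTU here)


@dataclass
class Fragment:
    offset: int           # fragment offset in 8-byte units, as carried in the IPv4 header
    payload_len: int      # bytes of IP payload in this fragment
    more_fragments: bool  # MF flag: True on every fragment except the last


def max_tcp_payload(mtu: int) -> int:
    """Largest TCP payload (the MSS) that fits in one packet of the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def fits_tunnel(packet_len: int, tunnel_mtu: int, df: bool = True) -> bool:
    """Return True if a packet of packet_len bytes gets through a link of tunnel_mtu bytes.

    With the Don't Fragment (DF) bit set, which is normal for TCP, an oversized packet is
    silently dropped: the symptom in the article. Without DF the link may fragment it.
    """
    if packet_len <= tunnel_mtu:
        return True
    return not df


def fragment(payload_len: int, mtu: int) -> list[Fragment]:
    """Split an IPv4 payload (TCP header + data) into fragments that each fit mtu.

    Every fragment except the last must carry a payload that is a multiple of 8 bytes,
    because the IPv4 fragment offset field counts in 8-byte units.
    """
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    fragments: list[Fragment] = []
    offset = 0
    while offset < payload_len:
        size = min(per_fragment, payload_len - offset)
        fragments.append(Fragment(offset // 8, size, offset + size < payload_len))
        offset += size
    return fragments


def explain(tunnel_mtu: int = VPN_MTU) -> dict:
    """Summarise the LAN-size versus tunnel-size situation for a given tunnel MTU."""
    lan_payload = max_tcp_payload(ETHERNET_MTU)      # 1460 bytes of data in a full LAN packet
    full_packet = ETHERNET_MTU                       # 1500-byte packet as sent on the LAN
    return {
        "lan_mss": lan_payload,
        "tunnel_mss": max_tcp_payload(tunnel_mtu),
        "full_packet_passes": fits_tunnel(full_packet, tunnel_mtu),
        "fragments_needed": len(fragment(full_packet - IPV4_HEADER, tunnel_mtu)),
    }


if __name__ == "__main__":
    summary = explain()
    print(f"LAN MSS {summary['lan_mss']}, tunnel MSS {summary['tunnel_mss']}")
    print(f"1500-byte packet passes tunnel with DF set: {summary['full_packet_passes']}")
    print(f"fragments needed once MTU is honoured: {summary['fragments_needed']}")
    for frag in fragment(ETHERNET_MTU - IPV4_HEADER, VPN_MTU):
        print(frag)
```

Running it shows that a 1500-byte packet is dropped by a 1300-byte tunnel when DF is set, while a sender that honours the reduced MTU either sends 1260-byte TCP payloads or lets the 1480-byte IP payload go out as two fragments (1280 bytes at offset 0, then 200 bytes at offset 160). That is the behaviour the MTU change in the VPN client restores.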
Resolution
N/A