Why do Windows 2000 MTU settings cause problems with NetMAX VPN gateway communications?
Applies to: NetMAX VPN Server Suite version 3.1 - 4.0x
We have found that Windows 2000 does not do MTU discovery by default, and its MTU setting is set to 1500 by default.

Most encapsulated protocols will have an MTU that is smaller than 1500 because additional bytes must be added to each packet. IPSEC requires an MTU of 1480. When a NetMAX VPN Server Suite gateway and a Windows 2000 machine begin an IP conversation, MTU discovery should allow the Windows 2000 machine to lower its MTU setting to the one offered by the NetMAX in the MTU Discovery negotiation.

Since the Windows 2000 machine is set to not perform this MTU negotiation, it will continue to send packets that are 1500 bytes. If the Windows 2000 machine sends a packet larger than 1480 bytes, the NetMAX will be unable to accept the packet and will report this with an ICMP message asking the Windows 2000 machine to fragment packets larger than 1480 bytes. Windows 2000 ignores these ICMP messages.
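
The ICMP message described above is a Destination Unreachable with code 4 ("fragmentation needed and DF set"), which carries the next-hop MTU in the RFC 1191 layout. The following Python is an added example, not NetMAX or Microsoft code: it builds such a message for a constructed 1500-byte packet, parses it the way you would when reading a capture, and shows the sender's next MTU when the message is honored versus ignored. The addresses, the sample header and all function names are assumptions made for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sample_ip_header(total_len: int = 1500) -> bytes:
    """Constructed sample: 192.0.2.10 -> 198.51.100.20, TCP, DF bit set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 128, 6, 0,
                      socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_frag_needed(next_hop_mtu: int, orig_header: bytes, orig_data: bytes) -> bytes:
    """ICMP type 3, code 4 in the RFC 1191 layout, as the gateway would send it."""
    body = orig_header + orig_data[:8]
    csum = inet_checksum(struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + body)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + body

def parse_frag_needed(icmp: bytes):
    """Return the fields of a valid 'fragmentation needed' message, else None."""
    if len(icmp) < 28 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    _vihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", icmp[8:16])
    return {"next_hop_mtu": mtu, "orig_total_len": total_len,
            "df_set": bool(flags_frag & 0x4000),
            "src": socket.inet_ntoa(icmp[20:24]), "dst": socket.inet_ntoa(icmp[24:28])}

def effective_mtu(current_mtu: int, icmp: bytes, honor_icmp: bool) -> int:
    """MTU the sender uses next; honor_icmp=False models a host ignoring the message."""
    info = parse_frag_needed(icmp)
    if not honor_icmp or info is None or info["next_hop_mtu"] == 0:
        return current_mtu
    return min(current_mtu, info["next_hop_mtu"])

if __name__ == "__main__":
    msg = build_frag_needed(1480, sample_ip_header(), b"\x00" * 8)
    print(parse_frag_needed(msg))
    print(effective_mtu(1500, msg, True), effective_mtu(1500, msg, False))
```

In a capture taken on the Windows 2000 side, repeated messages of this kind for the same destination, with no drop in the size of the packets that follow, match the behavior described here.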

This problem can be worked around by enabling MTU discovery on your Windows 2000 machines by making a registry entry:

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create a DWORD value with the name "EnablePMTUDiscovery", and the value of "1".

Modifying your registry is considered advanced configuration for Windows 2000 users and can cause serious problems if done incorrectly. We will not be able to support this. This article is for information purposes only, and we cannot recommend modifying the default behavior of Windows 2000.

This document is: http://www.netmax.org/cgi-bin/fom.cgi?file=467
This FAQ administered by ...Cybernet Systems Corp.