Hi Peter. There is something very strange going on, but I think you are making progress.
Not being able to ping because the do not fragment bit is set is the expected response when the network
MTU size is smaller than the ping packets with the -f flag. So your results were exactly as expected, except
that 520 is a very low number. I have seen as low as ~1300 something when running a vpn over low quality
dsl lines. I _think_ what is going on is that your network MTU is lower than the default, 1500. Normally a
network device will respond to an instruction from a router to lower it's MTU, however the cFP controllers,
at least -20xx and probably -21xx, DO NOT respond to an MTU request. When you first try your normal
ping, the packet size is < 520, so everything works fine. MAX probably uses larger packets. The cFP
can't respond, because the cFP is sending response packets > 520, and when the router bounces them
and says to use a smaller MTU, the cFP ignores the request and (probably) tries to retransmit. This may
be the source of the 'storm'; lots of retries, probably coming from both ends.
So, possible solutions or further testing.
1) Set the MTU in your VPN server. I am not familiar with the D-Link VPN server, but I know the Linksys
gadgets we use typically have an MTU setting on the first page where you set the (WAN) IP address.
Set the number here to the maximum packet size you can ping with the -f flag. Your traffic will be
slightly slower, but should work ok.
2) Install a router with a configurable MTU setting between your cFP and the D-Link VPN server, WAN
side to the D-Link. Set the MTU of this router to your maximum packet size. This is the solution we
have used at customer sites where the VPN router did not have an MTU setting. This does significantly
complicate the networking and connection to the cFP, though, and is not plug-and-play.
The PPTP link probably has an MTU setting of 1500, or at least high enough that the cFP responses
don't get bounced. Try the ping -f test with a packet of 1502.
I'm sorry there isn't an easy fix. The best solution would be for the cFP controllers to recognize the
MTU command, then everything would just magically work like all other network devices. Second best
would be an ni-rt.ini token in the cFP to manually set an MTU size. I have requested either of these
changes, but didn't get an encouraging response. Maybe the -22xx will be better.
Our vpns usually use IPSEC, but because we have routers on both ends, we are not using a client
on the PC.
Hope this helps, let me know what you find.
Matt