| Author |
Message |
Mike Drechsler - SPAM PRO
Guest
|
 Posted:
Sat Oct 01, 2005 8:20 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Vince wrote:
| Quote: | OK, here's where I stand with this frustrating setup.
Site A: phase2 renegotiation with Site B takes place every few
seconds. Can ping router addresses
ate sites B and C, but can only ping remote host IP addresses at site
C.
Site B: phase2 renegotiation with Site A takes place every few
seconds. Can ping router addresses
ate sites A and C, but can't ping remote host IP addresses at sites A
or C.
Site C: phase1 and 2 renegotiations occur at scheduled intervals. Can
ping router addresses
ate sites A and B, but can't ping remote host IP addresses at sites A
or B.
If anyone can offer insight to what I am doing wrong, I would greatly
appreciate it. Mike, I am in
dire need of your wisdom.
Here's a recap of the tunnel info, along with my router config dumps:
Site A (207)
IPSec TunnelA-B
Local Subnet: 192.168.0.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.1.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 71.138.2xx.xx (Site B static ip)
cp 2 tag AtoB
SNIP
cp 2 ipsec ike phase1 2
cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local
members 19\
2.168.0.0/24 ;[Net 0]
SNIP
IPSec TunnelA-C
Local Subnet: 192.168.0.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.2.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 66.125.3x.xxx (Site C static ip)
cp 3 tag SBCto805
SNIP
cp 3 ipsec ike phase1 2
cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local
members 192.\
168.0.0/24 ;[Net 0]
SNIP
Site B (Montebello)
IPSec TunnelB-A
Local Subnet: 192.168.1.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.0.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 71.138.1xx.xxx (Site A static ip)
cp 4 tag BtoA
SNIP
cp 4 ipsec ike phase1 2
cp 4 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local
members 192\
..168.1.0/24 ;[Net 0]
SNIP
IPSec TunnelB-C
Local Subnet: 192.168.1.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.2.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 66.125.3x.xxx (Site C static ip)
cp 3 tag BtoC
SNIP
cp 3 ipsec ike phase1 2
cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local
members 192.\
168.1.1/24 ;[Net 0]
SNIP
Site C
IPSec TunnelC-A
Local Subnet: 192.168.2.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.0.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 71.138.1xx.xxx (Site A static ip)
cp 3 tag CtoA
SNIP
cp 3 ipsec ike phase1 2
cp 3 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local
members 192\
..168.2.0/24 ;[Net 0]
SNIP
IPSec TunnelC-B
Local Subnet: 192.168.2.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.1.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 71.138.2xx.xx (Site B static ip)
cp 2 tag CtoB
SNIP
cp 2 ipsec ike phase1 2
cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local
members 19\
2.168.2.0/24 ;[Net 0]
SNIP
The IKE config is identical on all 3 routers, as determined by using
Beyond Compare:
ike phase1 2 authentication method shared-secret
ike phase1 2 authentication shared-secret ascii *****
ike phase1 2 dangling-sas no
ike phase1 2 encryption 3des
ike phase1 2 group 2
ike phase1 2 hash md5
ike phase1 2 id 2
ike phase1 2 identity local ipv4-address 0.0.0.0
ike phase1 2 identity remote ipv4-address 0.0.0.0
ike phase1 2 independent rekeys yes
ike phase1 2 initial-contact yes
ike phase1 2 invalid-spi-recovery no
ike phase1 2 mode main
ike phase1 2 negotiation normal
ike phase1 2 port policy permissive
ike phase1 2 sa lifetime seconds 28800
ike phase1 2 sa lifetime kbytes none
ike phase1 2 sa use-policy new-sas-immediately
ike phase1 2 tag "DHC IKE Profile"
ike phase1 2 vendor-id yes
Since this last config dump, I have tried scheduling the phase 2
duration to be half that of phase 1 (4 hours instead of 8), following
some recommendations I found elsewhere. No help.
|
Ok, I think I know what you have going on. You are using the same IKE
phase 1 session for 2 different endpoints. You should setup a separate
phase 1 IKE connection for each router pair with it's own password. I
personally like randomly generated passwords for these. I don't even
bother to remember the password, I just generate a new one if I ever
need to change it.
So on each site, you should have 2 connection profiles and 2 IKE
profiles. One for each remote router that will be connecting to that
router. They should not share an ike configuration even though the
router lets you do this.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com) |
|
| Back to top |
|
 |
Vince
Guest
|
| Posted:
Fri Oct 07, 2005 9:34 pm Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Hi Mike,
OK, I tried setting up the IKE profiles as you suggested. I have one
IKE profile for each tunnel on each router - the ends of each tunnel
have identical IKE profile settings. Both tunnels coming from Site C
are fine, communication is good, no excessive phase 2 renegotiations.
The problem now is that the tunnels between site A and B were still
re-negotiating phase 2 every few seconds, and periodically lose
communication between the subnets until I re-set the tunnel. I just
now tried changing the advanced IKE settings to use old SA's until
expired instead of using new SA's immediately, that seems to have
quieted things down for now - but for how long, who knows. Any
suggestions? |
|
| Back to top |
|
|
Mike Drechsler - SPAM PRO
Guest
|
| Posted:
Fri Oct 07, 2005 10:25 pm Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Vince wrote:
| Quote: | Hi Mike,
OK, I tried setting up the IKE profiles as you suggested. I have one
IKE profile for each tunnel on each router - the ends of each tunnel
have identical IKE profile settings. Both tunnels coming from Site C
are fine, communication is good, no excessive phase 2 renegotiations.
The problem now is that the tunnels between site A and B were still
re-negotiating phase 2 every few seconds, and periodically lose
communication between the subnets until I re-set the tunnel. I just
now tried changing the advanced IKE settings to use old SA's until
expired instead of using new SA's immediately, that seems to have
quieted things down for now - but for how long, who knows. Any
suggestions?
|
Make sure that each IKE profile has a different password/key and they
aren't all identical.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com) |
|
| Back to top |
|
|
Vince
Guest
|
| Posted:
Sat Oct 08, 2005 1:54 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Not sure I understand what you mean by different - each router has 2
tunnels, and each tunnel has the same IKE profile on each end, but each
pair has a unique profile/password/key, shared between the 2 routers at
each end. Shouldn't the parameters at each end be the same? Or does
each and every password need to be unique?
Here's what I have now:
Site A <==Tunnel A-B==> Site B
Router A config for "Tunnel A-B":(IKE Profile: "A-B", password: "a2b")
Router B config for "Tunnel A-B":(IKE Profile: "A-B", password: "a2b")
Site A <==Tunnel A-C==> Site C
Router A config for "Tunnel A-C":(IKE Profile: "A-C", password: "a2c")
Router C config for "Tunnel A-C":(IKE Profile: "A-C", password: "a2c")
Site B <==Tunnel A-B==> Site C
Router B config for "Tunnel B-C":(IKE Profile: "B-C", password: "b2c")
Router C config for "Tunnel B-C":(IKE Profile: "B-C", password: "b2c") |
|
| Back to top |
|
|
Vince
Guest
|
| Posted:
Wed Oct 12, 2005 1:08 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Sorry, the last tunnel should be:
Site B <==Tunnel B-C==> Site C
Router B config for "Tunnel B-C":(IKE Profile: "B-C", password: "b2c")
Router C config for "Tunnel B-C":(IKE Profile: "B-C", password: "b2c")
Could there be an issue with the way I am "nailing" the tunnels?
Should only on side have a "dead peer detection" and/or 24-hour
scheduled connection and/or 0-value timeout for the tunnel? |
|
| Back to top |
|
|
Mike Drechsler - SPAM PRO
Guest
|
| Posted:
Wed Oct 12, 2005 1:49 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Vince wrote:
[quote]Sorry, the last tunnel should be:
Site B <==Tunnel B-C==> Site C
Router B config for "Tunnel B-C":(IKE Profile: "B-C", password: "b2c")
Router C config for "Tunnel B-C":(IKE Profile: "B-C", password: "b2c")
Could there be an issue with the way I am "nailing" the tunnels?
Should only on side have a "dead peer detection" and/or 24-hour
scheduled connection and/or 0-value timeout for the tunnel?
[/quote]
Dead peer detection is a bit hit or miss. I start with it disabled and
then add it in if the connection seems unstable. It only helps if the
underlying network has problems though. (ADSL link that goes offline,
occasional packetloss, that kind of thing). If you see constant dead
peer detected messages in the logs you may try turning it off. If the
connection is stable with it disabled then either the dead peer
detection settings were wrong or something wasn't responding to
keepalive messages as expected.
Scheduled connections do nothing for IPSec. This is for PPP style
connections.
Setting the idle to 0 is the correct way to indicate the tunnel should
stay "nailed" up at all times regardless of traffic.
So are your tunnels still renegotiating every few seconds? Have you had
any luck isolating the problem? The last mention you said that both
tunnels from one site were working properly but the connection between
two other sites were still not working. Have you deleted the tunnels
between those two problem sites and tried creating all new settings?
Have you tried calling Netopia to have them look at the problem?
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com) |
|
| Back to top |
|
|
Vince
Guest
|
| Posted:
Wed Oct 12, 2005 3:43 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
The persistent re-negotiation between the 2 problem sites seems to take
place when either phase1 or phase 2 has expired (I haven't been able to
accurately determine determine the timing, since the expiration
happens when I'm at work and I can't make a VPN like my client's
network).
I'll try removing the scheduled connections (for IPSec) and the dead
peer connections. I did delete and re-create the tunnels once after I
created all new IKE profiles, but I'll try it again.
Any advice on timing/duration settings of phase1/2 configs? Should
phase1 be set to expire after 24hrs and phase 2 set for something like
8 or 12 hrs? |
|
| Back to top |
|
|
Vince
Guest
|
| Posted:
Thu Oct 20, 2005 1:08 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Well Mike, I thought I was OK, but I'm still having trouble.
I re-created the tunnels between the 2 problem endpoints (Sites A and
B), and things seemed to work nicely. Phase 2 re-negotiations took
only a handful of attempts. For the past 5 days or so, the tunnels
have been stable, with the phase 2's renegotiating successfully as
scheduled (every 4 hours.) Then just this morning, I ran into the same
problem again with the A-B tunnel, with phase 2 failing repeatedly
(endless "Phase 2 complete" messages) for several hours. I rebooted
the router at Site B and the tunnels re-established after about 90
seconds. Connections and IP traffic between sites A and B have been
fine for the past 3 hours; hopefully the next phase 2 re-negotiation
won't barf.
I'm at my wits end with this. The tunnels out of Site C have been
rock-solid since inception. The A-B tunnel settings at Sites A and B
are identical (and different from the A-C and B-C settings). I have
done a 'show config' dump and checked everything line by line.
Furthermore, the IKE and Connection Profile settings for the A-B tunnel
match the A-C and B-C settings (though unique from the other 2 tunnels
in name, IKE Profile, and password).
Netopia online chat help would not offer any VPN configuration
assistance; they referred me to their fee-based production support
offerings (consistent with their website's advertised support policy
regarding VPN's).
The only common issue I can think of at this point is that Sites A and
B both have an ISP connection requiring PPPOE underlying encapsulation
even though they have fixed IP addresses. Site C (the oldest) for some
reason, even though under the same provider (SBC), does not utilize
PPPOE at all.
Any thoughts? |
|
| Back to top |
|
|
Mike Drechsler - SPAM PRO
Guest
|
| Posted:
Thu Oct 20, 2005 2:43 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Vince wrote:
| Quote: | Well Mike, I thought I was OK, but I'm still having trouble.
I re-created the tunnels between the 2 problem endpoints (Sites A and
B), and things seemed to work nicely. Phase 2 re-negotiations took
only a handful of attempts. For the past 5 days or so, the tunnels
have been stable, with the phase 2's renegotiating successfully as
scheduled (every 4 hours.) Then just this morning, I ran into the same
problem again with the A-B tunnel, with phase 2 failing repeatedly
(endless "Phase 2 complete" messages) for several hours. I rebooted
the router at Site B and the tunnels re-established after about 90
seconds. Connections and IP traffic between sites A and B have been
fine for the past 3 hours; hopefully the next phase 2 re-negotiation
won't barf.
I'm at my wits end with this. The tunnels out of Site C have been
rock-solid since inception. The A-B tunnel settings at Sites A and B
are identical (and different from the A-C and B-C settings). I have
done a 'show config' dump and checked everything line by line.
Furthermore, the IKE and Connection Profile settings for the A-B tunnel
match the A-C and B-C settings (though unique from the other 2 tunnels
in name, IKE Profile, and password).
Netopia online chat help would not offer any VPN configuration
assistance; they referred me to their fee-based production support
offerings (consistent with their website's advertised support policy
regarding VPN's).
The only common issue I can think of at this point is that Sites A and
B both have an ISP connection requiring PPPOE underlying encapsulation
even though they have fixed IP addresses. Site C (the oldest) for some
reason, even though under the same provider (SBC), does not utilize
PPPOE at all.
Any thoughts?
|
PPPoE doesn't exist around here. Every provider where I live is either
DHCP or manual hardcoded IP. If there is a problem with the PPPoE side
of things I would have never seen it because of this.
You could try playing around with any available MTU settings if PPPoE is
involved.
Though it doesn't seem likely that there is a network problem if these
sites can communicate with the other router without problems but you
should check the network between the two sites. Do ping test with large
packet sizes and the do not fragment bit set. Do these tests while
transfering increasing amounts of data back and forth and see how it
behaves.
If these 2 sites do not communicate with each other frequently or
require high bandwidth you could route all traffic through your "site C"
location.
You could consider paying Netopia for their VPN setup service and if
they find a bug in the router firmware you get a refund. Ask them if
they will refund the money if they fail to get a reliable connection.
It's not like they charge an excessive amount for the service. (Less
than a typical consultant visit)
On the extreme end of things you could configure a test network. There
are ways of using Linux to create your very own pppoe server and make a
test to determine if it's the routers or the network causing the problem.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com) |
|
| Back to top |
|
|
Vince
Guest
|
| Posted:
Wed Nov 02, 2005 1:01 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
I think I will be calling Netopia this week or next. This is
maddening. Sometimes the Phase 2 IPSec renegotiation (at time of
expiration) takes 2 minutes, sometimes it takes 2 hours, sometimes it
never succeeds until I bounce the routers. This problem is now
occurring in all 3 locations. I am going to do a factory reset on all
3 routers this week and try re-building the setups from scratch, but at
this point I have my doubts that even that will work.
Even after scouring the 'net, I was unable to find anyone having a
similar problem, so woe is me.
If anyone has seen this type of behavior, and could offer any insight,
I would greatly appreciate it. I will post my results from the rebuild
and Netopia supposrt assistance as I have them. |
|
| Back to top |
|
|
Mike Drechsler - SPAM PRO
Guest
|
| Posted:
Wed Nov 02, 2005 8:53 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Vince wrote:
| Quote: | I think I will be calling Netopia this week or next. This is
maddening. Sometimes the Phase 2 IPSec renegotiation (at time of
expiration) takes 2 minutes, sometimes it takes 2 hours, sometimes it
never succeeds until I bounce the routers. This problem is now
occurring in all 3 locations. I am going to do a factory reset on all
3 routers this week and try re-building the setups from scratch, but at
this point I have my doubts that even that will work.
Even after scouring the 'net, I was unable to find anyone having a
similar problem, so woe is me.
If anyone has seen this type of behavior, and could offer any insight,
I would greatly appreciate it. I will post my results from the rebuild
and Netopia supposrt assistance as I have them.
|
The only times I have had that kind of trouble is when there was
packetloss on the connection between two sites. A good example is
recently I had trouble maintaining VPN links from home. I found that my
cable modem would drop large packets. As the size of a packet
increased, it's likelihood of it being lost increased in this case.
When doing a ping with the default 32 bytes the packetloss was almost
0%. At the maximum ethernet packet size (ping with 1472bytes) the loss
was often nearly 90%. The cable company tech came out, we hooked up the
modem to the pedestal out on the street and found the same trouble there
so he booked a call to have network maintenance come out and fix the
amplifiers in the area. A week later and now everything is great again.
I get no packetloss with large packet sizes and my VPN connections are
solid again.
It's possible you have some lower level problem with your internet
connections. Packetloss is an enemy to a stable VPN connection.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com) |
|
| Back to top |
|
|
Vince
Guest
|
| Posted:
Wed Nov 02, 2005 9:20 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Boy, if that's the case, I would be ecstatic if I can get this
resolved. OK, say the scenario you described is applicable in my case.
How would I best explain this to my ADSL provider (SBC) to convince
them of an actual problem that falls within the scope of their service
guarantees? I'm worried that the conversation will end with "Well, you
can surf the internet, right? Then it's working as it shoud."
| Quote: | From the central office (192.168.0.1), I tried pinging the opposite
routers for 2-3 minutes w/1427 bytes when the tunnels were working, |
wasn't losing anything:
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=216ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=218ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=218ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=173ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=170ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=172ms TTL=254
Does this mean my problems don't match with what you had? |
|
| Back to top |
|
|
Mike Drechsler - SPAM PRO
Guest
|
| Posted:
Wed Nov 02, 2005 4:23 pm Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Vince wrote:
| Quote: | Boy, if that's the case, I would be ecstatic if I can get this
resolved. OK, say the scenario you described is applicable in my case.
How would I best explain this to my ADSL provider (SBC) to convince
them of an actual problem that falls within the scope of their service
guarantees? I'm worried that the conversation will end with "Well, you
can surf the internet, right? Then it's working as it shoud."
From the central office (192.168.0.1), I tried pinging the opposite
routers for 2-3 minutes w/1427 bytes when the tunnels were working,
wasn't losing anything:
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=216ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=218ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=218ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.1.1: bytes=1427 time=217ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=173ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=170ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=171ms TTL=254
Reply from 192.168.2.1: bytes=1427 time=172ms TTL=254
Does this mean my problems don't match with what you had?
|
Well, mine was particularly bad. But it did have it's good moments
where I could use the connection and other times when it was horrible
and my internet was basically down. I felt fortunate that the tech came
when it was very bad. The problem was very evident and it continued for
the entire length of the service call so we were able to do the tests
inside the house and out on the street and find that it was an
unbalanced amplifier (low channels where the return path is transmitted
was very low compared to the rest of the channel range)
You can basically just run a continuous ping to the other site you are
having problems with as well as a ping to a default gateway or other
appropriate router on the ISP side that would show if the problem is
local to your connection or more toward the remote end. There are
plenty of third party programs for monitoring your network connection.
Something like Advanced Hostmonitor http://www.ks-soft.net/ is a good
start, but probably not perfect for this purpose.
The hardest problems to troubleshoot are intermittent as everyone knows.
As for your test. You should ping a public interface to check for
packetloss. The VPN can recover from some level of packetloss and hide
this from your ping session. You may see it as higher ping times.
Compare the results of the ping to local ISP default gateway, remote
site public interface and tunneled connection to remote router private
network. The larger packet sizes just seem better at exposing some
problems but are not always necessary.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com) |
|
| Back to top |
|
|
Vince
Guest
|
| Posted:
Wed Nov 09, 2005 2:05 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
OK, during a period where the Phase 2's just thrashing each other from
both ends (central office and problem remote office), I tried ping
testing to a public address (easynews.com), the local DNS Server, and
the remote router's WAN IP address, all with no packet loss from either
side after about 2-3 minutes of continuous pings at min and max packet
sizes.
I've gotten to the point where I have pushed the Phase 1 timeout to
24hrs and the Phase 2 timeout to 12hrs, just to keep my clients from
major downtime. That only worked for a day and a half. Yet again, the
remote office had to hard-boot the router and wait 5 minutes before the
tunnel was restored.
I have come across 2 spare Linksys BEFVP41's which I am about to try,
just for comparison. If they appear to work better, I will most likely
junk the Netopias. If the problems remain the same, I may just nuke
the site for morbid. This has been unbelievably frustrating. |
|
| Back to top |
|
|
Mike Drechsler - SPAM PRO
Guest
|
| Posted:
Wed Nov 09, 2005 2:30 am Post subject:
Re: 3-site VPN implementation w/Terminal Server - Netopia up |
|
|
Vince wrote:
| Quote: | OK, during a period where the Phase 2's just thrashing each other from
both ends (central office and problem remote office), I tried ping
testing to a public address (easynews.com), the local DNS Server, and
the remote router's WAN IP address, all with no packet loss from either
side after about 2-3 minutes of continuous pings at min and max packet
sizes.
I've gotten to the point where I have pushed the Phase 1 timeout to
24hrs and the Phase 2 timeout to 12hrs, just to keep my clients from
major downtime. That only worked for a day and a half. Yet again, the
remote office had to hard-boot the router and wait 5 minutes before the
tunnel was restored.
I have come across 2 spare Linksys BEFVP41's which I am about to try,
just for comparison. If they appear to work better, I will most likely
junk the Netopias. If the problems remain the same, I may just nuke
the site for morbid. This has been unbelievably frustrating.
|
Well good luck. I have had my share of phase 2 problems, but they
always seemed to be something with the settings or the network link.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com) |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in