Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Intermittent access via itnernet, VPNs, and NAT

Posted on 2003-11-30
3
294 Views
Last Modified: 2010-10-05
This one has me stumped. We have a private network that is connected to the Internet.  The configuration is:

Internet feed connects via my Providers switch to a fiber connection to my POP.
At the POP, the fibre media converter connects to an additron switch.
Additron connects to a Netscreen Firewall/VPN/NAT device.
The netscreen connects to a Cisco 2900 XL switch (SW1).
The SW1 then connects a (new)email server and on to other switches and end users on the network

The problem is mainly to connect to the email server which is assigned both a private IP and a Public IP (NATed by the Netscreen.

I am testing the email remotely from another city and have a working VPN tunnel into the netwscreen to access the private IP addresses.

THE PROBLEM
Pinging the provider's switch (the entry point into my network) - I lose about 50% of all packets (thousands of pings)
However, if I connect via the VPN, I can ping a device inside the network using its private IP address with no problem - less than 2% loss.
Sometimes it takes several tries to establish the VPN tunnel but, once connected, it works perfectly.
Other locations seem to have lower loss to the Provider's swicth so I suspected my local connection - but this does not explain why the VPN works so well. The provider claims he can ping his switch with no loss from multiple locations.

Finally, although we once had a conenction to the email server, we cannot log on to it at all now.

I need to activate this server soon and this connectivity issue has stopped us dead.

Thanks.
0
Comment
Question by:emeger
3 Comments
 
LVL 7

Accepted Solution

by:
Robing66066 earned 250 total points
ID: 9848097
Here is how I am thinking of it.  It may be right or wrong, I've never really considered it from this angle before.  I think it makes sense, but you can judge.

The confusion here comes from the fact that you are losing packets when you ping the switch, but not when you go through the VPN.

I think it makes sense, in a strange kinda way.  When you try to ping the switch, the packets go out in a best effort to reach the switch.  If they make it, and back, you get a reply.  If not, then the ping dies.  You lose about 50% of them.

When you attach to the VPN, however, you are making a connection based link, regardless of the type of traffic that is sent.  Dropped packets are retried.  So, if from within the VPN connection you try to ping something on the inside, the VPN link makes sure that each and every ping packet makes it onto your local network, even if it has to retry them.  This is a service you don't get if you just directly ping the switch without the benefit of the VPN tunnel.  Even if your connection is dropping 50% of all packets sent, you should see 'perfect' performance with respect to packet loss for your internal pings.  With respect to speed, obviously that depends on what you are doing, but if your bandwidth is twice what you need to make a good connection, you won't notice it there either.

So, from that point of view, I don't think that the 'good' VPN connection tells you anything.  At least not from a whether the connection seems to work viewpoint.  If possible, try to determine how many packets your VPN software is retransmitting during its connection with the Netscreen device.  This will tell you if the connection really is perfect or if it only seems that way.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ADSL Connection Dropout 8 135
Prioritize SIP traffic on Cisco Router 6 125
Verizon Metro Ethernet vs. Comcast Business Cable modem for 125 users? 5 103
PIng command and its use 9 160
This solves the problem of diagnosing why an internet connection is no longer working. It also helps identify the likely cause of the lost connection if the procedure fails to re-establish your internet connection. It helps to pinpoint the likely co…
Cable Modem Provisioning from DPoE compliant server  This Article is to support CMTS administrators to provide an overview of DOCSIS compliance configuration file, and to provision a cable modem located at customer place from a Back office serve…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question