Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Intermittent access via itnernet, VPNs, and NAT

Posted on 2003-11-30
3
Medium Priority
?
305 Views
Last Modified: 2010-10-05
This one has me stumped. We have a private network that is connected to the Internet.  The configuration is:

Internet feed connects via my Providers switch to a fiber connection to my POP.
At the POP, the fibre media converter connects to an additron switch.
Additron connects to a Netscreen Firewall/VPN/NAT device.
The netscreen connects to a Cisco 2900 XL switch (SW1).
The SW1 then connects a (new)email server and on to other switches and end users on the network

The problem is mainly to connect to the email server which is assigned both a private IP and a Public IP (NATed by the Netscreen.

I am testing the email remotely from another city and have a working VPN tunnel into the netwscreen to access the private IP addresses.

THE PROBLEM
Pinging the provider's switch (the entry point into my network) - I lose about 50% of all packets (thousands of pings)
However, if I connect via the VPN, I can ping a device inside the network using its private IP address with no problem - less than 2% loss.
Sometimes it takes several tries to establish the VPN tunnel but, once connected, it works perfectly.
Other locations seem to have lower loss to the Provider's swicth so I suspected my local connection - but this does not explain why the VPN works so well. The provider claims he can ping his switch with no loss from multiple locations.

Finally, although we once had a conenction to the email server, we cannot log on to it at all now.

I need to activate this server soon and this connectivity issue has stopped us dead.

Thanks.
0
Comment
Question by:emeger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 7

Accepted Solution

by:
Robing66066 earned 1000 total points
ID: 9848097
Here is how I am thinking of it.  It may be right or wrong, I've never really considered it from this angle before.  I think it makes sense, but you can judge.

The confusion here comes from the fact that you are losing packets when you ping the switch, but not when you go through the VPN.

I think it makes sense, in a strange kinda way.  When you try to ping the switch, the packets go out in a best effort to reach the switch.  If they make it, and back, you get a reply.  If not, then the ping dies.  You lose about 50% of them.

When you attach to the VPN, however, you are making a connection based link, regardless of the type of traffic that is sent.  Dropped packets are retried.  So, if from within the VPN connection you try to ping something on the inside, the VPN link makes sure that each and every ping packet makes it onto your local network, even if it has to retry them.  This is a service you don't get if you just directly ping the switch without the benefit of the VPN tunnel.  Even if your connection is dropping 50% of all packets sent, you should see 'perfect' performance with respect to packet loss for your internal pings.  With respect to speed, obviously that depends on what you are doing, but if your bandwidth is twice what you need to make a good connection, you won't notice it there either.

So, from that point of view, I don't think that the 'good' VPN connection tells you anything.  At least not from a whether the connection seems to work viewpoint.  If possible, try to determine how many packets your VPN software is retransmitting during its connection with the Netscreen device.  This will tell you if the connection really is perfect or if it only seems that way.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This solves the problem of diagnosing why an internet connection is no longer working. It also helps identify the likely cause of the lost connection if the procedure fails to re-establish your internet connection. It helps to pinpoint the likely co…
Cable Modem Provisioning from DPoE compliant server  This Article is to support CMTS administrators to provide an overview of DOCSIS compliance configuration file, and to provision a cable modem located at customer place from a Back office serve…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question