Solved

Intermittent access via itnernet, VPNs, and NAT

Posted on 2003-11-30
3
290 Views
Last Modified: 2010-10-05
This one has me stumped. We have a private network that is connected to the Internet.  The configuration is:

Internet feed connects via my Providers switch to a fiber connection to my POP.
At the POP, the fibre media converter connects to an additron switch.
Additron connects to a Netscreen Firewall/VPN/NAT device.
The netscreen connects to a Cisco 2900 XL switch (SW1).
The SW1 then connects a (new)email server and on to other switches and end users on the network

The problem is mainly to connect to the email server which is assigned both a private IP and a Public IP (NATed by the Netscreen.

I am testing the email remotely from another city and have a working VPN tunnel into the netwscreen to access the private IP addresses.

THE PROBLEM
Pinging the provider's switch (the entry point into my network) - I lose about 50% of all packets (thousands of pings)
However, if I connect via the VPN, I can ping a device inside the network using its private IP address with no problem - less than 2% loss.
Sometimes it takes several tries to establish the VPN tunnel but, once connected, it works perfectly.
Other locations seem to have lower loss to the Provider's swicth so I suspected my local connection - but this does not explain why the VPN works so well. The provider claims he can ping his switch with no loss from multiple locations.

Finally, although we once had a conenction to the email server, we cannot log on to it at all now.

I need to activate this server soon and this connectivity issue has stopped us dead.

Thanks.
0
Comment
Question by:emeger
3 Comments
 
LVL 7

Accepted Solution

by:
Robing66066 earned 250 total points
ID: 9848097
Here is how I am thinking of it.  It may be right or wrong, I've never really considered it from this angle before.  I think it makes sense, but you can judge.

The confusion here comes from the fact that you are losing packets when you ping the switch, but not when you go through the VPN.

I think it makes sense, in a strange kinda way.  When you try to ping the switch, the packets go out in a best effort to reach the switch.  If they make it, and back, you get a reply.  If not, then the ping dies.  You lose about 50% of them.

When you attach to the VPN, however, you are making a connection based link, regardless of the type of traffic that is sent.  Dropped packets are retried.  So, if from within the VPN connection you try to ping something on the inside, the VPN link makes sure that each and every ping packet makes it onto your local network, even if it has to retry them.  This is a service you don't get if you just directly ping the switch without the benefit of the VPN tunnel.  Even if your connection is dropping 50% of all packets sent, you should see 'perfect' performance with respect to packet loss for your internal pings.  With respect to speed, obviously that depends on what you are doing, but if your bandwidth is twice what you need to make a good connection, you won't notice it there either.

So, from that point of view, I don't think that the 'good' VPN connection tells you anything.  At least not from a whether the connection seems to work viewpoint.  If possible, try to determine how many packets your VPN software is retransmitting during its connection with the Netscreen device.  This will tell you if the connection really is perfect or if it only seems that way.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This solves the problem of diagnosing why an internet connection is no longer working. It also helps identify the likely cause of the lost connection if the procedure fails to re-establish your internet connection. It helps to pinpoint the likely co…
Cable Modem Provisioning from DPoE compliant server  This Article is to support CMTS administrators to provide an overview of DOCSIS compliance configuration file, and to provision a cable modem located at customer place from a Back office serve…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now