Slow VPN connections, TZ170 and global VPN client

Hello,

I am having some difficulty with a recently set up VPN connection, this conversation stems from the following http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21818364.html

I am stumped as to why the VPN takes 20 minutes to load a file. I think we narrowed it down to a DNS issue but I cannot figure out where this DNS problem lies.  Am I missing something on the server or the router?  I have not called sonicwall support yet because I don't think they will help, just take the money.

As you can see from the past conversation, it is a small network, win2K server.  Server is running AD, DNS, WINS, and DHCP.  Internal server address is 192.168.1.100.  That IP is for DHCP, DNS etc...  The forwarders for DNS are set up to my ISP's DNS addresses.  DHCP does not hand out the ISP DNS, just my internal DNS.

Maybe someone out there knows the missing step here??  I sure am baffled.

Thanks a bunch!
mrjking2000Asked:
Rob WilliamsConnect With a Mentor Commented:
Rather than delete the LMHosts just add an unknown extension such as .abc to disable it.
You will need to purge and reload the local name cache by running at a command line:
 nbtstat  -R
Note: 'R' is case sensitive. If you want to verify it has been purged run:
  nbtstat  -c
again, 'c' is case sensitive.

The fact that the response time is varying that much is very odd, sounds like something else is going on. A decent VPN connection should be consistently under 125ms.
0
 
snerkelCommented:
This could be a problem with MTU on the client, try using http://www.dslreports.com/drtcp to reduce the current MTU setting. Say reduce by 40 to start with.
0
 
m1crochipCommented:
Is the LMHOSTS file set up correctly on the client?  Does the client machine's DNS server point to the private IP of the remote DNS server?  Security issue sounds like a time sync issue - I know you said that the script should handle it, but you should verify the system times on the sonicwall and the client.  

Hope I didn't repeat anything that was posted in the previous thread.
0

 
mrjking2000Author Commented:
Not sure if MTU is a concern, the VPN client adapter has a default MTU of 1418 and the LAN port on the laptop has a MTU of 1500.

As for LMHOSTS files...I haven't been asked this yet and I actually don't know how to check that.  Please explain the LMHOSTS.  I will reverify the time sync now.

Thanks!
0
 
m1crochipCommented:
Here is a link: http://support.microsoft.com/?kbid=150800

Works with WINS
0
 
m1crochipCommented:
When you don't have a local WINS server, you need to manually edit the LMHOSTS file for name resolution, etc.
0
 
mrjking2000Author Commented:
Okay, so my server is running WINS...which is the server that does everything else (DHCP, DNS, Active Directory).

Do I still need the LMHOSTS file?  I just made it and am trying to test it out. (I have two routers with different public IPs)
0
 
mrjking2000Author Commented:
Hmm, you know what, this LMHOSTS file made a vast improvement.  It got rid of the security errors, I was able to click my mapped drives and open documents.

I need to test this remotely (at the office I have two routers attached to the same ISP, I'd like to try the home which is comcast cable internet)

I'll keep you posted.
0
 
Rob WilliamsCommented:
mrjking2000, LMHosts file works well.
If you are going to use that I would recommend including a domain line such as:
192.168.123.123      "DOMAIN-NAME     \0x1b"     #PRE
LMHosts has a series of 'odd' rules, one of which is that with this line there have to be 20 characters between the quotations and the last 5 characters need to be \0x1b.
The #PRE needs to be capitalized. It will preload the information at start up.

The downside of LMHosts is it is static. If you use DHCP at the remote site or you change static IPs you need to edit the hosts file. With numerous remote users this becomes a management nightmare.
You mentioned you have a WINS server. Adding the WINS server's IP to the remote computer's TCP/IP advanced properties should assist with dynamic name resolution. WINS works well over a VPN. Also on the WINS tab enable NetBIOS over TCP/IP.

However, Active Directory and Group Policy rely on DNS, so if anyone has some magical solutions to that, it would be your best option.
0
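The 20-character rule for the domain entry is easy to get wrong by hand, so here is an added example (not from the thread or from any Microsoft tooling) that builds such a line and checks a hand-written one. It assumes the rule as stated above: the NetBIOS domain name is space-padded to 15 characters and followed by the literal 5-character suffix \0x1b, giving exactly 20 characters inside the quotes, with an upper-case #PRE tag. The IP and domain name used in the usage line are constructed sample values.

```python
# Added example (not from the thread): generate and check the LMHOSTS
# domain-controller entry Rob Williams describes. The quoted NetBIOS name
# field must be exactly 20 characters: the domain name space-padded to 15
# characters, followed by the literal 5-character text \0x1b (the 0x1B
# service byte that marks the domain controller). #PRE preloads the entry.
import ipaddress
import re

NAME_WIDTH = 15
SUFFIX = "\\0x1b"                        # literal backslash-0x1b text, not an escape
FIELD_WIDTH = NAME_WIDTH + len(SUFFIX)   # 20 characters between the quotes


def lmhosts_domain_line(ip: str, domain: str, preload: bool = True) -> str:
    """Return one correctly padded LMHOSTS line for the domain controller at ip."""
    ipaddress.IPv4Address(ip)            # raises ValueError on a malformed address
    if not 1 <= len(domain) <= NAME_WIDTH or not re.fullmatch(r"[A-Za-z0-9-]+", domain):
        raise ValueError("NetBIOS domain name must be 1-15 letters, digits or hyphens")
    field = domain.upper().ljust(NAME_WIDTH) + SUFFIX
    line = f'{ip}\t"{field}"'
    if preload:
        line += "\t#PRE"                 # #PRE is case-sensitive: preload at boot
    return line


# <ip>  "<field>"  [#tag]   -- the tag is captured loosely so its case can be checked
DOMAIN_LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"(?P<field>[^"]*)"(?:\s+(?P<tag>#\S+))?\s*$'
)


def check_domain_line(line: str) -> list[str]:
    """Return the problems found in a hand-written domain line (empty list = OK)."""
    m = DOMAIN_LINE_RE.match(line)
    if not m:
        return ['line does not look like:  <ip>  "<name>"  #PRE']
    problems = []
    field = m.group("field")
    if len(field) != FIELD_WIDTH:
        problems.append(f"quoted field is {len(field)} characters, must be {FIELD_WIDTH}")
    if not field.endswith(SUFFIX):
        problems.append(f"quoted field must end with {SUFFIX}")
    tag = m.group("tag")
    if tag is None:
        problems.append("missing #PRE, so the entry will not be preloaded")
    elif tag != "#PRE":
        problems.append(f"tag {tag} must be exactly #PRE (case-sensitive)")
    return problems


if __name__ == "__main__":
    # constructed sample values: internal DC address from the thread, made-up domain
    good = lmhosts_domain_line("192.168.1.100", "contoso")
    print(good)
    print("problems:", check_domain_line(good))
    # a hand-typed line that is short a few spaces
    print("problems:", check_domain_line('192.168.1.100 "CONTOSO \\0x1b" #pre'))
```

After editing the file, the thread's own advice still applies: run `nbtstat -R` to purge and reload the cache, then `nbtstat -c` to confirm the preloaded entry is present.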
 
giltjrCommented:
I have tried to read all of the related posts, but there are quite a few. So I apologize if some of this has been addressed before.

From the desktop can you ping all of the hosts you need to get to by their host names?  If you can ping by host names, it is not a DNS/WINS issue.  

You state that it takes 20 minutes to load the file, how big is the file?  What is the link speed that you are on?

Install a packet capture tool (I use Ethereal), start capturing packets on the VPN virtual NIC, and then do the file copy.  Now stop the capture and see where there are big delays.

0
 
mrjking2000Author Commented:
Okay, well I got my hopes up for nothing, still runs very very slow.  But I can ping my server remotely and it is 39 ms.  Not too shabby.

here is my Sonicwall Global VPN Client log.  unedited...

http://nti-llc.net/log/SWVpnClientLog.txt

Towards the very bottom one of the last lines says "NetGetDCName failed: Could not find domain controller for this domain."

Any ideas?
0
 
giltjrCommented:
How big is the file that you are trying to load? Another question, what are you loading into?  
0
 
mrjking2000Author Commented:
The file was 124KB.  So pretty small.
0
 
m1crochipCommented:
It looks to me that the sonicwall vpn client virtual interface is on the same subnet as your office.
0
 
mrjking2000Author Commented:
Well, that virtual interface had received an IP address from the DHCP server over the VPN connection.  So they would be on the same subnet.  That 1.101 is one of my internal addresses.

is that a bad thing?
0
 
m1crochipCommented:
Yes - you should turn off dhcp and assign a static one like 2.1
0
 
m1crochipCommented:
Keep the DNS and WINS servers the same, though.
0
 
mrjking2000Author Commented:
Okay, that is where this doesn't make sense to me...but if it'll work I'll give it a shot.  Wouldn't having my server hand out an IP address over the VPN be better because then my laptop in question is acting as part of the network?

Plus, if I make it 192.168.2.1 statically, would my gateway (server address) of 192.168.1.100 still work on a different subnet?

Sorry if that sounds like a dumb question but to me that doesn't make sense.
Thanks!
0
 
m1crochipCommented:
That's correct.  You could still use DHCP over the VPN, but you would have to create a new scope that assigned the remote clients a different subnet address than the subnet you're connecting to.
0
 
Rob WilliamsCommented:
Virtual clients are always in the same subnet as the site handing out the IP. True in a normal hardware to hardware environment they must be different, but not a software client. You should make sure the local subnet is different than the main office though. Even though it will often work it can cause routing issues.
I am seeing the main office as 192.168.1.0, the Virtual adapter as 192.168.1.101, and the local subnet as 192.168.12.0  If so, all looks good.

Also, if it were a problem you would be more likely diagnosing a connection issue than a slow logon issue.
0
 
m1crochipCommented:
I worked with global VPN a long time ago, I guess that I remember that now - sorry if that screwed you up.

Rob - there is no default gateway on the virtual interface - is that normal?
0
 
mrjking2000Author Commented:
Okay, as I read the above comments, the 2.1 subnet won't even let me connect to the VPN when I set that statically.

I'll wait for the next comment.
0
 
Rob WilliamsCommented:
Interesting point m1crochip. I don't know the SonicWall system, but most virtual adapters use themselves as the gateway, but it does show up as such. They also usually have a subnet mask of 255.255.255.255 instead of the 255.255.255.0.  I could take the easy out and say it doesn't matter, as the connection works <G>  
As I recall SonicWall uses the SafeNet client.  I use that in a few locations, though the DHCP requests may get handed out differently by WatchGuard and Netgear (also SafeNet), I could look next time I am on site and compare.
0
 
m1crochipCommented:
mrjking2000 - can you post a log from the TZ 170 for a connection during a file download?
0
 
mrjking2000Author Commented:
Yes, I am offsite right now working on another customer issue.  As soon as I get back I'll get a copy of the log to you.

Thanks!
0
 
mrjking2000Author Commented:
Here is the log.

http://nti-llc.net/log/VPNLOG5406.txt

This is for the timeframe that I was using the VPN.  I connected and disconnected a few times while checking things out (intentionally).
0
 
m1crochipConnect With a Mentor Commented:
Check the advanced setting for VPN on the sonicwall and make sure that you have the "Enable Fragmented Packet Handling"  & "Ignore DF (Don't Fragment) Bit" checkboxes checked.    
0
 
mrjking2000Author Commented:
Okay, that was not checked...I just turned it on.  He did not try the VPN from his house last night, but plans to tonight or over the weekend.

We'll see what this latest change produces.
Thanks!
0
 
mrjking2000Author Commented:
I'm on the laptop right now from his house and when I open files I get a very slow load still and a 320ms ping.  But when the connection sits idle I get a 39ms ping.

So any more thoughts?  I'm thinking about deleting the LMHOSTS file and seeing what happens now with the latest settings on the router.
0
 
mrjking2000Author Commented:
Any other ideas? I'm at a total loss trying to speed this up.
0
 
Rob WilliamsCommented:
There are no network related services enabled that could be running when using the connection, such as offline files, folder redirection, Windows Update using WSUS from the server, or similar? Curious as to why ping response would improve when idle.
0
 
mrjking2000Author Commented:
Nothing else is running.  It is mind boggling isn't it...

Windows update is set to run at 3:00 PM, we don't use offline files, redirection etc...
0
 
Rob WilliamsCommented:
mrjking2000, just reviewing this again and everything seems to be in place, I can't think of what the problem may be. It is very unusual.
0
 
mrjking2000Author Commented:
To those that are still subscribed to this, I found an interesting thing about MTU size.  My router is set to 1500, but when I do the tests to find my max MTU through my DSL provider I come up with 1464 as the max transmission unit.

Would this cause some of the issues with fragmented information above the 1464 size?

--Justin
0
 
Rob WilliamsCommented:
It could be causing some retransmissions which would definitely slow things down. If you wish to change do so on both the router (on the client end) and the client PC. To change on the PC use the DrTCP tool:
http://www.dslreports.com/faq/7752
0
 
giltjrConnect With a Mentor Commented:
When you are using a VPN, the MTU over the VPN connection will be less than your "real" connection's MTU.  This is because you are putting IP inside of IP, so you have additional overhead.  Depending on what type of VPN you are doing (L2TP, PPTP, IPSec) will depend on the overhead.  

Normally IP MTU is 1500, this is because normally IP is associated with Ethernet and a standard Ethernet frame allows 1500 bytes of payload.  However, PPPoE, which is what you normally use when using DSL, has an MTU of 1480.  

So your Internet connection has an MTU of 1480.  If you were doing your test over your VPN connection, then you have to subtract the overhead of your VPN connection, which could easily be another 16 bytes which brings you down to 1464.

0
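The "tests to find my max MTU" that Justin mentions, and the MTU arithmetic giltjr walks through, can be automated. The following is an added example (not from the thread, not a SonicWall or DrTCP tool): it binary-searches the largest payload a path carries with the Don't-Fragment bit set and converts that into an MTU figure. It assumes the standard 28 bytes of IPv4 + ICMP echo header on top of the ping payload, uses the Windows `ping -f -l` flags from the thread's platform (with the Linux `ping -M do -s` equivalent), and treats a reply line containing a TTL as success; the probe is injectable so the search logic can be exercised without a network.

```python
# Added example (not from the thread): find the largest unfragmented packet a
# path carries by binary-searching DF-bit ping sizes, then derive the path MTU.
import subprocess
import sys

IP_ICMP_HEADERS = 28          # 20-byte IPv4 header + 8-byte ICMP echo header (assumed standard)
ETHERNET_MAX_PAYLOAD = 1472   # 1500-byte Ethernet MTU minus those 28 bytes


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One Don't-Fragment ping with the given payload size; True on an echo reply.

    Windows: -f sets DF, -l is the payload size, -w is the timeout in ms.
    Linux:   -M do sets DF, -s is the payload size, -W is the timeout in s."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1",
               "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1",
               "-W", str(timeout_s), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    # A genuine echo reply line carries a TTL; "needs to be fragmented" does not.
    return "ttl=" in out.lower()


def find_max_payload(probe, lo: int = 0, hi: int = ETHERNET_MAX_PAYLOAD) -> int:
    """Largest size in [lo, hi] for which probe(size) is True.

    probe is assumed monotone: it succeeds up to some size and fails above,
    which is what a DF-bit ping does on a path with one smallest hop MTU."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: no connectivity, or ICMP blocked")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid              # mid fits, so the answer is at least mid
        else:
            hi = mid - 1          # mid was dropped, so the answer is below mid
    return lo


def path_mtu(probe, hi: int = ETHERNET_MAX_PAYLOAD) -> int:
    """Path MTU = largest surviving ping payload + IP/ICMP headers."""
    return find_max_payload(probe, 0, hi) + IP_ICMP_HEADERS


if __name__ == "__main__":
    # default target is the internal server address from the thread; pass another as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"
    mtu = path_mtu(lambda size: ping_df(target, size))
    print(f"path MTU to {target}: {mtu} bytes; set the client/router MTU to this or lower")
```

Run it once over the plain Internet connection and once over the VPN adapter; the difference between the two results is the tunnel overhead giltjr describes, and the VPN figure is the value to feed into DrTCP or the router's MTU setting.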
 
mrjking2000Author Commented:
Okay, so after banging my head against the wall for weeks upon weeks on this issue...we upgraded to a comcast 8mg down 1 mg up broadband connection and the VPN is super fast now.  Turns out that our old ADSL line just wasn't fast enough on the 256 upload speed to support transferring files.

Problem solved for now, but I am going to tweak the MTU on the sonicwall again to see if that helps matters any.

By the way, sonicwall tech support doesn't speak English until you get escalated to a level 3 tech after 8 hours of phone support.  Then all they said was simply ask for a "state side" tech and you'll get right through to someone you can understand.

Words of wisdom for any other sonicwall users out there.

Not sure what I'll do with the points on this one, I will probably divvy them up if the MTU works, there were other suggestions posted that helped along the way but I need to review them again.

Thanks!
--Justin
0
 
Rob WilliamsCommented:
Thanks for the update Justin. Sounds like one way or the other, you now have a resolution. Usually if you have a decent Internet connection on either end, auto works fine for MTU.
As for support, one of the main reasons so many people use Cisco is that support is readily available. I know with many of the manufacturers it can be frustrating. I had 9 e-mails and 2 phone calls with Netgear and all I got was "I don't understand the question."
0
 
Rob WilliamsCommented:
Thanks Justin,
--Rob
0
 
mrjking2000Author Commented:
No problem, I totally forgot to award the points.  

--Justin
0