Solved

Slow VPN connections, TZ170 and global VPN client

Posted on 2006-05-03
Last Modified: 2012-05-05
Hello,

I am having some difficulty with a recently set up VPN connection, this conversation stems from the following http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21818364.html

I am stumped as to why the VPN takes 20 minutes to load a file, I think we narrowed it down to a DNS issue but I can not figure out where this DNS problem lies.  Am I missing something on the server or the router?  I have not called sonicwall support yet because I don't think they will help, just take the money.

As you can see from the past conversation, it is a small network, Win2K server.  Server is running AD, DNS, WINS, and DHCP.  Internal server address is 192.168.1.100.  That IP is for DHCP, DNS etc...  The forwarders for DNS are set up to my ISP's DNS addresses.  DHCP does not hand out the ISP DNS, just my internal DNS.

Maybe someone out there knows the missing step here??  I sure am baffled.

Thanks a bunch!
0
Question by:mrjking2000
40 Comments
 
LVL 10

Expert Comment

by:snerkel
ID: 16598097
This could be a problem with MTU on the client, try using http://www.dslreports.com/drtcp to reduce the current MTU setting. Say reduce by 40 to start with.
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16598175
Is the LMHOSTS file set up correctly on the client?  Does the client machine's DNS server point to the private IP of the remote DNS server?  Security issue sounds like a time sync issue - I know you said that the script should handle it, but you should verify the system times on the sonicwall and the client.  

Hope I didn't repeat anything that was posted in the previous thread.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16598420
Not sure if MTU is a concern, the VPN client adapter has a default MTU of 1418 and the LAN port on the laptop has a MTU of 1500.

As for LMHOSTS files...I haven't been asked this yet and I actually don't know how to check that.  Please explain the LMHOSTS.  I will reverify the time sync now.

Thanks!
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16598538
Here is a link: http://support.microsoft.com/?kbid=150800

Works with WINS
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16598567
When you don't have a local WINS server, you need to manually edit the LMHOSTS file for name resolution, etc.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16598694
okay so my server is running WINS...which is the server that does everything else (DHCP, DNS, Active Directory)

Do I still need the LMHOSTS file?  I just made it and am trying to test it out. (I have two routers with different public IPs)
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16598762
hmm, you know what, this LMHOSTS file made a vast improvement.  It got rid of the security errors, I was able to click my mapped drives and open documents

I need to test this remotely (at the office I have two routers attached to the same ISP, I'd like to try the home which is comcast cable internet)

I'll keep you posted.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16601928
mrjking2000, LMHosts file works well.
If you are going to use that I would recommend including a domain line such as:
192.168.123.123      "DOMAIN-NAME     \0x1b"     #PRE
LMHosts has a series of 'odd' rules, one of which is that with this line there have to be 20 characters between the quotation marks and the last 5 characters need to be \0x1b
The #PRE needs to be capitalized. It will preload the information at start up.

The downside of LMHosts is it is static. If you use DHCP at the remote site or you change static IPs you need to edit the hosts file. With numerous remote users this becomes a management nightmare.
You Mentioned you have a WINS server. Adding the WINS server's IP to the remote computers TCP/IP advanced properties should assist with Dynamic name resolution. WINS works well over a VPN. Also on the WINS tab enable NetBIOS over TCP/IP.

However, Active Directory and Group Policy rely on DNS, so if anyone has some magical solutions to that, it would be your best option.
0
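The LMHosts padding rule Rob describes above, worked through as an added example (Python, not from the thread or from Microsoft): a builder that emits a correctly padded domain-controller entry and a checker that flags the common mistakes. The 15-character NetBIOS name field and the 0x1B suffix convention are assumed; the IP and domain name used are constructed samples.

```python
import re

# Added example (not from the thread): build and check LMHOSTS lines of the
# kind Rob Williams describes. Assumed convention: the \0x1b suffix marks the
# domain controller (domain master browser) record, the quoted field must be
# exactly 20 characters (15-character space-padded NetBIOS name + the
# 5-character escape \0x1b), and #PRE must be upper case to preload the entry.
NAME_FIELD_LEN = 15
SUFFIX = r"\0x1b"                           # expands to the single 0x1B name byte
QUOTED_LEN = NAME_FIELD_LEN + len(SUFFIX)   # 20, the figure quoted in the thread

# <ip> <plain name | "quoted name"> [#tags...]
_LINE_RE = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3})\s+(?:"([^"]*)"|(\S+))(?:\s+(#.*))?\s*$'
)


def domain_entry(ip: str, domain: str, preload: bool = True) -> str:
    """Return an LMHOSTS line mapping DOMAIN<0x1B> to the DC at `ip`."""
    if not 1 <= len(domain) <= NAME_FIELD_LEN:
        raise ValueError("NetBIOS domain name must be 1-15 characters")
    quoted = f'"{domain.upper().ljust(NAME_FIELD_LEN)}{SUFFIX}"'
    line = f"{ip:<15} {quoted}"
    return f"{line}  #PRE" if preload else line


def check_entry(line: str) -> list:
    """Return the problems found in one LMHOSTS line; an empty list means OK."""
    m = _LINE_RE.match(line)
    if not m:
        return ["line is not '<ip> <name or \"quoted name\"> [#PRE]'"]
    _ip, quoted, _plain, tags = m.groups()
    problems = []
    if quoted is not None:
        if len(quoted) != QUOTED_LEN:
            problems.append(f"quoted field is {len(quoted)} chars, needs {QUOTED_LEN}")
        if not quoted.endswith(SUFFIX):
            problems.append("quoted field must end with the \\0x1b escape")
    for tag in (tags or "").split():
        if tag.upper() == "#PRE" and tag != "#PRE":
            problems.append(f"{tag} is ignored; #PRE must be upper case")
    return problems
```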
 
LVL 57

Expert Comment

by:giltjr
ID: 16602406
I have tried to read all of the related posts, but there are quite a few. So I apologize if some of this has been addressed before.

From the desktop can you ping all of the hosts you need to get to by their host names?  If you can ping by host name, it is not a DNS/WINS issue.  

You state that it takes 20 minutes to load the file, how big is the file?  What is the link speed that you are on?

Install a packet capture tool (I use Ethereal), start capturing packets on the VPN virtual NIC, and then do the file copy.  Now stop the capture and see where there are big delays.

0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16608022
okay well I got my hopes up for nothing, still runs very very slow.  But I can ping my server remotely and it is 39 ms.  Not too shabby.

here is my Sonicwall Global VPN Client log.  unedited...

http://nti-llc.net/log/SWVpnClientLog.txt

Towards the very bottom one of the last lines says "NetGetDCName failed: Could not find domain controller for this domain."

Any ideas?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16608082
How big is the file that you are trying to load? Another question, what are you loading into?  
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16608486
the file was 124KB.  So pretty small.
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16608555
It looks to me that the sonicwall vpn client virtual interface is on the same subnet as your office.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16608596
well that virtual interface had received an IP address from the DHCP server over the VPN connection.  So they would be on the same subnet.  that 1.101 is one of my internal addresses.

is that a bad thing?
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16608612
Yes - you should turn off dhcp and assign a static one like 2.1
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16608627
Keep the DNS and WINS servers the same, though.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16608699
okay that is where this doesn't make sense to me...but if it'll work I'll give it a shot.  Wouldn't having my server hand out an IP address over the VPN be better because then my laptop in question is acting as part of the network?

Plus, if I make it 192.168.2.1 statically, would my gateway (server address) of 192.168.1.100 still work on a different subnet?

Sorry if that sounds like a dumb question but to me that doesn't make sense.
Thanks!
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16608755
That's correct.  You could still use DHCP over the VPN, but you would have to create a new scope that assigned the remote clients a different subnet address than the subnet you're connecting to.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16608777
Virtual clients are always in the same subnet as the site handing out the IP. True in a normal hardware to hardware environment they must be different, but not a software client. You should make sure the local subnet is different than the main office though. Even though it will often work it can cause routing issues.
I am seeing the main office as 192.168.1.0, the Virtual adapter as 192.168.1.101, and the local subnet as 192.168.12.0.  If so, all looks good.

Also, if it were a problem you would be more likely diagnosing a connection issue than a slow logon issue.
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16608929
I worked with global VPN a long time ago, I guess that I remember that now - sorry if that screwed you up.

Rob - there is no default gateway on the virtual interface - is that normal?
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16608963
okay as I read above comments, the 2.1 subnet won't even let me connect to the VPN when I set that statically.

I'll wait for the next comment.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16609006
Interesting point m1crochip. I don't know the SonicWall system, but most virtual adapters use themselves as the gateway, but it does show up as such. They also usually have a subnet mask of 255.255.255.255 instead of the 255.255.255.0.  I could take the easy out and say doesn't matter, as the connection works <G>  
As I recall SonicWall uses the SafeNet client.  I use that in a few locations, though the DHCP requests may get handed out differently by WatchGuard and Netgear (also SafeNet), I could look next time I am on site and compare.
0
 
LVL 3

Expert Comment

by:m1crochip
ID: 16609319
mrjking2000 - can you post a log from the TZ 170 for a connection during a file download?
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16609937
yes I am offsite right now working on another customer issue.  As soon as I get back I'll get a copy of the log to you.

Thanks!
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16610685
here is the log.

http://nti-llc.net/log/VPNLOG5406.txt

this is for the timeframe that I was using the VPN.  I connected and disconnected a few times while checking things out (intentionally).
0
 
LVL 3

Assisted Solution

by:m1crochip
m1crochip earned 500 total points
ID: 16615388
Check the advanced setting for VPN on the sonicwall and make sure that you have the "Enable Fragmented Packet Handling"  & "Ignore DF (Don't Fragment) Bit" checkboxes checked.    
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16615535
okay that was not checked...I just turned it on.  He did not try the VPN from his house last night, but plans to tonight or over the weekend.

We'll see what this latest change produces.
Thanks!
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16627060
I'm on the laptop right now from his house and when I open files I get a very slow load still and a 320ms ping.  But when the connection sits idle I get a 39ms ping.

So any more thoughts?  I'm thinking about deleting the LMHOSTS file and seeing what happens now with the latest settings on the router.
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 16627285
Rather than delete the LMHosts just add an unknown extension such as .abc to disable it.
You will need to purge and reload the local name cache by running at a command line:
 nbtstat  -R
Note: 'R' is case sensitive. If you want to verify it has been purged run:
  nbtstat  -c
again, 'c' is case sensitive

The fact that the response time is varying that much is very odd, sounds like something else is going on. A decent VPN connection should be consistently under 125ms
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16690541
Any other ideas? I'm at a total loss trying to speed this up.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16690606
There are no network related services enabled that could be running when using the connection, such as offline files, folder redirection, windows update services using WSUS from the server, or similar? Curious as to why ping response would improve when idle.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16690853
Nothing else is running.  It is mind boggling isn't it...

Windows update is set to run at 3:00 PM, we don't use offline files, redirection etc...
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16724346
mrjking2000, just reviewing this again and everything seems to be in place, I can't think of what the problem may be. It is very unusual.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16895747
To those that are still subscribed to this, I found an interesting thing about MTU size.  My router is set to 1500, but when I do the tests to find my max MTU through my DSL provider I come up with 1464 as the max transmission unit.

Would this cause some of the issues with fragmented information above the 1464 size?

--Justin
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16895857
It could be causing some retransmissions which would definitely slow things down. If you wish to change do so on both the router (on the client end) and the client PC. To change on the PC use the DrTCP tool:
http://www.dslreports.com/faq/7752
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1000 total points
ID: 16896355
When you are using a VPN, the MTU over the VPN connection will be less than your "real" connection's MTU.  This is because you are putting IP inside of IP, so you have additional overhead.  The overhead depends on what type of VPN you are doing (L2TP, PPTP, IPSec).  

Normally IP MTU is 1500, this is because normally IP is associated with Ethernet and a standard Ethernet frame allows 1500 bytes of payload.  However, PPPoE, which is what you normally use when using DSL, has an MTU of 1480.  

So your Internet connection has a MTU of 1480.  If you were doing your test over your VPN connection, then you have to subtract the overhead of your VPN connection, which could easily be another 16 bytes which brings you down to 1464.

0
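giltjr's MTU arithmetic above and Justin's measured 1464, carried through in code as an added example (Python, not from the thread): it derives the tunnel MTU layer by layer, converts a largest-passing DF ping payload back to a path MTU, and checks a configured adapter MTU (the router's 1500, the VPN client's 1418 mentioned earlier) against that path. The 1480 and 16-byte figures are the thread's own; the IPv4 and ICMP header sizes are standard; the helper names are mine.

```python
# Added example (not from the thread): the MTU arithmetic giltjr walks through,
# carried a step further to check a configured adapter MTU against a measured
# path. Link and VPN overhead figures are the thread's own (PPPoE leaving 1480,
# "another 16 bytes" for the tunnel); IPv4 (20) and ICMP (8) header sizes are
# standard. The helper names below are my own, not SonicWall's.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = ETHERNET_MTU - 1480    # 20, implied by the thread's 1480 figure
VPN_OVERHEAD = 16                       # giltjr's estimate for the tunnel header
IPV4_HEADER = 20
ICMP_HEADER = 8


def effective_mtu(link_mtu: int, *overheads: int) -> int:
    """MTU left for the innermost payload after each encapsulation layer."""
    mtu = link_mtu
    for overhead in overheads:
        if not 0 <= overhead < mtu:
            raise ValueError(f"overhead {overhead} does not fit in MTU {mtu}")
        mtu -= overhead
    return mtu


def path_mtu_from_ping(max_payload: int) -> int:
    """Path MTU implied by the largest DF-bit ping payload that got through.

    On Windows that probe is `ping -f -l <bytes>`; -l counts only the ICMP
    payload, so the IPv4 and ICMP headers are added back here.
    """
    return max_payload + IPV4_HEADER + ICMP_HEADER


def mtu_check(adapter_mtu: int, path_mtu: int, tunnel_overhead: int = 0) -> dict:
    """Say whether an adapter's MTU fits the path once tunnel overhead is added.

    Packets over the path MTU are either fragmented in transit (the SonicWall
    'Fragmented Packet Handling' case) or, with DF set, dropped, which shows up
    as the retransmissions Rob mentions.
    """
    budget = path_mtu - tunnel_overhead
    return {
        "adapter_mtu": adapter_mtu,
        "budget": budget,
        "fits": adapter_mtu <= budget,
        "reduce_by": max(0, adapter_mtu - budget),
    }
```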
 
LVL 1

Author Comment

by:mrjking2000
ID: 16960864
okay so after banging my head against the wall for weeks upon weeks on this issue...we upgraded to a Comcast 8 Mb down, 1 Mb up broadband connection and the VPN is super fast now.  Turns out that our old ADSL line just wasn't fast enough on the 256 upload speed to support transferring files.

Problem solved for now, but I am going to tweak the MTU on the sonicwall again to see if that helps matters any.

By the way, SonicWall tech support doesn't speak English until you get escalated to a level 3 tech after 8 hours of phone support.  Then all they said was simply ask for a "state side" tech and you'll get right through to someone you can understand.

Words of wisdom for any other sonicwall users out there.

Not sure what I'll do with the points on this one, I will probably divvy them up if the MTU works, there were other suggestions posted that helped along the way but I need to review them again.

Thanks!
--Justin
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16961010
Thanks for the update Justin. Sounds like one way or the other, you now have a resolution. Usually if you have a decent Internet connection on either end, auto works fine for MTU.
As for support, one of the main reasons so many people use Cisco is that support is readily available. I know with many of the manufacturers it can be frustrating. I had 9 e-mails and 2 phone calls with Netgear and all I got was "I don't understand the question."
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 17189289
Thanks Justin,
--Rob
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 17189314
No problem, I totally forgot to award the points.  

--Justin
0
