VPN works great UNTIL users log on or off the domain, then the tunnel breaks!

Really driving me nuts. I have a branch office tunnel between sites using SonicWALL TZ170 firewalls. The tunnels work perfectly for remote network folder access, Exchange, and Internet. But as soon as someone in that office logs their desktop computer onto the domain, BAM! The connection drops and they have to reboot the firewall to re-establish it (and then everything works fine again until another logon attempt). Has anyone seen this?


Asked by 214-042308
Rob Williams commented:
No chance it is related to the number of licenses? SonicWALLs are sold with a specific number of user licenses and that cannot be exceeded. On a LAN, if for example you have 10 licenses, the 11th user will be blocked. I am not sure about the VPN connections. It is possible the new LAN user may have priority over the VPN user and "bump" them.
Just a thought.
214-042308 (Author) commented:
Not likely. The device is licensed for five connections, with only three people in the office. I spoke with AT&T and it seems the provisioned DSL is WAAAAY past their 13k distance limit. The problem seems to be corrupted packets killing the circuit - as soon as the firewall is rebooted, everything works fine again. As soon as someone tries to log on, BANG. Circuit dead. I was following the theory that I was dealing with malformed packets and changed the MTU size (matched) but that didn't do it. Somehow the logon process is sending data using specific services/ports that this line does not like. I am using the identical setup for four branch offices with identical equipment - the other three offices work perfectly. Scratching my head...
Rob Williams commented:
DSL did have a 4 or 4.7 km distance limit. They have extended that, but it sounds like they are pushing the limit at your site. VPNs do require stable connections with consistent ping responses of less than 125ms, and preferably less than 50ms, with stable being the key.
Do you have the option of changing providers?
How low did you set the MTU? Try the VPN client at 1200 if you haven't done so already.
214-042308 (Author) commented:
With apologies to anyone reading this in the Eureka, California area - the wiring infrastructure there is nothing to write home about. The area is prone to almost constant corrosion problems, the B-box punchdowns are probably not very clean, and the demarc locations are often wet. Changing carriers won't do anything because they would have to use the same lines. I'm leaning in the direction of poor infrastructure as my problem, since when the circuit is working all network resources 300 miles away are accessible without any problems. Burp the line with unexpected packet traffic or dropouts and that's all she wrote. I'll wrap this thread up after I meet with technicians this morning.
Rob Williams commented:
Sounds like it is in systems out of your control.
214-042308 (Author) commented:
Well, it's not my configuration. I had a network technician onsite to double-check my VPN. When it's up it works like a champ. When we ran tracert and ping tests on the connection it was all over the place - sometimes over 450ms for stretches. I'm still curious though - what is it about logging on that kills the connection? I can only assume it has something to do with traffic related to authentication, but all that stuff is passed on the firewall. Weird.
Rob Williams commented:
>>"The tunnels work perfectly for remote network folder access, Exchange, and Internet. But as soon as someone in that office logs onto their desktop computer to the domain BAM!"
Curious as to how you can have folder access without logging on to the domain?

With ping replies of 450ms, you will not be able to maintain a VPN. This is a common problem with satellite connections.
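The rule of thumb Rob Williams gives (consistent replies under 125 ms, preferably under 50 ms, stable above all) and the 450 ms stretches the author measured can be checked mechanically from a saved ping run. The script below is an added example, not code from this thread or from SonicWALL: it parses Windows or Linux/macOS ping output, computes loss, worst-case RTT and jitter, and applies the thresholds quoted above; the jitter and loss bounds and the sample output are my own assumptions and constructions.

```python
import re
import statistics

# Guidance from the thread: ping replies consistently under 125 ms, preferably under 50 ms.
RTT_REQUIRED_MS, RTT_PREFERRED_MS = 125.0, 50.0
# Assumed bounds for "stable" (not from the thread): mean jump between replies, % lost.
JITTER_LIMIT_MS, LOSS_LIMIT_PCT = 30.0, 1.0

# Matches Windows ("time=452ms", "time<1ms") and Linux/macOS ("time=452 ms") replies.
REPLY_RE = re.compile(r"time[=<]([\d.]+) ?ms")
TIMEOUT_RE = re.compile(r"request time(d )?out|no answer yet", re.IGNORECASE)

def parse_ping(output):
    """Return (rtts_ms, requests_sent) parsed from raw ping output."""
    rtts, sent = [], 0
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            rtts.append(float(m.group(1)))
            sent += 1
        elif TIMEOUT_RE.search(line):
            sent += 1
    return rtts, sent

def assess(rtts, sent):
    """Judge the samples against the thresholds above; returns a summary dict."""
    if sent == 0:
        raise ValueError("no ping replies or timeouts found in output")
    loss_pct = 100.0 * (sent - len(rtts)) / sent
    jitter = (statistics.mean(abs(b - a) for a, b in zip(rtts, rtts[1:]))
              if len(rtts) > 1 else 0.0)
    worst = max(rtts, default=float("inf"))
    avg = statistics.mean(rtts) if rtts else float("inf")
    if loss_pct > LOSS_LIMIT_PCT or worst > RTT_REQUIRED_MS or jitter > JITTER_LIMIT_MS:
        verdict = "unusable"   # a tunnel on this line will keep dropping
    elif avg > RTT_PREFERRED_MS:
        verdict = "marginal"
    else:
        verdict = "good"
    return {"sent": sent, "loss_pct": loss_pct, "avg_ms": avg,
            "worst_ms": worst, "jitter_ms": jitter, "verdict": verdict}

# Constructed sample (not a real capture): 450 ms stretches and a dropout between ~40 ms replies.
SAMPLE_BAD = """\
Reply from 10.1.1.1: bytes=32 time=38ms TTL=64
Reply from 10.1.1.1: bytes=32 time=452ms TTL=64
Reply from 10.1.1.1: bytes=32 time=470ms TTL=64
Request timed out.
Reply from 10.1.1.1: bytes=32 time=44ms TTL=64
"""
```

Pipe a few minutes of `ping` output from the remote tunnel endpoint into `parse_ping` and run `assess` on it; a single stretch above 125 ms or a single dropout is enough to flag the line as unusable, which matches what the author saw.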