VPN works great UNTIL users log on or off the domain, then the tunnel breaks!
Really driving me nuts. I have a branch office tunnel between sites using SonicWall TZ170 firewalls. The tunnels work perfectly for remote network folder access, Exchange, and Internet. But as soon as someone in that office logs their desktop computer onto the domain, BAM! The connection drops and they have to reboot the firewall to re-establish it (and then everything works fine again until another logon attempt). Has anyone seen this?
ASKER
Not likely. The device is licensed for five connections, with only three people in the office. I spoke with AT&T and it seems the provisioned DSL is WAAAAY past their 13k distance limit. The problem seems to be corrupted packets killing the circuit - as soon as the firewall is rebooted, everything works fine again. As soon as someone tries to log on, BANG. Circuit dead. I was following the theory that I was dealing with malformed packets and changed the MTU size (matched) but that didn't do it. Somehow the logon process is sending data using specific services/ports that this line does not like. I am using the identical setup for four branch offices with identical equipment - the other three offices work perfectly. Scratching my head...
DSL did have a 4. or 4.7 km distance limit. They have extended that but it sounds like they are pushing the limit at your site. VPNs do require stable connections with consistent ping responses of less than 125ms, and preferably less than 50ms, with stable being the key.
Do you have the option of changing providers?
How low did you set the MTU? Try the VPN client at 1200 if you haven't done so already.
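Added example (not from anyone in this thread): a small POSIX shell script that turns the two checks suggested above into something repeatable. `ping_verdict` reads ordinary `ping` output and grades it against the 50ms / 125ms latency figures given in the reply, also flagging jitter and lost sequence numbers, since "stable" is the key word; `mtu_probe` binary-searches for the largest packet that crosses the far end's path with the Don't Fragment bit set, which is how you find out whether an MTU of 1200 is actually needed instead of guessing. The ping lines in `SAMPLE_PING` are constructed sample data, and the `-M do` / `-W` flags assume Linux iputils `ping` (BSD and Windows ping spell these differently).

```shell
#!/bin/sh
# Added example, not from the original thread. Grades a ping log against the
# latency/stability thresholds above and probes the path MTU with DF set.

# Constructed sample of "ping -c 5 <far-end-of-tunnel>" output (Linux iputils
# format). One reply (seq 4) is missing and one is wildly late.
SAMPLE_PING='64 bytes from 10.0.2.1: icmp_seq=1 ttl=63 time=38.2 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=63 time=41.0 ms
64 bytes from 10.0.2.1: icmp_seq=3 ttl=63 time=452.7 ms
64 bytes from 10.0.2.1: icmp_seq=5 ttl=63 time=39.9 ms'

# ping_verdict: read ping reply lines on stdin, print
# "<avg ms> <max ms> <mean jitter ms> <lost replies> <verdict>".
# Thresholds: avg < 50ms and low jitter = good; any reply >= 125ms or any
# lost sequence number = unstable (the case a VPN tunnel will not tolerate).
ping_verdict() {
    awk '
    /time=/ {
        split($0, a, "time="); split(a[2], b, " "); t = b[1] + 0
        n++; sum += t; if (t > max) max = t
        if (n > 1) { d = t - prev; if (d < 0) d = -d; jit += d }
        prev = t
        split($0, s, "icmp_seq="); split(s[2], q, " "); seq = q[1] + 0
        if (seq > last) last = seq
    }
    END {
        if (n == 0) { print "no-replies"; exit }
        avg = sum / n
        j = (n > 1) ? jit / (n - 1) : 0
        lost = last - n                  # gaps in the sequence numbers
        verdict = "good"
        if (avg >= 50 || j > 20) verdict = "marginal"
        if (max >= 125 || lost > 0) verdict = "unstable"
        printf "%.1f %.1f %.1f %d %s\n", avg, max, j, lost, verdict
    }'
}

# mtu_probe HOST: largest IPv4 MTU that reaches HOST without fragmentation.
# Sends one DF-marked ICMP echo per probe and binary-searches the payload
# size between 1000 and 1472 bytes (1500 minus 20 IP + 8 ICMP header bytes).
# Needs network access; not exercised by the constructed sample.
mtu_probe() {
    host=$1; lo=1000; hi=1472; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -c 1 -W 2 -M do -s "$mid" "$host" >/dev/null 2>&1; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo $((best + 28))   # payload + ICMP + IPv4 headers = usable path MTU
}

# Stand-alone run: grade the constructed sample. For a real link, pipe
# "ping -c 100 <remote LAN host>" into ping_verdict instead, and run
# "mtu_probe <remote WAN address>" to see what the line really carries.
printf '%s\n' "$SAMPLE_PING" | ping_verdict
```

On the constructed sample the verdict is "unstable" because of the 452.7ms reply and the missing sequence number; a link that grades "good" over a few hundred pings but still drops the tunnel at logon points back at packet size, so run `mtu_probe` across the tunnel and set the VPN MTU a little under what it reports.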
ASKER
With apologies to anyone reading this in the Eureka, California area - the wiring infrastructure there is nothing to write home about. The area is prone to almost constant corrosion problems, the B-box punchdowns are probably not very clean, and the demarc locations are often wet. Changing carriers won't do anything because they would have to use the same lines. I'm leaning in the direction of poor infrastructure as my problem, since when the circuit is working all network resources 300 miles away are accessible without any problems. Burp the line with unexpected packet traffic or dropouts and that's all she wrote. I'll wrap this thread up after I meet with technicians this morning.
Sounds like it is systems out of your control.
ASKER
Well, it's not my configuration. I had a network technician onsite to double-check my VPN. When it's up it works like a champ. When we tracert and ping tested the connection it was all over the place - sometimes over 450ms for stretches. I'm still curious though - what is it about logging on that kills the connection? I can only assume it has something to do with traffic related to authentication, but all that stuff is passed on the firewall. Weird.
ASKER CERTIFIED SOLUTION
Just a thought.