
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 188

VPN works great UNTIL users logon or off the domain, then tunnel breaks!

Really driving me nuts. I have a branch office tunnel between sites using SonicWall TZ170 firewalls. The tunnels work perfectly for remote network folder access, Exchange, and Internet. But as soon as someone in that office logs onto the domain from their desktop computer, BAM! The connection drops and they have to reboot the firewall to re-establish it (and then everything works fine again until another logon attempt). Has anyone seen this?

Asked by: 214-042308
1 Solution
 
Rob Williams commented:
No chance it is related to the number of licenses? SonicWalls are sold with a specific number of user licenses and that cannot be exceeded. On a LAN, if for example you have 10 licenses, the 11th user will be blocked. I am not sure about the VPN connections. It is possible the new LAN user may have priority over the VPN user and "bump" them.
Just a thought.
 
214-042308 (Author) commented:
Not likely. The device is licensed for five connections, with only three people in the office. I spoke with AT&T and it seems the provisioned DSL is WAAAAY past their 13k distance limit. The problem seems to be corrupted packets killing the circuit - as soon as the firewall is rebooted, everything works fine again. As soon as someone tries to log on, BANG. Circuit dead. I was following the theory that I was dealing with malformed packets and changed the MTU size (matched), but that didn't do it. Somehow the logon process is sending data using specific services/ports that this line does not like. I am using the identical setup for four branch offices with identical equipment - the other three offices work perfectly. Scratching my head...
 
Rob Williams commented:
DSL did have a 4 or 4.7 km distance limit. They have extended that, but it sounds like they are pushing the limit at your site. VPNs do require stable connections with consistent ping responses of less than 125 ms, and preferably less than 50 ms, with stable being the key.
Do you have the option of changing providers?
How low did you set the MTU? Try the VPN client at 1200 if you haven't done so already.
214-042308 (Author) commented:
With apologies to anyone reading this in the Eureka, California area - the wiring infrastructure there is nothing to write home about. The area is prone to almost constant corrosion problems, the B-box punchdowns are probably not very clean, and the demarc locations are often wet. Changing carriers won't do anything because they would have to use the same lines. I'm leaning in the direction of poor infrastructure as my problem, since when the circuit is working all network resources 300 miles away are accessible without any problems. Burp the line with unexpected packet traffic or dropouts and that's all she wrote. I'll wrap this thread up after I meet with technicians this morning.
 
Rob Williams commented:
Sounds like the systems are out of your control.
 
214-042308 (Author) commented:
Well, it's not my configuration. I had a network technician onsite to double-check my VPN. When it's up it works like a champ. When we tracert and ping tested the connection it was all over the place - sometimes over 450 ms for stretches. I'm still curious though - what is it about logging on that kills the connection? I can only assume it has something to do with traffic related to authentication, but all that stuff is passed on the firewall. Weird.
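As an added example (not code from this thread or from any of its participants), here is a small Python script that scores a run of ping replies against the thresholds Rob Williams gives above: replies consistently under 125 ms, preferably under 50 ms, with stability as the deciding factor. It parses Linux or Windows ping output and reports packet loss, worst-case latency and jitter, so a link like the one the author describes (stretches over 450 ms) is flagged before anyone blames the VPN configuration. The sample ping lines are constructed, and the jitter and loss ceilings are assumptions chosen for this example rather than figures from the thread.

```python
import re
from dataclasses import dataclass, field

# Thresholds stated in the thread: consistently under 125 ms, preferably under 50 ms.
HARD_LIMIT_MS = 125.0
PREFERRED_MS = 50.0
# Jitter and loss ceilings are assumptions for this example, not figures from the thread.
MAX_JITTER_MS = 30.0
MAX_LOSS_PCT = 2.0

# Matches Linux replies ("time=48.2 ms") and Windows replies ("time=48ms", "time<1ms").
RTT_RE = re.compile(r"time[=<]\s*(\d+(?:\.\d+)?)\s*ms")
# Lines that prove a probe was sent but never answered.
LOSS_MARKERS = ("timed out", "no answer yet", "unreachable")


@dataclass
class LinkReport:
    sent: int
    received: int
    loss_pct: float
    min_ms: float
    avg_ms: float
    max_ms: float
    jitter_ms: float
    verdict: str              # "good", "marginal" or "unstable"
    reasons: list = field(default_factory=list)


def parse_rtts(lines):
    """Return (probes_sent, list_of_rtts_ms) from raw ping output lines."""
    rtts, sent = [], 0
    for line in lines:
        m = RTT_RE.search(line)
        if m:
            sent += 1
            rtts.append(float(m.group(1)))
        elif any(marker in line.lower() for marker in LOSS_MARKERS):
            sent += 1  # sent, but no reply: counts as loss
    return sent, rtts


def mean_jitter(rtts):
    """Mean absolute difference between consecutive replies (0 if fewer than two)."""
    if len(rtts) < 2:
        return 0.0
    return sum(abs(b - a) for a, b in zip(rtts, rtts[1:])) / (len(rtts) - 1)


def assess(lines):
    """Score ping output against the thread's latency guidance."""
    sent, rtts = parse_rtts(lines)
    received = len(rtts)
    loss_pct = 100.0 * (sent - received) / sent if sent else 100.0
    if not rtts:
        return LinkReport(sent, 0, loss_pct, 0.0, 0.0, 0.0, 0.0, "unstable", ["no replies"])
    mn, mx, avg, jit = min(rtts), max(rtts), sum(rtts) / received, mean_jitter(rtts)

    reasons = []
    if loss_pct > MAX_LOSS_PCT:
        reasons.append(f"packet loss {loss_pct:.1f}% exceeds {MAX_LOSS_PCT}%")
    if mx > HARD_LIMIT_MS:
        reasons.append(f"worst reply {mx:.1f} ms exceeds {HARD_LIMIT_MS} ms")
    if jit > MAX_JITTER_MS:
        reasons.append(f"jitter {jit:.1f} ms exceeds {MAX_JITTER_MS} ms")
    if reasons:
        verdict = "unstable"
    elif avg > PREFERRED_MS:
        verdict, reasons = "marginal", [f"average {avg:.1f} ms is above the preferred {PREFERRED_MS} ms"]
    else:
        verdict = "good"
    return LinkReport(sent, received, loss_pct, mn, avg, mx, jit, verdict, reasons)


# Constructed sample output: a healthy branch link and a long-loop DSL line.
HEALTHY_PING = [
    "64 bytes from 10.10.0.1: icmp_seq=1 ttl=63 time=42.1 ms",
    "64 bytes from 10.10.0.1: icmp_seq=2 ttl=63 time=45.3 ms",
    "64 bytes from 10.10.0.1: icmp_seq=3 ttl=63 time=44.0 ms",
    "64 bytes from 10.10.0.1: icmp_seq=4 ttl=63 time=48.2 ms",
    "64 bytes from 10.10.0.1: icmp_seq=5 ttl=63 time=43.7 ms",
]
FLAKY_PING = [
    "64 bytes from 10.20.0.1: icmp_seq=1 ttl=63 time=61.0 ms",
    "64 bytes from 10.20.0.1: icmp_seq=2 ttl=63 time=472.8 ms",
    "64 bytes from 10.20.0.1: icmp_seq=3 ttl=63 time=38.4 ms",
    "no answer yet for icmp_seq=4",
    "64 bytes from 10.20.0.1: icmp_seq=5 ttl=63 time=455.1 ms",
    "64 bytes from 10.20.0.1: icmp_seq=6 ttl=63 time=119.6 ms",
]

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_PING), ("flaky", FLAKY_PING)):
        r = assess(sample)
        print(f"{name}: {r.verdict} (avg {r.avg_ms:.1f} ms, max {r.max_ms:.1f} ms, "
              f"jitter {r.jitter_ms:.1f} ms, loss {r.loss_pct:.1f}%) {r.reasons}")
```

Feed it real output with `ping -c 200 -O <tunnel peer>` on Linux (`-O` prints the "no answer yet" lines the loss counter relies on) or `ping -n 200 <peer>` on Windows, run for long enough to catch the intermittent stretches rather than a single quiet minute.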
 
Rob Williams commented:
>>"The tunnels work perfectly for remote network folder access, Exchange, and Internet. But as soon as someone in that office logs onto their desktop computer to the domain BAM!"
Curious as to how you can have folder access without logging on to the domain?

With ping replies of 450ms, you will not be able to maintain a VPN. This is a common problem with satellite connections.
