Solved

IPSEC Tunnel causing high internet traffic!!!!

Posted on 2009-07-10
4
334 Views
Last Modified: 2013-12-14
Hi Guys,

I have the following setup
Head office is the domain controller with a 4mb ADSL line; a Billion B7402GX establishes the ADSL connection.
Branch office has two workstations that are connected to another Billion B7402GX with ADSL. To connect the two sites, the Billion router establishes a permanent IPsec tunnel between head office and branch office. The reason for the tunnel is:
- Head office is antivirus server with Trend Micro server and branches need to be in sync
- The branch logs into the head office DC
- Branch workstations use head office IP as primary DNS to resolve domain
- Branch uses RDP to use accounting software at head office

WHENEVER THIS TUNNEL IS ESTABLISHED THE USAGE OF INTERNET BANDWIDTH INCREASES BY AT LEAST 400MB PER DAY ON BOTH THE HEAD OFFICE AND BRANCH??? AUTO UPDATES TURNED OFF, ALL TORRENTS AND KNOWN SITES BLOCKED, ACCOUNTING SOFTWARE NOT USED YET SO NO RDP SESSIONS CAUSING THIS EITHER, WHAT COULD THIS BE?
Question by:ReinerWentzel
Accepted Solution

by:
rhandels earned 500 total points
ID: 24829803
Hi,
Are both machines on the branch office connected to the network when the VPN tunnel starts clogging up? If you don't have a DC at the branch office, you should keep in mind that all network traffic will be going over that line. A lot of network traffic tends to be overhead. But, e.g., if users open up Outlook and try to send an e-mail and press To, Outlook queries the GC, which is in the main office. Not only that, also DHCP and DNS overhead will generate heavy traffic. The downside to a VPN tunnel is that you cannot see what traffic is being sent through the tunnel.

If you would really like to know what is going through that tunnel, I'd suggest installing a tool like Wireshark on a branch machine and monitoring what traffic the machine is generating.

Also, as a best practice, it is always a good idea to have a DC at any branch office, especially when you connect the machines to the domain directly by using VPN; this is known to generate heavy traffic. Or make sure that the desktops in the branch office are not domain members and only let them work with a Terminal Server that's at the main office.
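One way to act on the Wireshark suggestion in the answer above, as an added example that is not part of the original thread: export a branch-side capture with tshark and total the bytes sent towards the head office per service. The 192.168.x.x addressing, the capture file name and the sample rows are constructed assumptions, since the thread gives no addresses.

```python
import csv
import ipaddress
from collections import Counter

# Assumption: head-office LAN behind the tunnel (not given in the thread).
HEAD_OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")
# Well-known ports for the services the branch uses over the tunnel.
SERVICES = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
            445: "SMB", 3268: "Global Catalog", 3389: "RDP"}
# Constructed sample, in the layout produced by:
#   tshark -r branch.pcap -T fields -E separator=, \
#       -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport -e frame.len
SAMPLE = """\
192.168.2.10,192.168.1.5,,53,86
192.168.2.10,192.168.1.5,445,,1514
192.168.2.10,192.168.1.5,445,,1514
192.168.2.11,192.168.1.5,3268,,310
192.168.2.10,203.0.113.7,443,,900
192.168.2.11,192.168.1.5,8080,,1200
not,a,valid,row
"""

def tunnel_bytes_by_service(rows):
    """Sum frame bytes per service for packets sent to the head-office net."""
    totals = Counter()
    for row in csv.reader(rows):
        if len(row) != 5:
            continue  # skip truncated or malformed export lines
        _src, dst, tcp_port, udp_port, length = row
        try:
            if ipaddress.ip_address(dst) not in HEAD_OFFICE_NET:
                continue  # plain internet traffic, does not use the tunnel
            port = int(tcp_port or udp_port)
            size = int(length)
        except ValueError:
            continue  # non-IP frames or rows without a port (e.g. ICMP)
        proto = "tcp" if tcp_port else "udp"
        totals[SERVICES.get(port, f"other {proto}/{port}")] += size
    return totals

def report(totals):
    """Return (service, bytes, percent) tuples, largest consumer first."""
    grand = sum(totals.values()) or 1
    return [(name, size, round(100 * size / grand, 1))
            for name, size in totals.most_common()]

if __name__ == "__main__":
    for name, size, pct in report(tunnel_bytes_by_service(SAMPLE.splitlines())):
        print(f"{name:<22}{size:>8} bytes {pct:>5}%")
```

Capturing on a branch workstation sees the traffic before the router encrypts it, which is why the per-service breakdown is possible there and not on the ADSL side.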
Author Comment

by:ReinerWentzel
ID: 24830947
Thanks a lot for the feedback. OK, so you say if I do take the two workstations off the DC and still maintain the IPsec VPN tunnel and use your suggested terminal server method, this will work? Sorry, I will only be able to test this on Monday.
Expert Comment

by:rhandels
ID: 24831517
It is working now already, right? The only downside to the config you have now is a lot of network traffic over the VPN tunnel?

If so, then either removing them from the domain and using Terminal Server to connect to your domain (don't install it on the DC btw, very very bad practice :)) or installing a very very small DC on the branch office will do the trick.

Though IMHO, is it a tremendous issue if you have some extra traffic generated over the VPN tunnel? With the prices you pay for internet connections being that low these days, it might be a cheaper solution to just upgrade the line...