New Fiber Line making VPN unstable

We recently upgraded from a T-1 line (1.5mb) to a fiber line (10mb) with the same ISP and kept our same IP address.  Since the upgrade about 1/3 have seen speed improvements, 1/3 see no change and 1/3 are getting booted off anywhere from 2-3 up to 20 minutes after connecting.  I'm connected right now from home and while I'm copying files off the server to test, I find that after about 20 minutes I'm disconnected.  I've not changed anything at home and before we upgraded the office the VPN would allow me to stay connected without a glitch for days.  I had a remote user connect on Friday to the VPN and she is still connected despite not touching her computer all weekend.  I have a user that can connect from his remote office and stay connected but when he takes his laptop home and connects he gets kicked off after 2-3 minutes.  Any ideas where I can start looking to fix this issue?  Thanks.

I'm running Windows Server 2003 behind a Sonicwall 170 firewall and have the VPN on the server.  I'm connecting from home using Windows 7 but all other users have XP SP3.
 
digitapCommented:
Confirm the speed/duplex of the WAN interface.  Also, since your bandwidth changed, so your MTU size changed.  Follow the steps in my article to calculate the MTU of your WAN interface and change it accordingly.  Let me know how you get along.

http://www.experts-exchange.com/viewArticle.jsp?aid=3110

My bet is on the speed/duplex setting.  Try all the combinations: 100MB/Full; 10MB/Half...etc.
 
woolnoirCommented:
The first thing to check is if the line is the issue causing the instability. The best way is either to set up a ping test yourself - or get the ISP to run a physical-level test of the line (which could, depending on the tests, mean some downtime).

Once you have an idea of the stability of the line you can start looking at other issues - it could be a hop in between causing the issue; just because the IP address is the same doesn't mean the traffic is taking the same route between the fibre and your users ... in fact it could be something at any point in between causing the issues, so take it step by step.
 
theonlyallanCommented:
Have you checked the Event ID log for why the disconnect occurred?
 
kim2vpAuthor Commented:
Sorry for the delayed response.

Using the guide below at the link my MTU should be 1500.  I was able to ping at 1472 before getting a message about fragmented packets.  My sonicwall is already set to 1500 and the setting for speed is currently 100 Mbps, half duplex - I have it set to auto negotiate.

Should I force it to something else? Thanks.

> Confirm the speed/duplex of the WAN interface.  Also, since your bandwidth changed, so your MTU size changed.  Follow the steps in my article to calculate the MTU of your WAN interface and change it accordingly.  Let me know how you get along.

> http://www.experts-exchange.com/viewArticle.jsp?aid=3110

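The MTU procedure digitap describes and the result kim2vp reports above (a 1472-byte ping payload passes, so MTU = 1472 + 28 = 1500), carried out as a script. This is an added example, not code from the thread or from SonicWALL; it assumes iputils `ping -M do` on Linux or `ping -f -l` on Windows, and `simulated_probe` is a constructed stand-in so the search runs offline.

```python
import platform
import subprocess
from typing import Callable

IP_HEADER = 20    # IPv4 header bytes
ICMP_HEADER = 8   # ICMP echo header bytes; ping payload + 28 == packet on the wire

def probe_with_ping(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo of `payload` bytes with Don't Fragment set.
    True means a reply came back, i.e. the packet fit the whole path."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), "-w", str(timeout_s * 1000), host]
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        return "TTL=" in out          # only a real echo reply line carries TTL=
    # iputils ping (Linux); macOS spells Don't Fragment as -D instead of -M do
    cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0

def largest_unfragmented_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload that `probe` accepts. Assumes the
    outcome is monotonic: sizes below the path limit pass, sizes above fail."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # fits, search upward
        else:
            hi = mid - 1    # needs fragmentation, search downward
    return lo

def path_mtu(probe: Callable[[int], bool], max_payload: int = 1472) -> int:
    """Path MTU in bytes = largest passing payload + IP and ICMP headers."""
    return largest_unfragmented_payload(probe, 0, max_payload) + IP_HEADER + ICMP_HEADER

def simulated_probe(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a link with the given MTU, so the search can be
    exercised offline; swap in probe_with_ping for a live test."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= mtu

if __name__ == "__main__":
    # Constructed runs: a plain 1500-byte Ethernet path and a PPPoE-style 1492 path.
    for mtu in (1500, 1492):
        print(f"simulated link MTU {mtu}: probe finds {path_mtu(simulated_probe(mtu))}")
    # Live run (needs network): path_mtu(lambda n: probe_with_ping("www.example.com", n))
```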
 
woolnoirCommented:
did you check the routing ?
 
kim2vpAuthor Commented:
> Have you checked the Event ID log for why the disconnect occurred?

One unique user is getting this as a reason:

The user liz connected from 174.57.56.52 but failed an authentication attempt due to the following reason: The user attempted to use an authentication method that is not enabled on the matching remote access policy.

The account for user \liz connected on port VPN4-127 does not have Remote Access privilege.  The line has been disconnected.

They have the same privileges they have always had and when I check the Active Directory user they have remote access permissions.

Another gets this one:

The following error occurred in the Point to Point Protocol module on port: VPN4-125, UserName: POS\nicole. The remote computer does not support the required data encryption type.

What's odd is if they try to get right back in it might work the next time.

For the ones getting kicked off after XX amount of time I see nothing in the server event log (or don't know where to look).
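A small triage script over the RRAS messages kim2vp quoted above, as an added example that is not from the thread: it pulls the user and port out of each message and buckets it by failure type, so repeated intermittent failures for one account stand out. The sample lines are the three quoted above plus one constructed healthy line; the category names and the "check first" hints are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the three RRAS message texts quoted in this thread plus
# one constructed healthy line, as they appear in the System log message body.
SAMPLE_MESSAGES = [
    "The user liz connected from 174.57.56.52 but failed an authentication attempt "
    "due to the following reason: The user attempted to use an authentication method "
    "that is not enabled on the matching remote access policy.",
    "The account for user \\liz connected on port VPN4-127 does not have Remote Access "
    "privilege.  The line has been disconnected.",
    "The following error occurred in the Point to Point Protocol module on port: "
    "VPN4-125, UserName: POS\\nicole. The remote computer does not support the "
    "required data encryption type.",
    "The user POS\\bob connected on port VPN4-120 and disconnected.",  # constructed
]

# (pattern in the message text, category, server-side setting to compare first)
RULES = [
    (re.compile(r"authentication method that is not enabled on the matching remote access policy", re.I),
     "auth-method-not-in-policy",
     "authentication methods enabled on the remote access policy that matched"),
    (re.compile(r"does not have Remote Access privilege", re.I),
     "remote-access-denied",
     "dial-in permission on the account and the policy order/conditions"),
    (re.compile(r"does not support the required data encryption type", re.I),
     "encryption-mismatch",
     "encryption level the policy requires vs. what the client offers"),
]
USER_RE = re.compile(r"(?:UserName:|\buser)\s+([^\s,.]+)", re.I)
PORT_RE = re.compile(r"\bport:?\s+([\w-]+)", re.I)

def classify(message: str) -> dict:
    """Pull user, port and failure category out of one RRAS message text."""
    user = USER_RE.search(message)
    port = PORT_RE.search(message)
    category, hint = "other", "no rule matched; read the full event"
    for pattern, cat, h in RULES:
        if pattern.search(message):
            category, hint = cat, h
            break
    return {"user": user.group(1) if user else None,
            "port": port.group(1) if port else None, "category": category, "hint": hint}

def triage(messages):
    """Classify every message and count failures per (user, category)."""
    rows = [classify(m) for m in messages]
    counts = Counter((r["user"], r["category"]) for r in rows if r["category"] != "other")
    return rows, counts
```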
 
kim2vpAuthor Commented:
>did you check the routing ?

I have no idea how to check the routing.

If I run tracert to www.google.com here is what I get:

Tracing route to www.l.google.com [173.194.36.104]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  207.138.153.97
  2     3 ms     1 ms     1 ms  vlan411.asr1.wdc2.gblx.net [64.208.158.221]
  3    86 ms    78 ms    78 ms  74.125.51.229
  4    77 ms    77 ms    91 ms  216.239.48.108
  5    87 ms    77 ms    82 ms  209.85.249.10
  6    98 ms    77 ms    78 ms  209.85.250.55
  7    77 ms    77 ms    79 ms  209.85.251.62
  8    77 ms    77 ms    77 ms  lhr14s01-in-f104.1e100.net [173.194.36.104]

Trace complete.

C:\Users\kim>
 
kim2vpAuthor Commented:
I have asked Global Crossing to test the line and they report ZERO issues on their end.  I also do a test from home where I ping yahoo.com with a small packet to see if I am missing any replies when I get booted from the VPN and it's always clear on the ping replies.

> The first thing to check is if the line is the issue causing the instability. The best way is either to set up a ping test yourself - or get the ISP to run a physical-level test of the line (which could, depending on the tests, mean some downtime).

> Once you have an idea of the stability of the line you can start looking at other issues - it could be a hop in between causing the issue; just because the IP address is the same doesn't mean the traffic is taking the same route between the fibre and your users ... in fact it could be something at any point in between causing the issues, so take it step by step.
 
Ron MalmsteadInformation Services ManagerCommented:
I actually had this EXACT same problem and I'm sorry to inform you ...but the Sonicwall TZ170/160 series cannot handle the amount of bandwidth available.

The CPU/Memory gets tanked.

You need to upgrade your firewall to get the true bandwidth, and a stable use of your fiber connection.
 
Ron MalmsteadInformation Services ManagerCommented:
...Here's a simple test..

Plug a laptop into the switch port your fiber is delivered on.... set your IP address as if it were the same as your WAN interface on your firewall...

Now run bandwidth test, and any other test you want... I guarantee it works like a champ.


In the meantime...while you are waiting for your new firewall to arrive by mail....

You can mess with the egress/ingress bandwidth management... and that will help you reduce fragmented packets while still having somewhat better performance than what you had before on the 1.5.

However, if you are using this VPN for any kind of VoIP connection, then you will continue to have problems until your new hardware arrives.
 
kim2vpAuthor Commented:
> I actually had this EXACT same problem and I'm sorry to inform you ...but the Sonicwall TZ170/160 series cannot handle the amount of bandwidth available. The CPU/Memory gets tanked.  You need to upgrade your firewall to get the true bandwidth, and a stable use of your fiber connection.

I'm upgrading the sonicwall but I checked the CPU usage for the last 30 days and it's pretty low.  Is there somewhere on the sonicwall I can look and see errors or indications that the memory is tanking?

Thanks.
sonicwall-cpu.JPG
 
kim2vpAuthor Commented:
Here is my bandwidth from behind the sonicwall:

Last Result:
Download Speed: 9694 kbps (1211.8 KB/sec transfer rate)
Upload Speed: 4334 kbps (541.8 KB/sec transfer rate)

And then plugged directly into the WAN port so no other traffic:

Last Result:
Download Speed: 10510 kbps (1313.8 KB/sec transfer rate)
Upload Speed: 5557 kbps (694.6 KB/sec transfer rate)
 
kim2vpAuthor Commented:
Well I replaced my Sonicwall 170 with a brand new Sonicwall NSA 240 and the same users who were getting kicked off the VPN with the old system after a few minutes, are still getting kicked off the VPN.  Replacing the firewall did not do anything to fix the issue.

Anyone have any other ideas?

Thanks.
 
digitapCommented:
I was involved in a question the other day and someone suggested changing a security services setting.  Go to Security Services > Summary and scroll down to the security services section.  You can change the scanning behavior to be optimized.  Apparently this can have a large effect on the bandwidth.

Also, now that the new sonicwall is in place, you might review my original post, http:#a33612256, in your question and confirm the duplex/speed and MTU.

 
kim2vpAuthor Commented:
I made the change to the sonicwall (Security Services > Summary, scroll down to the security services section, change the scanning behavior to be optimized), had the user log back in and had the same issues - he disconnects after 2 minutes - event IDs 20158 and 20159.

I previously checked the MTU settings and they are set to 1500 which is correct.
 
digitapCommented:
Would you be willing to test something?  Would you be willing to use the Sonicwall Global VPN Client as a test to see if the issue is at the sonicwall or the server?
 
Ron MalmsteadInformation Services ManagerCommented:
...have you ruled out the possibility that they have their own set of issues on the machines they are connecting from?

The thing about VPN users... you cannot control what they do to their own machines.
If you have some vpn users that never have problems, and then a few who always have problems, it would be logical to assume those problems are unique to the user and not a network issue.

confirm ?
 
Ron MalmsteadInformation Services ManagerCommented:
digitap makes a good point too.
You must rule out the server being the issue in all of this.
 
kim2vpAuthor Commented:
I'm downloading and installing the Global Client on a computer right now.  I'm not positive the sonicwall is set up to use the Global Client; how would I check that?
 
digitapCommented:
Here is a KB on how to configure this on the sonicwall.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7507
 
Ron MalmsteadInformation Services ManagerCommented:
...Another thing.

What about equipment that your sonicwall plugs into ?

Is it a Cisco Catalyst switch possibly?
....If so, there are issues I've seen with Spanning Tree Protocol/PortFast on the Cisco switches causing trouble with Sonicwall firewalls.

See what i'm talking about here:  http://www.sonicwall.com/us/support/2134_3113.html

If your sonicwall plugs into a switch that is the fiber delivery... you may want to pass the above doc on to your ISP so they can verify the port configuration.
 
digitapCommented:
@xuser :: great info!  I don't think I've ever run across this before.
 
kim2vpAuthor Commented:
>If you have some vpn users that never have problems, and then a few who always have problems,
>it would be logical to assume those problems are unique to the user and not a network issue.

Assuming the problem is with the users, what would I look at on the end user computer to figure out the solution?  These are laptops we provide so I don't think the users are screwing anything up on them.

We have one user that can connect fine at the remote office but gets kicked off at home, so I figured it MUST be his home router, so we replaced it with a router I used at home that was fine on the VPN. He got it and hooked it up and STILL has the same issue with getting booted off.

 
kim2vpAuthor Commented:
It plugs into a Cisco 1841.
 
Ron MalmsteadInformation Services ManagerCommented:
"We have one user that can connect fine at the remote office but gets kicked off at home, so I figured it MUST be his home router, so we replaced it with a router I used at home that was fine on the VPN. He got it and hooked it up and STILL has the same issue with getting booted off."


I would have made the exact same assumption.  His connection, his router, or "other" on his end.

Spyware is always the first thing I check...notorious for causing all sorts of strange behaviour.

...also, I don't always have the best of luck mixing router brands/models when creating hardware VPNs.
However, the sonicwall global vpn client that Digitap mentioned above has always been very stable for me, even for VOIP connections.

" These are laptops we provide so I don't think the users are screwing anything up on them"...

OH, never assume that...  users are not to be trusted. EVER !..lol
 
kim2vpAuthor Commented:
I'm trying the Global VPN Client but it stops at "acquiring ip".
 
digitapCommented:
Have you configured the DHCP over VPN settings?  You either need to specify an internal Windows (assuming Windows) DHCP server or use the sonicwall.
 
kim2vpAuthor Commented:
I have the DHCP over VPN set to just forward requests to the Microsoft DHCP server; the Global Client still just sits at the acquiring an IP stop.
 
kim2vpAuthor Commented:
The test machine is finally connected; it is super slow though.
 
kim2vpAuthor Commented:
Connection speed of Global VPN:

0.47 Mbps
0.01 Mbps up
 
digitapCommented:
Yikes...that does seem slow.  I'm really thinking that xuser may be onto something.  If connectivity is THAT slow for the GVC, it may be affecting the connectivity of your Windows VPN connections.  What do you think?  Seem logical?
 
kim2vpAuthor Commented:
Getting to the regular VPN is not that bad.
 
Ron MalmsteadInformation Services ManagerCommented:
I have sonicwall global vpn as well.... and when I connect from home... it's almost instantaneous.  ZERO delay...

I would say there is something going on with his machine.
Before you go any further troubleshooting network stuff, I would try changing out his machine.
