Solved

New Fiber Line making VPN unstable

Posted on 2010-09-06
Last Modified: 2012-05-10
We recently upgraded from a T-1 line (1.5mb) to a fiber line (10mb) with the same ISP and kept our same IP address.  Since the upgrade about 1/3 have seen speed improvements, 1/3 see no change and 1/3 are getting booted off anywhere from 2-3 up to 20 minutes after connecting.  I'm connected right now from home and while I'm copying files off the server to test, I find that after about 20 minutes I'm disconnected.  I've not changed anything at home and before we upgraded the office the VPN would allow me to stay connected without a glitch for days.  I had a remote user connect on Friday to the VPN and she is still connected despite not touching her computer all weekend.  I have a user that can connect from his remote office and stay connected but when he takes his laptop home and connects he gets kicked off after 2-3 minutes.  Any ideas where I can start looking to fix this issue?  Thanks.

I'm running Windows Server 2003 behind a Sonicwall 170 firewall and have the VPN on the server.  I'm connecting from home using Windows 7 but all other users have XP SP3.
Question by:kim2vp
35 Comments
 
LVL 33

Expert Comment

by:digitap
Confirm the speed/duplex of the WAN interface.  Also, since your bandwidth changed, so your MTU size changed.  Follow the steps in my article to calculate the MTU of your WAN interface and change it accordingly.  Let me know how you get along.

http://www.experts-exchange.com/viewArticle.jsp?aid=3110

My bet is on the speed/duplex setting.  Try all the combinations: 100MB/Full; 10MB/Half...etc.
0
 
LVL 20

Expert Comment

by:woolnoir
The first thing to check is if the line is the issue causing the instability. The best way is to either set up a ping test yourself - or get the ISP to run a physical level test of the line (which could, depending on the tests, mean some downtime).

Once you have an idea on the stability of the line you can start looking at other issues - it could be a hop in between causing the issue, just because the IP address is the same doesn't mean the traffic is taking the same route between the fibre and your users ... in fact it could be something at any point in between causing the issues so take it step by step.
0
 
LVL 6

Expert Comment

by:theonlyallan
Have you checked the Event ID log of why the disconnect occurred?
0
 

Author Comment

by:kim2vp
Sorry for the delayed response.

Using the guide below at the link my MTU should be 1500.  I was able to ping at 1472 before getting a message about fragmented packets.  My sonicwall is already set to 1500 and the setting for speed is currently 100 Mbps, half duplex - I have it set to auto negotiate.

Should I force it to something else? Thanks.

>Confirm the speed/duplex of the WAN interface.  Also, since your bandwidth changed, so your MTU size changed.  Follow the steps in my article to calculate the MTU of your WAN interface and change it accordingly.  Let me know how you get along.

>http://www.experts-exchange.com/viewArticle.jsp?aid=3110

0
 
LVL 20

Expert Comment

by:woolnoir
Did you check the routing?
0
 

Author Comment

by:kim2vp
>Have you checked the Event ID log of why the disconnect occurred?

One unique user is getting this as a reason:

The user liz connected from 174.57.56.52 but failed an authentication attempt due to the following reason: The user attempted to use an authentication method that is not enabled on the matching remote access policy.

The account for user \liz connected on port VPN4-127 does not have Remote Access privilege.  The line has been disconnected.

They have the same privileges they have always had and when I check the Active Directory user they have remote access permissions.

Another gets this one:

The following error occurred in the Point to Point Protocol module on port: VPN4-125, UserName: POS\nicole. The remote computer does not support the required data encryption type.

What's odd is if they try to get right back in it might work the next time.

For the ones getting kicked off after XX amount of time I see nothing in the server event log (or don't know where to look).
0
 

Author Comment

by:kim2vp
>did you check the routing ?

I have no idea how to check the routing.

If I run tracert to www.google.com here is what I get:

Tracing route to www.l.google.com [173.194.36.104]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  207.138.153.97
  2     3 ms     1 ms     1 ms  vlan411.asr1.wdc2.gblx.net [64.208.158.221]
  3    86 ms    78 ms    78 ms  74.125.51.229
  4    77 ms    77 ms    91 ms  216.239.48.108
  5    87 ms    77 ms    82 ms  209.85.249.10
  6    98 ms    77 ms    78 ms  209.85.250.55
  7    77 ms    77 ms    79 ms  209.85.251.62
  8    77 ms    77 ms    77 ms  lhr14s01-in-f104.1e100.net [173.194.36.104]

Trace complete.

C:\Users\kim>
0
 

Author Comment

by:kim2vp
I have asked Global Crossing to test the line and they report ZERO issues on their end.  I also do a test from home where I ping yahoo.com with a small packet to see if I am missing any replies when I get booted from the VPN and it's always clear on the ping replies.

>The first thing to check is if the line is the issue causing the instability. The best way is to either set up a ping test yourself - or get the ISP to run a physical level test of the line (which could, depending on the tests, mean some downtime).

>Once you have an idea on the stability of the line you can start looking at other issues - it could be a hop in between causing the issue, just because the IP address is the same doesn't mean the traffic is taking the same route between the fibre and your users ... in fact it could be something at any point in between causing the issues so take it step by step.
0
 
LVL 25

Accepted Solution

by:
Ron M earned 100 total points
I actually had this EXACT same problem and I'm sorry to inform you ...but the Sonicwall TZ170/160 series cannot handle the amount of bandwidth available.

The CPU/Memory gets tanked.

You need to upgrade your firewall to get the true bandwidth, and a stable use of your fiber connection.
0
 
LVL 25

Expert Comment

by:Ron M
...Here's a simple test..

Plug a laptop into the switch port your fiber is delivered on.... set your IP address as if it were the same as your WAN interface on your firewall...

Now run bandwidth test, and any other test you want... I guarantee it works like a champ.


In the meantime...while you are waiting for your new firewall to arrive by mail....

You can mess with the egress ingress bandwidth management... and that will help you reduce fragmented packets while still having somewhat better performance than what you had before on the 1.5

However, if you are using this vpn for any kind of voip connection, then you will continue to have problems until your new hardware arrives.
0
 

Author Comment

by:kim2vp
>I actually had this EXACT same problem and I'm sorry to inform you ...but the Sonicwall TZ170/160 series cannot handle the amount of bandwidth available. The CPU/Memory gets tanked.  You need to upgrade your firewall to get the true bandwidth, and a stable use of your fiber connection.

I'm upgrading the sonicwall but I checked the CPU usage for the last 30 days and it's pretty low.  Is there somewhere on the sonicwall I can look and see errors or indications that the memory is tanking?

Thanks.
sonicwall-cpu.JPG
0
 

Author Comment

by:kim2vp
Here is my bandwidth from behind the sonicwall:

Last Result:
Download Speed: 9694 kbps (1211.8 KB/sec transfer rate)
Upload Speed: 4334 kbps (541.8 KB/sec transfer rate)

And then plugged directly into the WAN port so no other traffic

Last Result:
Download Speed: 10510 kbps (1313.8 KB/sec transfer rate)
Upload Speed: 5557 kbps (694.6 KB/sec transfer rate)
0
 

Author Comment

by:kim2vp
Well I replaced my Sonicwall 170 with a brand new Sonicwall NSA 240 and the same users who were getting kicked off the VPN with the old system after a few minutes, are still getting kicked off the VPN.  Replacing the firewall did not do anything to fix the issue.

Anyone have any other ideas?

Thanks.
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 400 total points
i was involved in a question the other day and someone suggested changing a security services setting.  go to security services > summary and scroll down to the security services section.  you can change the scanning behavior to be optimized.  apparently this can have a large effect on the bandwidth.

also, now that the new sonicwall is in place, you might review my original post, http:#a33612256, in your question and confirm the duplex/speed and MTU.

0
 

Author Comment

by:kim2vp
I made the change to the sonicwall (security services > summary and scroll down to the security services section.  you can change the scanning behavior to be optimized), had the user log back in and had the same issues - he disconnects after 2 minutes - event IDs 20158 and 20159

I previously checked the MTU settings and they are set to 1500 which is correct.
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 400 total points
would you be willing to test something?  would you be willing to use the sonicwall global vpn client as a test to see if the issue is at the sonicwall or the server?
0

 
LVL 25

Expert Comment

by:Ron M
...have you ruled out the possibility that they have their own set of issues on the machines they are connecting from?

The thing about VPN users... you cannot control what they do to their own machines.
If you have some vpn users that never have problems, and then a few who always have problems, it would be logical to assume those problems are unique to the user and not a network issue.

confirm ?
0
 
LVL 25

Expert Comment

by:Ron M
digitap makes a good point too.
You must rule out the server being the issue in all of this.
0
 

Author Comment

by:kim2vp
I'm downloading and installing the global client on a computer right now.  I'm not positive the sonicwall is set up to use global client, how would I check that?
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 400 total points
here is a KB on how to configure this on the sonicwall.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7507
0
 
LVL 25

Expert Comment

by:Ron M
...Another thing.

What about equipment that your sonicwall plugs into?

Is it a Cisco Catalyst switch possibly?
....If so there are issues I've seen with Spanning tree protocol/portfast, on the Cisco switches causing trouble with sonicwall firewalls.

See what I'm talking about here:  http://www.sonicwall.com/us/support/2134_3113.html

If your sonicwall plugs into a switch that is the fiber delivery... you may want to pass the above doc on to your ISP so they can verify the port configuration.
0
 
LVL 33

Expert Comment

by:digitap
@xuser :: great info!  i don't think i've ever run across this before.
0
 

Author Comment

by:kim2vp
>If you have some vpn users that never have problems, and then a few who always have problems,
>it would be logical to assume those problems are unique to the user and not a network issue.

Assuming the problem is with the users what would I look at on the end user computer to figure out the solution?  These are laptops we provide so I don't think the users are screwing anything up on them.

We have one user that can connect fine at the remote office but gets kicked off at home so I figured it MUST be his home router so we replaced it with a router I used at home that was fine on the vpn. He got it and hooked it up and STILL has the same issue with getting booted off.

0
 

Author Comment

by:kim2vp
It plugs into a Cisco 1841.
0
 
LVL 25

Expert Comment

by:Ron M
"We have one user that can connect fine at the remote office but gets kicked off at home so I figured it MUST be his home router so we replaced it with a router I used at home that was fine on the vpn. He got it and hooked it up and STILL has the same issue with getting booted off."


I would have made the exact same assumption.  His connection, his router, or "other" on his end.

Spyware is always the first thing I check...notorious for causing all sorts of strange behaviour.

...also, I don't always have the best of luck mixing router brands/models, when creating hardware VPNs.
However, the sonicwall global vpn client that Digitap mentioned above has always been very stable for me, even for VOIP connections.

" These are laptops we provide so I don't think the users are screwing anything up on them"...

OH, never assume that...  users are not to be trusted. EVER !..lol
0
 

Author Comment

by:kim2vp
I'm trying the global vpn client but it stops at "acquiring ip"
0
 
LVL 33

Expert Comment

by:digitap
have you configured the dhcp over vpn settings?  you either need to specify an internal Windows (assuming Windows) DHCP server or use the sonicwall.
0
 

Author Comment

by:kim2vp
I have the dhcp over vpn set to just forward requests to the microsoft dhcp server, the global client still just sits at the acquiring an ip stop.
0
 

Author Comment

by:kim2vp
the test machine is finally connected, it is super slow though.
0
 

Author Comment

by:kim2vp
Connection speed of Global VPN:

 .47 Mbps
 .01 Mbps up
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 400 total points
yikes...that does seem slow.  i'm really thinking that xuser may be onto something.  if connectivity is THAT slow for the GVC, it may be affecting the connectivity of your Windows VPN connections.  what do you think?  seem logical?
0
 

Author Comment

by:kim2vp
Getting to the regular VPN is not that bad.
0
 
LVL 25

Expert Comment

by:Ron M
I have sonicwall global vpn as well.... and when I connect from home... it's almost instantaneous.  ZERO delay...

I would say there is something going on with his machine.
Before you go any further troubleshooting network stuff, I would try changing out his machine.

0
