Solved

Issue with dropped packets between remote sites

Posted on 2011-02-24
10
384 Views
Last Modified: 2012-05-11
My current setup is a 2-site organization with 2 separate subnets. At the corporate office we have 2 ISPs; one is hooked up through a SonicWall NSA3500, which routes internet traffic and other rules like VPN, OWA and Exchange to an ISA server. Our clients then have the proxy set to look at ISA to get out to the internet.

The 2nd ISP is hooked directly into an Edgemarc, which has a VPN tunnel established to our remote site. The gateway for my client PCs is set to the IP address of the on-site Edgemarc at each location.

The issue is, when I begin to copy a file, I get timeouts on each PC when doing pings during the file transfer. There is a noticeable pause in my remote connection, similar to if you unplug the network cable to a PC you're remoted into and plug it back in real quick. After this little hiccup, it continues to transfer the file and completes.

Should my gateway be the Edgemarc? I'm being asked why the gateway isn't the switch, and as long as I can remember you always used your router to route traffic to IP addresses on a different subnet. We have tried replacing modems at each end, network cables, and swapping Edgemarc hardware. It just appears to be an issue with routing, but I can't determine my next troubleshooting step.

Your advice is appreciated! Thanks!
Question by: jmchristy

10 Comments
LVL 21 Expert Comment by: Rick_O_Shay
Your gateway should usually be whatever router is nearest to the clients and is in as direct a path as possible to their destinations. You don't want to hop back and forth between routers because the gateway isn't the most direct route to where you are going.

You are most likely going to lose some packets when you go across a WAN of any kind. Therefore you need to use applications and protocols that do upper-layer checking to make your transfers work around those glitches.

You can look at the error counters for the various circuits to see if they are taking any detectable errors that might be fixed, or at least diagnosed with the vendor, once you can see where they are; but if they are happening outside of your control, like somewhere in the WAN or Internet, you won't be able to see them.

If you do a Wireshark capture from a client PC, and maybe then move it to mirror the router's port, you might get a better idea of what is breaking down.
0
Author Comment by: jmchristy
I'll give that Wireshark a try, and see if I can see anything.

How about my gateway? No issues with my gateway setup? It shouldn't be my switch stack or ISA?
0
LVL 21 Accepted Solution by: Rick_O_Shay (earned 500 total points)
If I'm reading you right, you have two routers, one of which is the default gateway for the local clients.

Anything that needs to go out the other router is going to have to be routed from your gateway to that router and then out, unless redirects are in use, in which case the gateway would alert the client to the better route that is available via the other router. Some stuff ignores the redirects and just continues to use the default gateway and the extra hop anyway.

If you have a layer 3 switch with routing enabled between the clients and both routers, then you could make it the default gateway and it would route directly to router A or B to get to the remote destinations.
0
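The routing point in the accepted answer, as an added example that is not part of the thread: a small Python forwarding-path simulator over two constructed topologies (every device name and address is an assumption), showing the extra router-to-router hop on a flat LAN, which is what an ICMP redirect would try to remove, against the direct path once a layer 3 switch holding a route to each router is the gateway.

```python
import ipaddress

# Constructed topologies; every name and address here is an assumption. Device entry:
# (interface addresses, routing table of (prefix, next hop)); next hop None means
# directly connected, a non-IP string names an exit link (WAN or VPN).
# FLAT: clients and both routers on one LAN; the Edgemarc (.2) is the default gateway
# and holds the VPN to the remote site, the Sonicwall (.1) the other Internet link.
FLAT = {
    "client":    (["192.168.1.50"], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.2")]),
    "edgemarc":  (["192.168.1.2"], [("192.168.1.0/24", None), ("192.168.2.0/24", "VPN"),
                                    ("0.0.0.0/0", "192.168.1.1")]),
    "sonicwall": (["192.168.1.1"], [("192.168.1.0/24", None), ("0.0.0.0/0", "ISP-A")]),
}
# L3SWITCH: the accepted answer's design, a routing switch between the client VLAN
# and a transit VLAN holding both routers, with a route pointing at each router.
L3SWITCH = {
    "client":    (["192.168.1.50"], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.254")]),
    "switch":    (["192.168.1.254", "10.0.0.254"],
                  [("192.168.1.0/24", None), ("10.0.0.0/24", None),
                   ("192.168.2.0/24", "10.0.0.2"), ("0.0.0.0/0", "10.0.0.1")]),
    "edgemarc":  (["10.0.0.2"], [("10.0.0.0/24", None), ("192.168.2.0/24", "VPN")]),
    "sonicwall": (["10.0.0.1"], [("10.0.0.0/24", None), ("0.0.0.0/0", "ISP-A")]),
}

def lookup(topo, dev, dst):
    """Longest-prefix match on dev's table; returns (prefix, next hop)."""
    best = None
    for prefix, nh in topo[dev][1]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def owner(topo, addr):  # device holding interface addr, or None if addr is an exit link
    return next((n for n, (ifs, _) in topo.items() if addr in ifs), None)

def trace(topo, src, dst):
    """Forwarding path from src to dst as (hops, hairpins). A hairpin is a router
    forwarding back onto the subnet the packet arrived on: the extra hop an ICMP
    redirect would tell the client to skip, and that some hosts ignore."""
    dst = ipaddress.ip_address(dst)
    hops, dev, link, hairpins = [src], src, None, 0
    for _ in range(16):                         # bounded in case a table loops
        net, nh = lookup(topo, dev, dst)
        if nh is None:                          # on-link: delivered
            return hops + [str(dst)], hairpins
        nxt = owner(topo, nh)
        if nxt is None:                         # leaves via a WAN or VPN link
            return hops + [nh], hairpins
        nh_ip = ipaddress.ip_address(nh)
        if link is not None and nh_ip in link:
            hairpins += 1
        link = lookup(topo, dev, nh_ip)[0]      # subnet the packet goes out on
        dev = nxt
        hops.append(dev)
    raise RuntimeError("routing loop")
```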
LVL 33 Expert Comment by: digitap
I agree with Rick regarding the routing. It would be best to have a layer 3 switch routing traffic to one or the other, or to let one of your firewalls do the routing.
0
Author Comment by: jmchristy
Thanks for the advice!
0
LVL 33 Expert Comment by: digitap
You're welcome.
0
Author Comment by: jmchristy
I'd like to follow up on this with another question.

Since we switched from our Cisco point-to-point T1s to the Edgemarc as our gateway, all users who have that as their default gateway can now get right out to the internet. We set the users' proxy in IE to force them to use the proxy, so we can apply our security policies with the GFI WebMonitor package.

The question I have is: is it normal practice to have end users' PCs access the internet directly? We have policies in place to restrict .EXEs that aren't approved, and to force users to use a proxy. I just wasn't sure if there are any other risks that I'm not aware of.

With the users' default gateway being the point-to-point T1s before, if they didn't have a proxy specified they couldn't get out to the internet, because the T1s had no internet access.
0
LVL 33 Expert Comment by: digitap
I think it's just a matter of preference. I deploy SonicWall appliances with the ViewPoint server. I depend on the SonicWall security services and ViewPoint to keep my users safe. I have clients that needed some extra work, so I added a proxy to generate "white list" type access to the internet. In that case, we didn't trust the users to make the good judgment call.

It sounds as if your Cisco may have been routing traffic according to your current Internet policy. Maybe it had an access rule that would only let the proxy server out the WAN interface to the internet. Perhaps this is something to consider with your Edgemarc. This would help you curtail someone having internet access outside your policies.
0
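The access-rule idea in the comment above, as an added Python example that is not part of the thread (the subnet, proxy address, probe address and rule sets are constructed assumptions): a first-match rule evaluator with the permissive policy beside a hardened one that lets only the proxy out to the Internet, plus an audit function that lists the LAN hosts still able to reach the Internet without going through the proxy.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Set

# Constructed values for this example (assumptions, not the poster's network):
# LAN 192.168.1.0/24, ISA proxy at 192.168.1.10, remote site 192.168.2.0/24.
LAN, PROXY, REMOTE = "192.168.1.0/24", "192.168.1.10", "192.168.2.0/24"
INTERNET_PROBE = "203.0.113.10"   # documentation-range address standing in for the Internet

class Rule(NamedTuple):
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None = any TCP port
    action: str           # "allow" or "deny"

def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation with an implicit final deny, as edge firewalls do."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action
    return "deny"

# Weak policy: the whole LAN may reach anything, so a user who unticks the proxy
# box in the browser bypasses web monitoring entirely.
WEAK = [Rule(LAN, "0.0.0.0/0", None, "allow")]

# Hardened policy in the spirit of the comment above: only the proxy may reach the
# Internet, the LAN keeps its access to the remote site over the VPN, and every
# other LAN-to-Internet flow is dropped. Order matters: the deny comes last.
HARDENED = [
    Rule(LAN, REMOTE, None, "allow"),                # site-to-site over the VPN
    Rule(f"{PROXY}/32", "0.0.0.0/0", 80, "allow"),   # the proxy's own web fetches
    Rule(f"{PROXY}/32", "0.0.0.0/0", 443, "allow"),
    Rule(LAN, "0.0.0.0/0", None, "deny"),            # everyone else: no direct egress
]

def unmonitored_egress(rules: List[Rule]) -> Set[str]:
    """Audit: LAN addresses other than the proxy that could open a direct HTTP
    connection to the Internet, i.e. hosts able to sidestep the proxy policy."""
    return {str(h) for h in ipaddress.ip_network(LAN).hosts()
            if str(h) != PROXY and first_match(rules, str(h), INTERNET_PROBE, 80) == "allow"}
```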
Author Comment by: jmchristy
The Cisco was routing all traffic over a T1 and terminating at another T1, which was another Cisco router that had no internet access. So traffic would go over the T1s and not know how to resolve; that was kind of our way of forcing internet users to always have that check box checked in IE.

Appreciate the feedback.
0
LVL 33 Expert Comment by: digitap
I see, that makes sense. Sure, if anything else comes up, post back.
0