• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 393

Issue with dropped packets between remote sites

My current setup is a 2-site organization, with 2 separate subnets. At the corporate office we have 2 ISPs; one is hooked up through a Sonicwall NSA3500, which routes internet traffic and other rules like VPN, OWA, and Exchange to an ISA server. Our clients then have the proxy set to look at ISA to get out to the internet.

The 2nd ISP is hooked directly into an Edgemarc, which has a VPN tunnel established to our remote site. The gateway for my client PCs is set to the IP address of the on-site Edgemarc at each location.

The issue is when I begin to copy a file, I get time outs on each PC when doing pings during the file transfer. There is a noticeable pause in my remote connection, similar to if you unplug the network cable to a PC you're remoted into and plug it back in real quick. After this little hiccup, it continues to transfer the file and completes.

Should my gateway be the Edgemarc?  I'm being asked why the gateway isn't the switch, and as long as I can remember you always used your router to route traffic to IP addresses on a different subnet.  We have tried replacing modems at each end, network cables, and swapping Edgemarc hardware.  It just appears to be an issue with routing, but I can't determine my next troubleshooting step.

Your advice is appreciated! Thanks!
0
Asked: jmchristy

1 Solution
 
Rick_O_Shay commented:
Your gateway should usually be whatever router is nearest to the clients and is in as direct a path as possible to their destinations. You don't want to hop back and forth between routers because the gateway isn't the most direct route to where you are going.

You are most likely going to lose some packets when you go across a WAN of any kind. Therefore you need to use applications and protocols that do upper layer checking to make your transfers work around those glitches.

You can look at the error counters for the various circuits to see if they are taking any detectable errors that might be fixed, or at least diagnosed with the vendor once you can see where they are. But if they are happening outside of your control, like somewhere in the WAN or Internet, you won't be able to see them.

If you do a Wireshark capture from a client PC and maybe then move it to mirror the router's port you might get a better idea of what is breaking down.
0
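The answer above suggests quantifying the loss before reaching for Wireshark. The following is an added example, not code from the thread: it parses the output of a Windows `ping -t` left running during a file copy and reports the loss percentage, the worst round-trip time, and every run of consecutive timeouts. The sample output is constructed for the example; the remote address 192.168.20.10 and the RTT values are assumptions, not the poster's data.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Windows "ping -t" output captured while a large file
# copy is running. These lines are made up for the example; they are not the
# original poster's data.
SAMPLE_PING = """\
Reply from 192.168.20.10: bytes=32 time=28ms TTL=126
Reply from 192.168.20.10: bytes=32 time=31ms TTL=126
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.20.10: bytes=32 time=412ms TTL=126
Reply from 192.168.20.10: bytes=32 time=30ms TTL=126
Request timed out.
Reply from 192.168.20.10: bytes=32 time=29ms TTL=126
"""

# "time=28ms" for normal replies, "time<1ms" for sub-millisecond ones
REPLY_RE = re.compile(r"^Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=(\d+)$")
TIMEOUT_RE = re.compile(r"^Request timed out\.$")


@dataclass
class PingSummary:
    sent: int = 0
    lost: int = 0
    max_rtt_ms: int = 0
    # (index of the first lost probe, number of consecutive timeouts) per outage
    outages: list = field(default_factory=list)

    @property
    def loss_pct(self):
        return 100.0 * self.lost / self.sent if self.sent else 0.0

    @property
    def longest_outage(self):
        return max((n for _, n in self.outages), default=0)


def summarize_ping(text):
    """Parse ping output and report loss, worst RTT and each run of timeouts.

    A run of consecutive timeouts is what the poster sees as the RDP
    "hiccup". Isolated single losses across a WAN are ordinary; multi-probe
    runs that line up with the start of a transfer are worth chasing."""
    s = PingSummary()
    run_start = None
    for line in text.splitlines():
        line = line.strip()
        m = REPLY_RE.match(line)
        if m:
            s.sent += 1
            s.max_rtt_ms = max(s.max_rtt_ms, int(m.group(2)))
            if run_start is not None:            # a reply closes the outage
                s.outages.append((run_start, s.sent - 1 - run_start))
                run_start = None
        elif TIMEOUT_RE.match(line):
            if run_start is None:
                run_start = s.sent
            s.sent += 1
            s.lost += 1
        # any other line (header, summary, blank) is ignored
    if run_start is not None:                    # capture ended inside an outage
        s.outages.append((run_start, s.sent - run_start))
    return s


if __name__ == "__main__":
    s = summarize_ping(SAMPLE_PING)
    print(f"sent={s.sent} lost={s.lost} loss={s.loss_pct:.1f}% "
          f"max_rtt={s.max_rtt_ms}ms longest_outage={s.longest_outage} probes")
    for start, n in s.outages:
        print(f"  outage: probes {start}-{start + n - 1} ({n} consecutive timeouts)")
```

Run the same parser against pings to the local Edgemarc, to the far-side Edgemarc, and to a host behind it; the hop where the outage first appears is the one to capture on.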
 
jmchristy (Author) commented:
I'll give that Wireshark a try, and see if I can see anything.

How about my gateway? No issues with my gateway setup? It shouldn't be my switch stack or ISA?
0
 
Rick_O_Shay commented:
If I'm reading you right you have two routers, one of which is the default gateway for the local clients.

Anything that needs to go out the other router is going to have to be routed from your gateway to that router and then out. Unless redirects are in use, in which case the gateway would alert the client to the better route that is available via the other router. Some stuff ignores the redirects and just continues to use the default gateway and the extra hop anyway.

If you have a layer 3 switch with routing enabled between the clients and both routers, then you could make it the default gateway and it would route directly to router A or B to get to the remote destinations.
0
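The extra hop and the ICMP redirect described above can be made concrete with a small forwarding simulation. This is an added example, not code from the thread: the topology (router A at 192.168.10.1 owning the site-to-site tunnel, router B at 192.168.10.2 owning the Internet path, a layer 3 switch at 192.168.10.254, the remote site on 192.168.20.0/24) is constructed and does not claim to match the poster's addressing. Each device does a longest-prefix-match lookup, and `trace` follows a client's packet from its default gateway until it leaves the LAN.

```python
import ipaddress

# Constructed topology (assumption, not the original poster's addressing):
#   LAN           192.168.10.0/24
#   Router A      192.168.10.1    site-to-site tunnel to 192.168.20.0/24
#   Router B      192.168.10.2    Internet
#   L3 switch     192.168.10.254  optional gateway that knows both routers
LAN = ipaddress.ip_network("192.168.10.0/24")
REMOTE_SITE = "192.168.20.0/24"


class Router:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self, name, routes):
        self.name = name
        # routes: (prefix, next_hop); next_hop is either the LAN IP of another
        # device or an exit label such as "tunnel", "internet" or "connected"
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        dst_ip = ipaddress.ip_address(dst)
        candidates = [(net, nh) for net, nh in self.routes if dst_ip in net]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r[0].prefixlen)[1]


DEVICES = {
    "192.168.10.1": Router("RouterA", [
        ("192.168.10.0/24", "connected"),
        (REMOTE_SITE, "tunnel"),
        ("0.0.0.0/0", "192.168.10.2"),   # everything else: hand off to Router B
    ]),
    "192.168.10.2": Router("RouterB", [
        ("192.168.10.0/24", "connected"),
        (REMOTE_SITE, "192.168.10.1"),   # remote site: hand off to Router A
        ("0.0.0.0/0", "internet"),
    ]),
    "192.168.10.254": Router("L3switch", [
        ("192.168.10.0/24", "connected"),
        (REMOTE_SITE, "192.168.10.1"),
        ("0.0.0.0/0", "192.168.10.2"),
    ]),
}


def trace(gateway, dst, devices=DEVICES):
    """Follow a client's packet from its default gateway until it leaves the LAN.

    Returns (list of device names traversed, exit label). Two routers in the
    list means the packet crossed the LAN twice: client -> gateway -> other
    router, the extra hop discussed in the answer."""
    path, hop, seen = [], gateway, set()
    while True:
        if hop in seen:
            raise RuntimeError("routing loop via " + hop)
        seen.add(hop)
        dev = devices[hop]
        path.append(dev.name)
        nh = dev.next_hop(dst)
        if nh is None:
            return path, "unreachable"
        if nh not in devices:          # exit label: tunnel / internet / connected
            return path, nh
        hop = nh


def would_redirect(gateway, src, dst, devices=DEVICES):
    """True when the gateway's next hop for dst sits on the client's own subnet,
    which is the case where a router normally sends an ICMP redirect telling
    the client to use the other router directly. Hosts may ignore it."""
    nh = devices[gateway].next_hop(dst)
    if nh is None or nh not in devices:
        return False
    return ipaddress.ip_address(src) in LAN and ipaddress.ip_address(nh) in LAN


if __name__ == "__main__":
    for gw in ("192.168.10.1", "192.168.10.254"):
        for dst in ("192.168.20.10", "203.0.113.5"):
            path, exit_via = trace(gw, dst)
            print(f"gateway {gw:15} -> {dst:14}: {' -> '.join(path)} -> {exit_via}"
                  f"{'  (redirect possible)' if would_redirect(gw, '192.168.10.50', dst) else ''}")
```

With router A as the gateway, Internet-bound traffic is forwarded A to B across the same LAN segment it arrived on; with the layer 3 switch as the gateway, each destination goes straight to the router that owns it and no router-to-router hop appears in the path.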
 
digitap commented:
I agree with Rick regarding the routing. It would be best to have a layer 3 switch routing traffic to one or the other, or to let one of your firewalls do the routing.
0
 
jmchristy (Author) commented:
Thanks for the advice!
0
 
digitap commented:
You're welcome.
0
 
jmchristy (Author) commented:
I'd like to follow up on this with another question.

Since we switched from our Cisco point-to-point T1s to the Edgemarc as our gateway, all users who have that as their default gateway can now get right out to the internet. We set the users' proxy in IE to force them to use the proxy, so we can apply our security policies with the GFI WebMonitor package.

The question I have is: is it normal practice to have end users' PCs access the internet directly? We have policies in place to restrict .EXEs that aren't approved, and to force users to use a proxy. I just wasn't sure if there are any other risks that I'm not aware of.

With the users' default gateway being point-to-point T1s before, if they didn't have a proxy specified they couldn't get out to the internet, because the T1s had no internet access.
0
 
digitap commented:
I think it's just a matter of preference. I deploy Sonicwall appliances with the ViewPoint server. I depend on the Sonicwall security services and ViewPoint to keep my users safe. I have clients that needed some extra work, so I added a proxy to generate "white list" type access to the internet. In that case, we didn't trust the users to make the good judgment call.

It sounds as if your Cisco may have been routing traffic according to your current Internet policy. Maybe it had an access rule that would only let the proxy server out the WAN interface to the internet. Perhaps this is something to consider with your Edgemarc. This would help you curtail someone having internet access outside your policies.
0
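The access rule described above, only the proxy may leave through the WAN interface, is a network-side backstop for the client-side IE proxy setting, which any user who can change browser settings can undo. As an added example (not from the thread, and not in any vendor's rule syntax), here is a first-match policy evaluator with an implicit deny, the permissive rule set the poster has today beside the restricted one digitap suggests, and a handful of constructed flows audited against both. The proxy address 192.168.10.20, the client 192.168.10.50, the remote file server 192.168.20.10 and the Internet host 203.0.113.5 are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumptions, not the poster's real network)
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.10.0/24")      # corporate client subnet
REMOTE = ipaddress.ip_network("192.168.20.0/24")   # remote site over the VPN
PROXY = ipaddress.ip_network("192.168.10.20/32")   # the proxy / ISA host


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset = frozenset()   # empty means any destination port


def evaluate(rules, src, dst, dport):
    """First matching rule wins; no match means deny, as most firewalls do."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and (not r.dports or dport in r.dports):
            return r.action
    return "deny"


# What the poster has today: the gateway lets any LAN host straight out.
PERMISSIVE = [Rule("allow", LAN, ANY)]

# The rule set digitap describes: only the proxy reaches the Internet, and
# only on web ports; site-to-site traffic still passes; every other flow
# from the LAN is dropped, so a client that unticks the IE proxy box gets nothing.
RESTRICTED = [
    Rule("allow", PROXY, ANY, frozenset({80, 443})),
    Rule("allow", LAN, REMOTE),
    Rule("deny", LAN, ANY),
]

# Constructed flows to audit: (description, src, dst, dport)
FLOWS = [
    ("proxy fetching a page for a client", "192.168.10.20", "203.0.113.5", 443),
    ("client bypassing proxy", "192.168.10.50", "203.0.113.5", 443),
    ("client to remote file server", "192.168.10.50", "192.168.20.10", 445),
    ("proxy host on a non-web port", "192.168.10.20", "203.0.113.5", 22),
]


def audit(rules, flows=FLOWS):
    """Return {description: action} for every flow under the given rule set."""
    return {desc: evaluate(rules, s, d, p) for desc, s, d, p in flows}


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name)
        for desc, action in audit(rules).items():
            print(f"  {action:5}  {desc}")
```

The difference between the two audits is the flow labelled "client bypassing proxy": the GFI WebMonitor policy only sees traffic that goes through the proxy, so that flow is exactly the one the restricted rule set exists to close.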
 
jmchristy (Author) commented:
The Cisco was routing all traffic over a T1 and terminating at another T1, which was another Cisco router that had no internet access. So traffic would go over the T1s and not know how to resolve; that was kind of our way of forcing internet users to always have that check box checked in IE.

Appreciate the feedback.
0
 
digitap commented:
I see. That makes sense. Sure, if anything else comes up, post back.
0
