Solved

VPN Client slow to establish connection to private network

Posted on 2015-02-24
Last Modified: 2015-03-31
Hello,

A customer is using a Barracuda NGF300 firewall. The clients create a VPN connection using the Barracuda NG VPN client (3.5) on Windows 7 x64 Professional from their local station to the firewall appliance.

Sometimes the time to establish the link is fast (less than 10 seconds) and at times it can take 50 seconds to establish the connection.

Can anyone suggest why there is such a time variance? This happens when users are remote and the variance takes place from the same remote location (e.g. the owner's home).

Are there any tools someone could recommend that would help identify what is causing such a variance in establishing VPN connection?
Question by:mbudman
8 Comments
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 500 total points
ID: 40630985
you need to check the VPN client's log for the details about what happened underneath the slow VPN establishment. you may post related logs here for further assistance.

for general troubleshooting of the Barracuda VPN client, see the link below.

https://techlib.barracuda.com/display/bngv52/troubleshooting

have you tried talking to Barracuda's technical support at https://www.barracuda.com/support?
0
 
LVL 1

Author Comment

by:mbudman
ID: 40634662
I was wondering if a particular situation could pose a problem when establishing a VPN connection:

What happens if multiple clients (employees) have their workstations NAT'ted behind the same router-firewall when establishing a client-to-firewall connection? The router-firewall would advertise the same public IP address for all clients. Could this be an issue and cause VPN connection problems?
0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 500 total points
ID: 40634677
> The router-firewall would advertise the same public IP address for all clients. Could this be an issue?

no, except the VPN client program is not NAT friendly which is unlikely for today's enterprise solutions.

however, if you are really concerned about this, it is worth a try, as such a test can be easily done and confirmed.
0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 500 total points
ID: 40634686
FYI - from the viewpoint of the VPN server, all connections established from the same remote IP are still different as they come from different source ports hence the VPN sessions can't be confused.
0
 
LVL 1

Author Comment

by:mbudman
ID: 40634690
How would I perform the test?

I also have another question more related to networking that perhaps you can answer.

The private VLAN is defined as 10.0.0.0 / 255.255.248.0

The VPN assigned ip address is 10.0.41.X / 255.255.255.0

The local network of the computer establishing a VPN connection is: 192.168.0.0 / 255.255.255.0

On the private remote network where establishing a VPN connection, there is also a subnet of 192.168.0.0 / 255.255.255.0. This network handles the routing to the internet - it is communication between firewall, layer 3 switch and internet.

The configuration is as follows:

VLAN connects to layer 3 switch. It routes all traffic between VLANs. 3 VLANs exist:

1) 10.0.0.0 /255.255.248.0
2) 10.0.8.0 /255.255.248.0,
3) 10.0.16.0 / 255.255.248.0

If a request is made from one of the subnets to the internet, the layer 3 switch communicates to the firewall which is on subnet 192.168.0.0 / 255.255.255.0

could this pose a problem?

Also, how would one test you refer to to ensure that the VPN client is not NAT friendly?
0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 500 total points
ID: 40634741
> How would I perform the test?

just ask two employees to connect to the same VPN from different PCs on the same LAN using different credentials. that's it.

> the layer 3 switch communicates to the firewall which is on subnet 192.168.0.0 / 255.255.255.0 could this pose a problem?

it depends on where the VPN gateway is located. if the 192.168 subnet is BEFORE (outside) the VPN gateway and NOT directly connected to the VPN gateway, that should NOT be an issue, as the VPN client's private IP is encapsulated within the VPN traffic and hence not visible to the 192.168 subnet that the VPN passes through, as in the diagram below.

subnet 10.0.0.0 <-> VPN gateway <-> other subnets <-> subnet 192.168.0.0 <-> firewall-1 <-> Internet <-> firewall-2 <-> subnet 192.168.0.0 <-> VPN Client
subnet 10.0.8.0 <-------/    |
subnet 10.0.16.0 <-----------|

but, if the 192.168 subnet is DIRECTLY connected to the VPN gateway, that would NOT work, like below.

subnet 10.0.0.0 <-> VPN gateway <-> subnet 192.168.0.0 <-> firewall-1 <-> Internet <-> firewall-2 <-> subnet 192.168.0.0 <-> VPN Client
subnet 10.0.8.0 <-------/    |
subnet 10.0.16.0 <-----------|

in any situation, if the 192.168 subnet is BEHIND (inner side of) the VPN gateway, that would NOT work either, as shown below, simply because the VPN Client's private IP (192.168.0.x) is no longer encapsulated within the VPN traffic and will be confused with another 192.168.0.0 subnet.

subnet 10.0.0.0 <-> subnet 192.168.0.0 <-> other subnets <-> VPN gateway <-> firewall-1 <-> Internet <-> firewall-2 <-> subnet 192.168.0.0 <-> VPN Client
subnet 10.0.8.0 <-------/    |
subnet 10.0.16.0 <-----------|

does it make sense?
0
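The overlap condition discussed in the answer above can be checked mechanically. This is an added example, not part of the original post: it uses the addresses given in the thread, the function names are illustrative, and which networks are routed through the tunnel in each case is an assumption made for the demonstration.

```python
import ipaddress

# Addressing as posted in the thread (netmask notation kept as written).
SITE_VLANS = [
    "10.0.0.0/255.255.248.0",
    "10.0.8.0/255.255.248.0",
    "10.0.16.0/255.255.248.0",
]
VPN_POOL = "10.0.41.0/255.255.255.0"      # addresses handed to VPN clients
TRANSIT = "192.168.0.0/255.255.255.0"     # switch <-> firewall link at the site
CLIENT_LAN = "192.168.0.0/255.255.255.0"  # remote user's home LAN


def overlaps(local_nets, tunnel_nets):
    """Return (local, tunnel) pairs whose address ranges overlap."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    tunnel = [ipaddress.ip_network(n) for n in tunnel_nets]
    return [(str(a), str(b)) for a in local for b in tunnel if a.overlaps(b)]


def tunnel_conflicts(tunnel_nets, client_lan=CLIENT_LAN, vpn_pool=VPN_POOL):
    """Conflicts seen if tunnel_nets are the networks routed through the VPN.

    A hit on client_lan means the client cannot tell the remote range from
    its own LAN; a hit on vpn_pool means the pool collides with a site VLAN.
    """
    return overlaps([client_lan], tunnel_nets) + overlaps([vpn_pool], tunnel_nets)


# Assumed case 1: the 192.168.0.0 transit link is outside the VPN gateway,
# so only the three VLANs are reachable through the tunnel.
OUTSIDE = SITE_VLANS
# Assumed case 2: the transit link is behind the gateway and routed as well.
BEHIND = SITE_VLANS + [TRANSIT]

if __name__ == "__main__":
    print("transit outside gateway:", tunnel_conflicts(OUTSIDE))
    print("transit behind gateway: ", tunnel_conflicts(BEHIND))
    # Constructed extra case: a home LAN of 10.0.0.0/24 sits inside the first
    # VLAN (10.0.0.0/21), a partial overlap that a string compare would miss.
    print("home LAN 10.0.0.0/24:   ", tunnel_conflicts(OUTSIDE, client_lan="10.0.0.0/24"))
```
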
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40634744
BTW, i am not sure the diagrams are readable from your side as i am posting from my mobile phone. you better view them on a wide enough screen and make sure the lines are not wrapped. :)
0
 
LVL 1

Author Closing Comment

by:mbudman
ID: 40699417
Thank you for your assistance.
0
