Solved

VPN Client slow to establish connection to private network

Posted on 2015-02-24
Last Modified: 2015-03-31
Hello,

A customer is using a Barracuda NGF300 firewall. The clients create a VPN connection using the Barracuda NG VPN client (3.5) on Windows 7 x64 Professional from their local station to the firewall appliance.

Sometimes the time to establish the link is fast (less than 10 seconds) and at times it can take 50 seconds to establish the connection.

Can anyone suggest why there is such a time variance? This happens when users are remote and the variance takes place from the same remote location (e.g. the owner's home).

Are there any tools someone could recommend that would help identify what is causing such a variance in establishing VPN connection?
Question by:mbudman
8 Comments
 
LVL 37

Accepted Solution

by:
bbao earned 500 total points
ID: 40630985
you need to check the VPN client's log for the details about what happened underneath the slow VPN establishment. you may post related logs here for further assistance.

for general troubleshooting of Barracuda VPN client, see the link below.

https://techlib.barracuda.com/display/bngv52/troubleshooting

have you tried talking to Barracuda's technical support from here at https://www.barracuda.com/support?
0
 
LVL 1

Author Comment

by:mbudman
ID: 40634662
I was wondering if a particular situation could pose a problem when establishing a VPN connection:

What happens if multiple clients (employees) have their workstations NAT'ted behind the same router-firewall when establishing a client to firewall connection? The router-firewall would advertise the same public IP address for all clients. Could this be an issue and cause VPN connection problems?
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 500 total points
ID: 40634677
> The router-firewall would advertise the same public ip address for all clients. could this be an issue?

no, except the VPN client program is not NAT friendly which is unlikely for today's enterprise solutions.

however, if you are really concerned about this, it is worth having a try as such a test can be easily done and confirmed.
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 500 total points
ID: 40634686
FYI - from the viewpoint of the VPN server, all connections established from the same remote IP are still different as they come from different source ports hence the VPN sessions can't be confused.
0
 
LVL 1

Author Comment

by:mbudman
ID: 40634690
How would I perform the test?

I also have another question more related to networking that perhaps you can answer.

The private VLAN is defined as 10.0.0.0 / 255.255.248.0

The VPN assigned ip address is 10.0.41.X / 255.255.255.0

The local network of the computer establishing a VPN connection is: 192.168.0.0 / 255.255.255.0

On the private remote network where the VPN connection is established, there is also a subnet of 192.168.0.0 / 255.255.255.0. This network handles the routing to the internet - it is communication between firewall, layer 3 switch and internet.

The configuration is as follows:

VLAN connects to layer 3 switch. It routes all traffic between VLANs. 3 VLANs exist:

1) 10.0.0.0 / 255.255.248.0
2) 10.0.8.0 / 255.255.248.0
3) 10.0.16.0 / 255.255.248.0

If a request is made from one of the subnets to the internet, the layer 3 switch communicates to the firewall which is on subnet 192.168.0.0 / 255.255.255.0

Could this pose a problem?

Also, how would one perform the test you refer to, to ensure that the VPN client is not NAT friendly?
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 500 total points
ID: 40634741
> How would I perform the test?

just ask two employees to connect to the same VPN from different PCs on the same LAN using different credentials. that's it.

> the layer 3 switch communicates to the firewall which is on subnet 192.168.0.0 / 255.255.255.0 could this pose a problem?

it depends on where the VPN gateway is located. if the 192.168 subnet is BEFORE (outside) the VPN gateway and NOT directly connected to the VPN gateway, that should NOT be an issue as the VPN client's private IP is encapsulated within the VPN traffic hence not visible to the 192.168 subnet that the VPN passes through. like the diagram below.

subnet 10.0.0.0 <-> VPN gateway <-> other subnets <-> subnet 192.168.0.0 <-> firewall-1 <-> Internet <-> firewall-2 <-> subnet 192.168.0.0 <-> VPN Client
subnet 10.0.8.0 <-------/    |
subnet 10.0.16.0 <-----------|

but, if the 192.168 subnet is DIRECTLY connected to the VPN gateway, that would NOT work, like below.

subnet 10.0.0.0 <-> VPN gateway <-> subnet 192.168.0.0 <-> firewall-1 <-> Internet <-> firewall-2 <-> subnet 192.168.0.0 <-> VPN Client
subnet 10.0.8.0 <-------/    |
subnet 10.0.16.0 <-----------|

in any situation, if the 192.168 subnet is BEHIND (inner side of) the VPN gateway, that would NOT work either, as shown below, simply because the VPN Client's private IP (192.168.0.x) is no longer encapsulated within the VPN traffic and will be confused with another 192.168.0.0 subnet.

subnet 10.0.0.0 <-> subnet 192.168.0.0 <-> other subnets <-> VPN gateway <-> firewall-1 <-> Internet <-> firewall-2 <-> subnet 192.168.0.0 <-> VPN Client
subnet 10.0.8.0 <-------/    |
subnet 10.0.16.0 <-----------|

does it make sense?
0
 
LVL 37

Expert Comment

by:bbao
ID: 40634744
BTW, i am not sure the diagrams are readable from your side as i am posting from my mobile phone. you better view them on a wide enough screen and make sure the lines are not wrapped. :)
0
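The address-overlap question raised in this thread can be checked mechanically. The following is an added example, not part of the original posts: it parses the subnets as they were written above and reports which client-side networks collide with remote-side ones. The labels, and the use of 10.0.41.0 as the base of "10.0.41.X", are assumptions of this example.

```python
import ipaddress
from itertools import product

def parse_net(text):
    """Parse 'address / dotted-mask' as written in the thread into an IPv4Network."""
    addr, mask = (part.strip() for part in text.split("/", 1))
    # strict=False tolerates host bits being set in the address part
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

# Networks as stated in the thread (labels are this example's own)
REMOTE_SITE = {
    "VLAN 1": "10.0.0.0 / 255.255.248.0",
    "VLAN 2": "10.0.8.0 / 255.255.248.0",
    "VLAN 3": "10.0.16.0 / 255.255.248.0",
    "firewall transit": "192.168.0.0 / 255.255.255.0",
}
CLIENT_SIDE = {
    "VPN-assigned pool": "10.0.41.0 / 255.255.255.0",  # "10.0.41.X" in the post
    "client home LAN": "192.168.0.0 / 255.255.255.0",
}

def find_overlaps(client_side, remote_site):
    """Return (client_label, remote_label, shared_range) for each overlapping pair."""
    hits = []
    pairs = product(client_side.items(), remote_site.items())
    for (c_name, c_txt), (r_name, r_txt) in pairs:
        c_net, r_net = parse_net(c_txt), parse_net(r_txt)
        if c_net.overlaps(r_net):
            # Two CIDR blocks that overlap always nest, so the shared
            # range is the more specific (longer-prefix) of the two.
            shared = c_net if c_net.prefixlen >= r_net.prefixlen else r_net
            hits.append((c_name, r_name, str(shared)))
    return hits

if __name__ == "__main__":
    for name, txt in {**REMOTE_SITE, **CLIENT_SIDE}.items():
        print(f"{name:18} {parse_net(txt)}")
    for c_name, r_name, shared in find_overlaps(CLIENT_SIDE, REMOTE_SITE):
        print(f"OVERLAP: {c_name} <-> {r_name} on {shared}")
```

The only collision reported is between the client's home LAN and the remote 192.168.0.0 transit subnet; whether that collision matters depends on where the VPN gateway sits, as described in the answer above.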
 
LVL 1

Author Closing Comment

by:mbudman
ID: 40699417
Thank you for your assistance.
0
