Slow VPN connection over Charter Spectrum and Fortinet equipment

Jason Johanknecht
Two offices connected using site-2-site VPN on Fortigate 40C devices.  Both units were running flawlessly on Centurylink 6Mbps/768Kbps.  Once we changed over to Spectrum 100Mbps/7Mbps the VPN is 1/10 of the previous performance or worse!  The download speeds are excellent outside of the VPN on both sides.  Charter Spectrum has looked at both sides.  They claim everything is perfect.  The remote office only connects to a Terminal Server using RDP sessions.  If I connect outside of the VPN it is amazing!  However the added security of the VPN is a must.  So this was done as a trial and not acceptable.  Fortinet has been working on this for months and continues to blame Charter.  Over the VPN, the RDP sessions are very slow.  If you attempt to copy a 200MB file over the VPN it will never get past calculating.  If you attempt to copy a 2MB file it may or may not get there.  I have recreated the VPN tunnel and had Fortinet verify things.

Here is what Fortinet says:
The TCP Retransmissions occur when the transmitting server does not receive TCP-ACK from the receiving end. Some possible causes of not receiving TCP-ACK are:

This might be due to bad cabling/interface or duplex mismatch on ISP.


I agree this does sound like a duplex mismatch type end result, but is it possible Charter doesn't know what they have?
Dr. Klahn, Principal Software Engineer
Commented:
... is it possible Charter doesn't know what they have?

I am going to offer an opinion here, which should be considered such ...

It's not only possible, it's nearly a certainty.  I live in a Charter single-source service area.  Since they have a captive market, their tech support is (a) outsourced and (b) absolutely helpless when it comes to anything other than cycling the power and checking the cable connection.

But here's the rub.  Even if you put a network sniffer on the network between the Charter modem and the Fortinet server, and prove it's a Charter issue, their response is likely to be "It works great for everybody else in town, because they can all get to AOL and Hulu.  Therefore it's your equipment, which is non-standard."
Jason Johanknecht, IT Manager (Author)
Commented:
Working with Charter currently to see if they can find anything else.  They confirmed the firmware of the cable modems is set to full duplex (Not auto negotiate).
Jason Johanknecht, IT Manager (Author)
Commented:
Now they are saying it is auto negotiate and will check on the duplex.
Jason Johanknecht, IT Manager (Author)
Commented:
They are sure everything is Full Duplex.  They claim to not block any packets.  I do have other clients that use Checkpoint VPN, but no site-to-site.  The software client works great with Checkpoint.  They both use IPSEC.  Anyone have any other ideas?  I don't think Charter is even trying to resolve this issue.
IT Manager
Commented:
Charter finished their testing and found that Hi-Trens (I think it is the brand) was extremely poor at handling IPSEC packets.  They are going to try another modem at both locations.  They will be installed by Charter on Feb 28th, so I won't have another update for some time.
Jason Johanknecht, IT Manager (Author)
Commented:
Charter finally replaced the modems with Ubee brand, and the VPN works for the first time!  Hard to believe a modern-day cable modem cannot handle IPSEC packets.
