Thread: Site-to-site VPN issues

  1. #1
    Junior Member
    Join Date
    Jan 2005
    Posts
    3

    Site-to-site VPN issues

    Here's the setup:

    Main Office

    Server:
    Windows Server 2003 domain controller
    IP address: 192.168.1.10
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.1
    Services: Active Directory, DNS, DHCP

    Clients:
    Mixture of PCs running Windows 2000 Professional with SP3 and Windows XP Professional with SP2

    Network:
    Dell 16-port switch
    SBC 768K SDSL

    Firewall:
    Sonicwall TZ170 Internet Security Appliance
    LAN IP = 192.168.1.1
    LAN Subnet Mask = 255.255.255.0
    Firmware version: SonicOS Standard 2.2.0.1
    Revision: 2.2.0_pp_8s $
    ROM version 2.0.0.3
    Previous firmware version: 2.0.0.2
    Fragment outbound packets larger than WAN MTU: 1
    WAN MTU: 1404
    CP Wan MTU: 1404
    WAN Ignore DF Bit for non-VPN traffic: 1

    Site-to-site VPN:
    Encrypt/Auth - ESP DES HMAC MD5
    Key Exchange: Manual Keys
    VPN Terminated at: LAN
    netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
    TunnelForAllOutboundTraffic off
    Authentication of local users off, Authentication of remote users off
    remote subnet for netbios 255.255.255.0
    destIP begin 192.168.2.1, end 192.168.2.254



    Remote Office

    Clients:
    4 Dell PCs running Windows XP Professional with SP2

    Network:
    Belkin 8-port 10/100 hub
    Choice One 768K SDSL

    Firewall:
    Sonicwall TZ170 Internet Security Appliance
    LAN IP = 192.168.2.1
    LAN Subnet Mask = 255.255.255.0
    Firmware version: SonicOS Standard 2.2.0.1
    Revision: 2.2.0_pp_8s $
    ROM version 2.0.0.3
    Previous firmware version: 2.0.0.2
    Fragment outbound packets larger than WAN MTU: 1
    WAN MTU: 1404
    CP Wan MTU: 1404
    WAN Ignore DF Bit for non-VPN traffic: 1
    DHCP Server:
    Enable DHCP = 1
    Lease Period = 1440 minutes
    Range Start = 192.168.2.100
    Range End = 192.168.2.110
    Interface = LAN
    Default Gateway = 192.168.2.1
    Subnet Mask = 255.255.255.0
    Domain Name = <NULL>
    DNS Servers = 192.168.1.10

    Site-to-site VPN:
    Encrypt/Auth - ESP DES HMAC MD5
    Key Exchange: Manual Keys
    VPN Terminated at: LAN
    netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
    TunnelForAllOutboundTraffic off
    Authentication of local users off, Authentication of remote users off
    remote subnet for netbios 255.255.255.0
    destIP begin 192.168.2.1, end 192.168.2.254

    A site-to-site VPN between both Sonicwall TZ170 connects the Remote Office to the Main Office. All four PCs at the Remote Office authenticate across the VPN to the Windows Server 2003 domain controller. At the Remote Office, DNS is resolving to the domain controller across the VPN.

    Issue:

    All users use a Windows-based application that connects to a database on the Windows Server 2003 domain controller.

    There are not any performance issues in the Main Office. There are performance issues with clients accessing the database and copying/opening files from the server to the client PC over the VPN from the Remote Office.
    We ran a packet trace (netcap.exe on a Windows XP SP2 PC at the Remote Office and netmon.exe on the Windows Server 2003 domain controller) while copying a 12.7MB file from the server to the client PC. What we found is that the client PC at the Remote Office is repeatedly sending ACKs across the VPN tunnel to the domain controller, and the domain controller is repeatedly sending ACKs across the VPN tunnel to the client PC.

    We do not know what's causing this issue. Sonicwall states that there's nothing wrong with their hardware or the VPN tunnel itself.

    Does anyone have any ideas?

    Thanks in advance!!

    Rob

    PS - I can send the packet trace capture files if needed. Just let me know.

  2. #2
    SG Enthusiast twwabw
    Join Date
    Nov 2000
    Location
    LeRoy, NY, USA
    Posts
    2,472
    Hi-

    I'd like to see some specifics- namely
    - what is the bandwidth of the connection (both ways) at each site
    - what kind of performance specifically do you have during these file transfers?

    I see this is only a 768K pipe... yet you are running AD DNS to the clients over this pipe, as well as "a Windows-based application that connects to a database on the Windows Server 2003 domain controller". This is a lot of traffic- especially the database. I would imagine that runs like molasses. Databases can consume tremendous bandwidth, creating indexes, etc. Many accounting apps cause these same issues when trying to run them across VPNs. And, with no DC at that site, there's a lot of AD traffic running through that pipe.

    It's likely there is indeed nothing wrong with the VPN, but that you are just trying to pump too much through that pipe.

    Depending on what this DB app is, and whether it supports it, I would consider moving that to a terminal server. This approach moves the processing and data transmission burden away from the client workstation, and cuts traffic dramatically. You are then only transmitting screenshot data back and forth.

    I would also consider a Domain Controller at that site. You can then reduce AD traffic, and pretty much limit it to replication.

    My 2 cents.
    Observe everything...focus on nothing..

  3. #3
    Junior Member
    Join Date
    Jan 2005
    Posts
    2

    Try using iperf to get an idea of what is causing the bottleneck

    Iperf is an easy way to test bandwidth between two connections. It is also free at
    http://freshmeat.net/projects/iperf

  4. #4
    Junior Member
    Join Date
    Jan 2005
    Posts
    3
    Thanks to twwabw and dbell6809 for responding.

    At the Main Office, it currently has SBC's 768K SDSL service (768K upstream and downstream). At the Remote Office, it currently has a T1 circuit from Choice One, 768K used for data (both upstream and downstream) and the rest of the circuit is allocated for voice.

    Running the file transfer was just a general test. 4-5 minutes to copy a 12 MB file from the server to the client PC over the VPN tunnel is normal. We don't expect the file copy or the applications to run at wire speed, but at least to get better performance than what we're currently getting.

    The company is a small insurance firm and they do run two applications that have databases on the server. So yes, the applications run like molasses at the remote site. We have considered installing a DC at the remote site so that the traffic across the VPN isn't as bad and just have replication go across the VPN tunnel. Installing a Terminal Server is another option as well.

    On the logs on both Sonicwalls - we are seeing a lot of VPN TCP PSH, VPN TCP SYN, and VPN TCP FIN between the client PCs at the remote site and the server (on ports 1072, 8080, 135, 1186, 2009, 1060). It may be how the insurance applications are communicating across the VPN tunnel.

    Rob

  5. #5
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,445
    I would take the Terminal Server approach as TWW mentioned....run TS at the mothership, have the satellite offices run the app through Remote Desktop Connection...which barely needs any bandwidth to run (about 20k per session)

    The other scenario, such as I have set up for a health care client, is they have their satellite offices running a smaller "server" version of their scheduling and notes database...which does a "dexie" (data transfer) through the VPN to the mothership office throughout the day. The main office has the central server there, and the satellites, which have 3-4 PCs at each office, run their own small server on a peer to peer setup...and the servers communicate throughout the day with data exchanges, updating each other. This setup obviously needs the software to support this setup. (your database program people).

    The satellites run Outlook ==> Exchange through the Sonicwall tunnels just fine, the Exchange server being at the central office. However, I have the satellite offices doing just local workstation logons (peer to peer setup), I just create matching user accounts on the central server to allow access.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  6. #6
    Junior Member
    Join Date
    Jan 2005
    Posts
    3

    site-to-site VPN bandwidth utilization

    Does anyone know how much bandwidth is used to maintain a VPN tunnel if any?

  7. #7
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,445
    Quote Originally Posted by buddylee7
    Does anyone know how much bandwidth is used to maintain a VPN tunnel if any?
    Kind of impossible to answer, as you can establish a VPN over pretty much anything, even an old 14,400 or 9,600k dial up modem. Sure the connection will be so slow you can't do all that much, but technically you have a VPN.

    Many of the better VPN routers can also set the % of the internet connection, to be dedicated to a VPN tunnel. Say you have two sites connected with a 384k pipe...you can set a % of that to be dedicated to VPN traffic, so that some end users don't kill the important stuff by downloading junk or playing internet radio.

    The speed of the VPN tunnel also greatly varies according to the quality of the routers you use. Take the same site to site DSL lines, do one setup with some basic 75 dollar routers, do another setup with a pair of nice Sonicwall routers. Now test that connection, and there'll be a major difference in speed...the Sonicwalls will be much faster. You're comparing routers with some little 11MHz CPU and 128k of RAM against routers with a 133MHz RISC processor with 24 or 32 megs of RAM. VPN encryption takes some horsepower.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  8. #8
    Junior Member
    Join Date
    Jan 2005
    Posts
    3
    What if you're using a client VPN to connect to a concentrator? I'm sure a PC shouldn't have a problem nor the concentrator. In this case they are going through a DSL line using multiple VPN clients instead of a site-to-site connection. Would you consider that a big problem? Bottom line, would you notice a big difference in performance in having a site-to-site connection that would establish one VPN tunnel as opposed to having multiple clients establish multiple VPNs across a DSL connection?

  9. #9
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,445
    Well, guess it's different ways of setting it up. I look at a VPN concentrator as a hardware device that allows remote connections from various home users, "road warriors" who travel, stuff like that. I don't see those as intended for setting up WANs. For WANs I'd use router to router/gateway to gateway devices to maintain a permanent single tunnel from site to site. No VPN overhead on the workstations this way, simply use just like the satellite offices were local on the central office network. One big fat hardware VPN connection to me is seen as better than multiple software VPN connections.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  10. #10
    Junior Member
    Join Date
    Jan 2005
    Posts
    3
    I would agree with you in saying that a VPN concentrator is more for the people that are on the road but in this case it is also being used as a site-to-site. To be more specific, a pix 501 is being used to connect to the VPN concentrator not only to establish a secure connection back to HQ but also to have firewall capabilities at the remote site for the clients. It's a more cost effective way in this particular scenario because of penny pinchers and the fact I don't have control of the internet router.

  11. #11
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,445
    ///stares at broken PIX 501 sitting on his desk///

    I think we're talking about two different scales here. My setup being for a smaller setup, just a handful of sites. When I think VPN concentrator, I'm picturing a Cisco 3000 like the one about 40 feet behind my back here...sitting on fat bandwidth in a data center type of situation, not a basic 4x satellite and 1x main office setup attempting a WAN over DSL.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  12. #12
    Moderator Bouncer
    Join Date
    Oct 1999
    Location
    Fortress 'Murica, for the moment
    Posts
    4,832
    Ha Ha CatBreath broke the PIX! I am so telling!
    The ACK, SYN and FIN packets you are seeing are almost certainly the VPN at the remote side trying to open specific sessions with the VPN at the server site to pass on to the database server.

    It sounds like what may be happening is that you have a lot of these database sessions being opened and closed for some reason, and that is clogging the pipe.

    I'm curious though, why you make your clients authenticate to your local domain at the server site. If you have a tunnel set up to the other side it's in effect as if they were locally connected.

    I'd also recommend you try dialing down the MTU on your sonicwalls. To around 1300 or so. You may be having a fragmentation issue, especially if your DSL is PPPoE and additional headers are being added.

    Regards,
    -Bouncer-
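Bouncer's fragmentation point can be checked with arithmetic. The Python below is an added example (not code from the thread or from Sonicwall) that works out the ESP tunnel-mode overhead for the "ESP DES HMAC MD5" proposal the original poster lists, and shows which inner packet sizes fragment on a PPPoE link. IPv4 tunnel mode, no NAT-T, and an 8-byte PPPoE/PPP cost on a 1500-byte Ethernet MTU are assumptions; DES is obsolete, but the same padding arithmetic applies to 3DES (8-byte block), while AES needs a 16-byte block and IV.

```python
# Added example (not from the thread): ESP tunnel-mode overhead for the
# ESP DES HMAC MD5 proposal configured on both TZ170s in the thread.
# Assumptions: IPv4 tunnel mode, no NAT-T (UDP 4500) encapsulation, and a
# PPPoE DSL link that costs 8 bytes (PPPoE 6 + PPP 2) off the 1500-byte
# Ethernet MTU. DES is obsolete; 3DES has the same 8-byte block, AES does not.

ESP_HEADER = 8          # SPI (4) + sequence number (4)
DES_IV = 8              # DES-CBC initialization vector
DES_BLOCK = 8           # payload + trailer is padded to a multiple of this
ESP_TRAILER = 2         # pad length (1) + next header (1)
HMAC_MD5_96_ICV = 12    # truncated HMAC-MD5 authenticator
IPV4_HEADER = 20
PPPOE_OVERHEAD = 8      # assumption: PPPoE (6) + PPP (2)
ETHERNET_MTU = 1500


def esp_outer_size(inner_len: int) -> int:
    """Outer IPv4 packet size when an inner_len-byte IP packet is ESP-tunnelled."""
    padded = -(-(inner_len + ESP_TRAILER) // DES_BLOCK) * DES_BLOCK
    return IPV4_HEADER + ESP_HEADER + DES_IV + padded + HMAC_MD5_96_ICV


def link_mtu(pppoe: bool) -> int:
    """MTU available to the outer packet on the WAN link."""
    return ETHERNET_MTU - PPPOE_OVERHEAD if pppoe else ETHERNET_MTU


def fragment_count(outer_len: int, mtu: int) -> int:
    """IPv4 fragments needed to carry outer_len bytes over a link with this MTU."""
    if outer_len <= mtu:
        return 1
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8   # fragment data is 8-byte aligned
    return -(-(outer_len - IPV4_HEADER) // per_fragment)


def max_inner_mtu(pppoe: bool) -> int:
    """Largest inner packet whose ESP form fits the WAN link without fragmenting."""
    limit = link_mtu(pppoe)
    inner = limit
    while esp_outer_size(inner) > limit:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS to clamp to (IPv4 + TCP headers, no options) for a given inner MTU."""
    return inner_mtu - IPV4_HEADER - 20


if __name__ == "__main__":
    # A full 1500-byte LAN packet versus the 1404 and ~1300 MTUs discussed above.
    for inner in (1500, 1404, 1300):
        outer = esp_outer_size(inner)
        print(f"inner {inner} -> outer {outer}, fragments on PPPoE link: "
              f"{fragment_count(outer, link_mtu(True))}")
    print("largest non-fragmenting inner MTU (PPPoE):", max_inner_mtu(True))
```

A 1500-byte inner packet becomes 1552 bytes on the wire and splits in two on either the 1492-byte PPPoE link or the 1404-byte WAN MTU from the thread, which is the fragmentation cost Bouncer is describing; 1404 and 1300 both fit in one outer packet.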

  13. #13
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,445
    Quote Originally Posted by Bouncer
    Ha Ha CatBreath broke the PIX! I am so telling!
    Nah I didn't break it. Someone picked it up used somewhere ( cheap I'm guessing, like eBay), trying to reset it back to factory defaults. Not running DHCP, who knows what the LAN IP is, tried to console hyperterminal to it to attempt to flash a password reset .BIN to it, but she's not responding to hyperterminal either.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  14. #14
    Junior Member
    Join Date
    Jan 2005
    Posts
    3
    Sorry for the late reply guys. Anyway, the problem was solved by installing Terminal Server. However, someone else did the install. Our original plan was for the owner to purchase another server that would strictly run Terminal Server. Turns out that the owner's son's friend installed Terminal Server in application mode on the domain controller. Go figure...

  15. #15
    SG Enthusiast twwabw
    Join Date
    Nov 2000
    Location
    LeRoy, NY, USA
    Posts
    2,472
    Turns out that the owner's son's friend installed Terminal Server in application mode on the domain controller
    Wow- what a really really bad idea.......
    Observe everything...focus on nothing..

  16. #16
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,445
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  17. #17

    Need some advice in creating a VPN between 2 sites

    Hello guys,
    I need some help in creating a VPN connection between two sites.
    2 sites: head office and warehouse.

    The head office has 45 computers which are connected in workgroups (island strategy), 4 workgroups (admin, accounts, operations, marketing), in which there are 4 workgroup 8-port switches, each connected to a 24-port switch which is connected to an ADSL line via an ISP managed modem router. As I was new to this job and VPN, I feel I need to take some advice from experts in the forums. Recently our company bought a warehouse somewhere outside London. I was told to connect the warehouse to the head office for accounting and stock inventory processes. As I have noticed that we haven't got any server in the head office, I am just wondering how I can achieve this VPN connection between our warehouse and head office. Can anyone please let me know how I can achieve this with or without a server? From this present situation, how can I get the two sites connected in a secure way via VPN? What do I need in terms of server, ISP requirements, IP addresses, routers etc. on both sites?

    One of my friends told me it is easy to set up terminal services. I have no idea what that means either. I've just finished my college and I am in the job straight away, so no real hands-on experience, guys. I will be really thankful if anyone can help me out of this situation by any means for the problem I have. Thanks in advance.

  18. #18
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,445
    Well first we need to look at several things before jumping blindly into this.

    Warehouse needs to be connected to the office to do "what"? How many computers at the warehouse actually need to do something at the main office? Or vice versa?

    If there's some software package they need to run out there from the main office, does it even support running under TS?

    What kind of connection is at the main office? Rated speeds? Any upgrades available?

    What kind of connections are available at the warehouse?

    Can the same ISP the main office has connect the warehouse, and are they able to maintain the VPN 'tween the sites themselves? (Takes the load off of you)
    MORNING WOOD Lumber Company
    Guinness for Strength!!!
