VPN woes

dcdewick — Tue, 19 Jun 2012 10:46:00 GMT

I used to have a VPN connecting my two sites that worked faultlessly using Demon Internet and a different telecomms supplier. The VPN is established as an IPSEC VPN between two Watchguard firewalls.

Following a policy change (not mine!) at our remote site I recently had installed three new BT ADSL lines with BTHub3 modems, bonded together to provide a single internet connection through a BT recomended third party suplier, Sharedband. I reconfigured the VPN on the firewalls to reflect the new IP address at the remote end, and updated the WAN interface MTU size as instructed by the company providing the bonding service. I now have my VPN dropping at least once every hour.

The VPN drops when the DPD protocol used to "heartbeat" the VPN connection times out. I tried using IKE keepalive packets instead - same result. I tried switching off 2 of the three routers used for bonding, to re-create a single ADSL connection, same result. The VPN drops consistently thoughout the day and night, so it appears that the reasons for the drop are not traffic related. Latency between the firewalls is fairly consistent at about 58ms on average, although some hops show as high as 380ms:

Date/Time: 19/06/2012 10:45:23 to 19/06/2012 11:35:15

Hop Sent Err    PL%     Min      Max      Avg
2   300   1       0.3      1         2        1
3   300   0       0.0      6     179        9
4   300   1       0.3      6    222     19
5   300   0       0.0   15    371       19
6   300   0       0.0   15        58       19
7   300 12       4.0   54    76     57

The issue is not with the firewalls, as they previously worked without a problem. Hours spent diagnosing logs with my firewall support show that the VPN drop is the result of a connection loss.The issue does not appear to be with the ADSL bonding as the problem exists with only a single line operational. BT tell me the circuits are all ok. The bonding service provider has configured his routers to provide access to the external interface of my remote firwall (host allocation). Pingplotter shows a consistent 4% packet drop on the last hop to my remote firewall, and error rate 12 times higher than on any other hop between the sites.

What else to try ?

Re: VPN woes

knobbster — Tue, 19 Jun 2012 18:28:46 GMT

Good luck on this. I got nothing on top of my head here. But I would love to have some shre their thoughts.

Re: VPN woes

dcdewick — Wed, 20 Jun 2012 14:12:43 GMT

Me too, knobbster, me too ...

topic Re: VPN woes in Archive

VPN woes

Re: VPN woes

Re: VPN woes