Thread: Site-to-site VPN issues

  1. #1
    Junior Member
    Join Date
    Jan 2005
    Posts
    3

    Site-to-site VPN issues

    Here's the setup:

    Main Office

    Server:
    Windows Server 2003 domain controller
    IP address: 192.168.1.10
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.1
    Services: Active Directory, DNS, DHCP

    Clients:
    Mixture of PCs running Windows 2000 Professional with SP3 and Windows XP Professional with SP2

    Network:
    Dell 16-port switch
    SBC 768K SDSL

    Firewall:
    Sonicwall TZ170 Internet Security Appliance
    LAN IP = 192.168.1.1
    LAN Subnet Mask = 255.255.255.0
    Firmware version: SonicOS Standard 2.2.0.1
    Revision: 2.2.0_pp_8s $
    ROM version 2.0.0.3
    Previous firmware version: 2.0.0.2
    Fragment outbound packets larger than WAN MTU: 1
    WAN MTU: 1404
    CP Wan MTU: 1404
    WAN Ignore DF Bit for non-VPN traffic: 1

    Site-to-site VPN:
    Encrypt/Auth - ESP DES HMAC MD5
    Key Exchange: Manual Keys
    VPN Terminated at: LAN
    netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
    TunnelForAllOutboundTraffic off
    Authentication of local users off, Authentication of remote users off
    remote subnet for netbios 255.255.255.0
    destIP begin 192.168.2.1, end 192.168.2.254



    Remote Office

    Clients:
    4 Dell PCs running Windows XP Professional with SP2

    Network:
    Belkin 8-port 10/100 hub
    Choice One 768K SDSL

    Firewall:
    Sonicwall TZ170 Internet Security Appliance
    LAN IP = 192.168.2.1
    LAN Subnet Mask = 255.255.255.0
    Firmware version: SonicOS Standard 2.2.0.1
    Revision: 2.2.0_pp_8s $
    ROM version 2.0.0.3
    Previous firmware version: 2.0.0.2
    Fragment outbound packets larger than WAN MTU: 1
    WAN MTU: 1404
    CP Wan MTU: 1404
    WAN Ignore DF Bit for non-VPN traffic: 1
    DHCP Server:
    Enable DHCP = 1
    Lease Period = 1440 minutes
    Range Start = 192.168.2.100
    Range End = 192.168.2.110
    Interface = LAN
    Default Gateway = 192.168.2.1
    Subnet Mask = 255.255.255.0
    Domain Name = <NULL>
    DNS Servers = 192.168.1.10

    Site-to-site VPN:
    Encrypt/Auth - ESP DES HMAC MD5
    Key Exchange: Manual Keys
    VPN Terminated at: LAN
    netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
    TunnelForAllOutboundTraffic off
    Authentication of local users off, Authentication of remote users off
    remote subnet for netbios 255.255.255.0
    destIP begin 192.168.2.1, end 192.168.2.254

    A site-to-site VPN between both Sonicwall TZ170 connects the Remote Office to the Main Office. All four PCs at the Remote Office authenticate across the VPN to the Windows Server 2003 domain controller. At the Remote Office, DNS is resolving to the domain controller across the VPN.

    Issue:

    All users use a Windows-based application that connects to a database on the Windows Server 2003 domain controller.

    There are not any performance issues in the Main Office. There are performance issues with clients accessing the database and copying/opening files from the server to the client PC over the VPN from the Remote Office.
    We ran a packet trace (netcap.exe on a Windows XP SP2 PC at the Remote Office and netmon.exe on the Windows Server 2003 domain controller) while copying a 12.7MB file from the server to the client PC. What we found is that the client PC at the Remote Office is repeatedly sending ACKs across the VPN tunnel to the domain controller, yet the domain controller is repeatedly sending ACKs across the VPN tunnel to the client PC.

    We do not know what's causing this issue. Sonicwall states that there's nothing wrong with their hardware or the VPN tunnel itself.

    Does anyone have any ideas?

    Thanks in advance!!

    Rob

    PS - I can send the packet trace capture files if needed. Just let me know.
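An added example (not code from the thread or from Sonicwall) that does two things a practitioner would check against the setup above: it counts duplicate ACKs and retransmissions in a trace, and it computes how large an ESP packet gets for the posted tunnel settings (tunnel-mode ESP, DES-CBC, HMAC-MD5-96, WAN MTU 1404) so you can tell which inner packets the firewall must fragment after encapsulation. The trace records, the client address 192.168.2.100 and the lost segment are constructed; the ESP header sizes are the standard ones.

```python
# Added example, not from the thread: check a trace for the "repeated ACKs"
# symptom and relate packet sizes to the posted tunnel settings.
from collections import defaultdict

# Standard tunnel-mode ESP layout: outer IPv4, SPI+seq, DES-CBC IV/block,
# pad-length + next-header trailer, HMAC-MD5-96 ICV (sizes in bytes).
OUTER_IP, ESP_HDR, DES_IV, DES_BLOCK, TRAILER, MD5_ICV = 20, 8, 8, 8, 2, 12

def esp_packet_size(inner_len):
    """Bytes on the wire for an ESP packet carrying an inner IP packet of inner_len bytes."""
    pad = (-(inner_len + TRAILER)) % DES_BLOCK      # pad so the encrypted part is a DES block multiple
    return OUTER_IP + ESP_HDR + DES_IV + inner_len + pad + TRAILER + MD5_ICV

def max_inner_packet(wan_mtu):
    """Largest inner IP packet that still fits the WAN MTU after encapsulation (no fragmentation)."""
    return max(n for n in range(wan_mtu) if esp_packet_size(n) <= wan_mtu)

def fragmented_after_encap(inner_len, wan_mtu):
    """True when the firewall would have to fragment the encapsulated packet."""
    return esp_packet_size(inner_len) > wan_mtu

def analyse_trace(records):
    """records: (src, dst, seq, ack, payload_len). Returns per-sender counts of duplicate ACKs
    (a pure ACK repeating the previous ACK number) and retransmissions (a data segment whose
    sequence number lies below the highest byte that sender already sent)."""
    last_ack, highest = {}, defaultdict(int)
    dup_acks, retrans = defaultdict(int), defaultdict(int)
    for src, dst, seq, ack, plen in records:
        flow = (src, dst)
        if plen == 0:
            if last_ack.get(flow) == ack:
                dup_acks[src] += 1
            last_ack[flow] = ack
        else:
            if seq < highest[flow]:
                retrans[src] += 1
            highest[flow] = max(highest[flow], seq + plen)
    return dict(dup_acks), dict(retrans)

# Constructed sample (server-side capture): 1460-byte segments from the DC, one of them lost.
SERVER, CLIENT = "192.168.1.10", "192.168.2.100"   # client address is assumed
SAMPLE = [
    (SERVER, CLIENT, 1, 1, 1460), (SERVER, CLIENT, 1461, 1, 1460),
    (SERVER, CLIENT, 2921, 1, 1460),                # assume lost after capture
    (CLIENT, SERVER, 1, 1461, 0), (CLIENT, SERVER, 1, 2921, 0),
    (SERVER, CLIENT, 4381, 1, 1460), (CLIENT, SERVER, 1, 2921, 0),   # duplicate ACK
    (SERVER, CLIENT, 5841, 1, 1460), (CLIENT, SERVER, 1, 2921, 0),   # duplicate ACK
    (SERVER, CLIENT, 2921, 1, 1460),                # retransmission
    (CLIENT, SERVER, 1, 7301, 0),
]

if __name__ == "__main__":
    print(analyse_trace(SAMPLE), max_inner_packet(1404), fragmented_after_encap(1500, 1404))
```

With the posted settings a 1500-byte inner packet (1460 bytes of TCP payload) encapsulates to 1552 bytes, above the 1404 WAN MTU, so every full-size segment is fragmented by the firewall and the loss of any fragment costs the whole segment.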

  2. #2
    SG Enthusiast twwabw
    Join Date
    Nov 2000
    Location
    LeRoy, NY, USA
    Posts
    2,472
    Hi-

    I'd like to see some specifics- namely
    - what is the bandwidth of the connection (both ways) at each site
    - what kind of performance specifically do you have during these file transfers?

    I see this is only a 768K pipe... yet you are running AD DNS to the clients over this pipe, as well as "a Windows-based application that connects to a database on the Windows Server 2003 domain controller". This is a lot of traffic- especially the database. I would imagine that runs like molasses. Databases can consume tremendous bandwidth, creating indexes, etc. Many accounting apps cause these same issues when trying to run them across VPNs. And, with no DC at that site, there's a lot of AD traffic running through that pipe.

    It's likely there is indeed nothing wrong with the VPN, but that you are just trying to pump too much through that pipe.

    Depending on what this DB app is, and whether it supports it, I would consider moving that to a terminal server. This approach moves the processing and data transmission burden away from the client workstation, and cuts traffic dramatically. You are then only transmitting screenshot data back and forth.

    I would also consider a Domain Controller at that site. You can then reduce AD traffic, and pretty much limit it to replication.

    My 2 cents.
    Observe everything...focus on nothing..

  3. #3
    Junior Member
    Join Date
    Jan 2005
    Posts
    2

    Try using iperf to get an idea of what is causing the bottleneck

    Iperf is an easy way to test bandwidth with two connections. It is also free at
    http://freshmeat.net/projects/iperf

  4. #4
    Junior Member
    Join Date
    Jan 2005
    Posts
    3
    Thanks to twwabw and dbell6809 for responding.

    At the Main Office, it currently has SBC's 768K SDSL service (768K upstream and downstream). At the Remote Office, it currently has a T1 circuit from Choice One, 768K used for data (both upstream and downstream) and the rest of the circuit is allocated for voice.

    Running the file transfer was just a general test. 4-5 minutes to copy a 12 MB file from the server to the client PC over the VPN tunnel is normal. We don't expect the file copy or the applications to run at wire speed, but at least to get better performance than what we're currently getting.

    The company is a small insurance firm and they do run two applications that have databases on the server. So yes, the applications run like molasses at the remote site. We have considered installing a DC at the remote site so that the traffic across the VPN isn't as bad and just have replication go across the VPN tunnel. Installing a Terminal Server is another option as well.

    On the logs on both Sonicwalls - we are seeing a lot of VPN TCP PSH, VPN TCP SYN, and VPN TCP FIN between the client PCs at the remote site and the server (on ports 1072, 8080, 135, 1186, 2009, 1060). It may be how the insurance applications are communicating across the VPN tunnel.

    Rob

  5. #5
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,919
    I would take the Terminal Server approach as TWW mentioned....run TS at the mothership, have the satellite offices run the app through Remote Desktop Connection...which barely needs any bandwidth to run (about 20k per session)

    The other scenario, such as I have set up for a health care client, is they have their satellite offices running a smaller "server" version of their scheduling and notes database...which does a "dexie" (data transfer) through the VPN to the mothership office throughout the day. The main office has the central server there, and the satellites, which have 3-4 PCs at each office, run their own small server on a peer to peer setup...and the servers communicate throughout the day with data exchanges, updating each other. This setup obviously needs the software to support this setup. (your database program people).

    The satellites run Outlook ==> Exchange through the Sonicwall tunnels just fine, the Exchange server being at the central office. However, I have the satellite offices doing just local workstation logons (peer to peer setup), I just create matching user accounts on the central server to allow access.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  6. #6
    Junior Member
    Join Date
    Jan 2005
    Posts
    3

    site-to-site VPN bandwidth utilization

    Does anyone know how much bandwidth is used to maintain a VPN tunnel if any?

  7. #7

    Need some advice in creating a VPN between 2 sites

    Hello guys,
    I need some help in creating a VPN connection between two sites.
    2 sites: head office and warehouse.

    The head office has 45 computers which are connected in workgroups (island strategy), 4 workgroups (admin, accounts, operations, marketing), in which there are 4 workgroup 8-port switches, each connected to a 24-port switch which is connected to an ADSL line via an ISP-managed modem router. As I am new to this job and to VPN, I feel I need to take some advice from the experts in the forums. Recently our company bought a warehouse somewhere outside London. I was told to connect the warehouse to the head office for the accounting and stock inventory process. As I have noticed that we haven't got any server in the head office, I am just wondering how I can achieve this VPN connection between our warehouse and head office. Can anyone please let me know how I can achieve this with or without a server. From this present situation, how can I get the
    two sites connected in a secure way via VPN, and what I need in terms of server,
    ISP requirements, IP addresses, routers etc. on both sites.

    One of my friends told me it is easy to set up terminal services. I have no idea what that means either. I've just finished college and I am in the job straight away, so no real hands-on experience, guys. I will be really thankful if anyone can help me out of this situation by any means for the problem I have. Thanks in advance.

  8. #8
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,919
    Well first we need to look at several things before jumping blindly into this.

    Warehouse needs to be connected to the office to do "what"? How many computers at the warehouse actually need to do something at the main office? Or vice versa?

    If there's some software package they need to run out there from the main office, does it even support running under TS?

    What kind of connection is at the main office? Rated speeds? Any upgrades available?

    What kind of connections are available at the warehouse?

    Can the same ISP the main office has connect the warehouse, and are they able to maintain the VPN 'tween the sites themselves? (Takes the load off of you)
    MORNING WOOD Lumber Company
    Guinness for Strength!!!
