VPN - Site-to-site VPN Issue


Author: rpaz61@gmail.com

2005-01-05, 5:45 pm

Here's the setup:

Main Office

Server:
Windows Server 2003 domain controller
IP address: 192.168.1.10
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1
Services: Active Directory, DNS, DHCP

Clients:
Mixture of PCs running Windows 2000 Professional with SP3 and Windows
XP Professional with SP2

Network:
Dell 16-port switch
SBC 768K SDSL

Firewall:
Sonicwall TZ170 Internet Security Appliance
LAN IP = 192.168.1.1
LAN Subnet Mask = 255.255.255.0
Firmware version: SonicOS Standard 2.2.0.1
Revision: 2.2.0_pp_8s $
ROM version 2.0.0.3
Previous firmware version: 2.0.0.2
Fragment outbound packets larger than WAN MTU: 1
WAN MTU: 1404
CP Wan MTU: 1404
WAN Ignore DF Bit for non-VPN traffic: 1

Site-to-site VPN:
Encrypt/Auth - ESP DES HMAC MD5
Key Exchange: Manual Keys
VPN Terminated at: LAN
netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
TunnelForAllOutboundTraffic off
Authentication of local users off, Authentication of remote users off
remote subnet for netbios 255.255.255.0
destIP begin 192.168.2.1, end 192.168.2.254

Remote Office

Clients:
4 Dell PCs running Windows XP Professional with SP2

Network:
Belkin 8-port 10/100 hub
Choice One 768K SDSL

Firewall:
Sonicwall TZ170 Internet Security Appliance
LAN IP = 192.168.2.1
LAN Subnet Mask = 255.255.255.0
Firmware version: SonicOS Standard 2.2.0.1
Revision: 2.2.0_pp_8s $
ROM version 2.0.0.3
Previous firmware version: 2.0.0.2
Fragment outbound packets larger than WAN MTU: 1
WAN MTU: 1404
CP Wan MTU: 1404
WAN Ignore DF Bit for non-VPN traffic: 1
DHCP Server:
Enable DHCP = 1
Lease Period = 1440 minutes
Range Start = 192.168.2.100
Range End = 192.168.2.110
Interface = LAN
Default Gateway = 192.168.2.1
Subnet Mask = 255.255.255.0
Domain Name = <NULL>
DNS Servers = 192.168.1.10

Site-to-site VPN:
Encrypt/Auth - ESP DES HMAC MD5
Key Exchange: Manual Keys
VPN Terminated at: LAN
netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
TunnelForAllOutboundTraffic off
Authentication of local users off, Authentication of remote users off
remote subnet for netbios 255.255.255.0
destIP begin 192.168.2.1, end 192.168.2.254

A site-to-site VPN between both Sonicwall TZ170 connects the Remote
Office to the Main Office. All four PCs at the Remote Office
authenticate across the VPN to the Windows Server 2003 domain
controller. At the Remote Office, DNS is resolving to the domain
controller across the VPN.

Issue:

All users use a Windows-based application that connects to a database
on the Windows Server 2003 domain controller. There are not any
performance issues in the Main Office. There are performance issues
with clients accessing the database and copying/opening files from the
server to the client PC over the VPN from the Remote Office.

We ran a packet trace (netcap.exe on a Windows XP SP2 PC at the Remote
Office and netmon.exe on the Windows Server 2003 domain controller)
while copying a 12.7MB file from the server to the client PC. What we
found is that the client PC at the Remote Office is repeatedly sending
ACKs across the VPN tunnel to the domain controller and the domain
controller is yet the domain controller is repeatedly sending ACKs
across the VPN tunnel to the client PC.

We do not know what's causing this issue. Sonicwall states that
there's nothing wrong with their hardware or the VPN tunnel itself.

Does anyone have any ideas?

Thanks in advance!!

Rob

PS - I can send the packet trace capture files if needed. Just let me
know.

Mike Drechsler - SPAM PROTECTED EMAIL

2005-01-05, 5:45 pm

rpaz61@gmail.com wrote:
> Here's the setup:

SNIP
> Network:
> SBC 768K SDSL

SNIP
> All users use a Windows-based application that connects to a database
> on the Windows Server 2003 domain controller. There are not any
> performance issues in the Main Office. There are performance issues
> with clients accessing the database and copying/opening files from the
> server to the client PC over the VPN from the Remote Office.
>
> We ran a packet trace (netcap.exe on a Windows XP SP2 PC at the Remote
> Office and netmon.exe on the Windows Server 2003 domain controller)
> while copying a 12.7MB file from the server to the client PC. What we
> found is that the client PC at the Remote Office is repeatedly sending
> ACKs across the VPN tunnel to the domain controller and the domain
> controller is yet the domain controller is repeatedly sending ACKs
> across the VPN tunnel to the client PC.
>
> We do not know what's causing this issue. Sonicwall states that
> there's nothing wrong with their hardware or the VPN tunnel itself.
>
> Does anyone have any ideas?
>
> Thanks in advance!!
>
> Rob
>
> PS - I can send the packet trace capture files if needed. Just let me
> know.


So you have a 0.7 Mbit connection that you are comparing to your
internal 100Mbit connection and you notice that it's slower. Wow,
that's shocking.

> What we
> found is that the client PC at the Remote Office is repeatedly sending
> ACKs across the VPN tunnel to the domain controller and the domain
> controller is yet the domain controller is repeatedly sending ACKs
> across the VPN tunnel to the client PC.


You also notice that the client and server send TCP acknowledge
messages. So what? That's not an issue, that's how the TCP protocol
works. You mangled the sentence though so you might have intended to
say something else.


How long does it actually take to transfer that 12.7MB file? If it's
less than 5 minutes then you have nothing to complain about. A
768Kbit/s connection would take a minimum of about 3 minutes but doing a
direct copy over Microsoft SMB protocol file sharing often adds a bit of
overhead plus whatever anyone else is doing on the connection at the
time. The routers you are using should handle an encrypted tunnel at
the wire speed without any artificially induced slowdown. There is some
overhead when encrypting but it's not big and has a larger effect on
latency. How much bandwidth does your database application use for a
typical session? If this is a custom database application has your
programmer optimized the queries to use as little bandwidth as possible?
Is the database maybe doing too many small queries so the response
time becomes an issue? Can the client application cache some of the
database responses to cut down on the delay and traffic?

Maybe I'm missing something but what you describe is exactly what you
should expect. If you need to do things that require database access
then you might be better off with a Terminal server setup at your main
office for the remote users to use. If you combine Microsoft Terminal
services with Citrix presentation server you can make it very similar to
running the application on the local machine.


--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
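A worked version of the throughput arithmetic in the reply above, as an added example that is not part of the original thread: it models the per-packet overhead of the "ESP DES HMAC MD5" tunnel against the WAN MTU of 1404 from both TZ170 configs, finds the largest inner packet that still fits (and shows that a standard 1500-byte LAN packet does not), and gives the lower bound on transfer time for the 12.7 MB file over the 768 kbit/s SDSL link. Field sizes follow the ESP RFCs; treating 12.7 MB as 12,700,000 bytes is an assumption.

```python
# Added example (not from the original thread): ESP tunnel-mode overhead for
# ESP DES-CBC + HMAC-MD5-96 against the thread's WAN MTU of 1404 and 768K SDSL.
# Sizes follow RFC 2406 (ESP), RFC 2405 (DES-CBC, explicit IV), RFC 2403 (HMAC-MD5-96).

IP_HDR = 20            # outer IPv4 header added in tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
DES_IV = 8             # explicit DES-CBC initialisation vector
DES_BLOCK = 8          # DES-CBC block size; payload + trailer is padded to it
ESP_TRAILER = 2        # pad length (1) + next header (1)
HMAC_MD5_96_ICV = 12   # truncated HMAC-MD5 integrity check value
LINK_BPS = 768_000     # 768K SDSL at both sites
WAN_MTU = 1404         # "WAN MTU: 1404" from both TZ170 configs
IP_TCP_HDRS = 40       # inner IPv4 (20) + TCP (20) headers, no options

def esp_tunnel_size(inner_len: int) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet whose inner IP
    packet is inner_len bytes, with DES-CBC and HMAC-MD5-96."""
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // DES_BLOCK) * DES_BLOCK   # round up to block size
    return IP_HDR + ESP_HDR + DES_IV + padded + HMAC_MD5_96_ICV

def max_inner_for_mtu(wan_mtu: int = WAN_MTU) -> int:
    """Largest inner IP packet that still fits wan_mtu after encapsulation.
    Anything larger trips 'Fragment outbound packets larger than WAN MTU'."""
    inner = wan_mtu
    while esp_tunnel_size(inner) > wan_mtu:
        inner -= 1
    return inner

def goodput_fraction(inner_len: int) -> float:
    """Share of wire bytes that is TCP payload for a full inner segment."""
    return (inner_len - IP_TCP_HDRS) / esp_tunnel_size(inner_len)

def min_transfer_seconds(file_bytes: int, inner_len: int,
                         link_bps: int = LINK_BPS) -> float:
    """Lower bound for pushing file_bytes of TCP payload through the tunnel.
    Ignores ACKs on the return path, SMB framing, retransmissions and RTT,
    so a real copy over the link takes longer than this."""
    wire_bytes = file_bytes / goodput_fraction(inner_len)
    return wire_bytes * 8 / link_bps

if __name__ == "__main__":
    inner = max_inner_for_mtu()
    print(f"largest inner packet that fits MTU {WAN_MTU}: {inner} bytes")
    print(f"a 1500-byte LAN packet becomes {esp_tunnel_size(1500)} bytes on the wire")
    # 12.7 MB taken as 12,700,000 bytes (assumption)
    print(f"floor for the 12.7 MB copy: {min_transfer_seconds(12_700_000, inner):.0f} s")
```

Compare the printed floor with the measured copy time from the trace: a result close to it means the link is the limit, while a much larger one points at fragmentation, retransmissions or per-request round trips.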