VPN - Re: 3-site VPN implementation w/Terminal Server - Netopia update


Author Re: 3-site VPN implementation w/Terminal Server - Netopia update
Mike Drechsler - SPAM PROTECTED EMAIL

2005-10-24, 9:35 am

Vince wrote:
> Well Mike, I thought I was OK, but I'm still having trouble.
>
> I re-created the tunnels between the 2 problem endpoints (Sites A and
> B), and things seemed to work nicely. Phase 2 re-negotiations took
> only a handful of attempts. For the past 5 days or so, the tunnels
> have been stable, with the phase 2's renegotiating successfully as
> scheduled (every 4 hours.) Then just this morning, I ran into the same
> problem again with the A-B tunnel, with phase 2 failing repeatedly
> (endless "Phase 2 complete" messages) for several hours. I rebooted
> the router at Site B and the tunnels re-established after about 90
> seconds. Connections and IP traffic between sites A and B have been
> fine for the past 3 hours; hopefully the next phase 2 re-negotiation
> won't barf.
>
> I'm at my wits' end with this. The tunnels out of Site C have been
> rock-solid since inception. The A-B tunnel settings at Sites A and B
> are identical (and different from the A-C and B-C settings). I have
> done a 'show config' dump and checked everything line by line.
> Furthermore, the IKE and Connection Profile settings for the A-B tunnel
> match the A-C and B-C settings (though unique from the other 2 tunnels
> in name, IKE Profile, and password).
>
> Netopia online chat help would not offer any VPN configuration
> assistance; they referred me to their fee-based production support
> offerings (consistent with their website's advertised support policy
> regarding VPNs).
>
> The only common issue I can think of at this point is that Sites A and
> B both have an ISP connection requiring PPPOE underlying encapsulation
> even though they have fixed IP addresses. Site C (the oldest) for some
> reason, even though under the same provider (SBC), does not utilize
> PPPOE at all.
>
> Any thoughts?
>


PPPoE doesn't exist around here. Every provider where I live is either
DHCP or manual hardcoded IP. If there is a problem with the PPPoE side
of things I would have never seen it because of this.

You could try playing around with any available MTU settings if PPPoE is
involved.

Though it doesn't seem likely that there is a network problem if these
sites can communicate with the other router without problems but you
should check the network between the two sites. Do ping tests with large
packet sizes and the do not fragment bit set. Do these tests while
transferring increasing amounts of data back and forth and see how it
behaves.

If these 2 sites do not communicate with each other frequently or
require high bandwidth you could route all traffic through your "site C"
location.

You could consider paying Netopia for their VPN setup service and if
they find a bug in the router firmware you get a refund. Ask them if
they will refund the money if they fail to get a reliable connection.
It's not like they charge an excessive amount for the service. (Less
than a typical consultant visit)


On the extreme end of things you could configure a test network. There
are ways of using Linux to create your very own pppoe server and make a
test to determine if it's the routers or the network causing the problem.



--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
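
The DF-bit ping test suggested in the post above, as an added example that is not part of the original thread: a binary search for the largest ICMP payload that crosses the path unfragmented. It assumes a Linux host with iputils `ping` (`-M do` sets the do-not-fragment bit); the helper names and the simulated link are constructed for illustration.

```python
#!/usr/bin/env python3
"""Find the largest unfragmented ICMP payload to a peer (path MTU probe)."""
import subprocess
import sys

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP header
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol ID


def ping_df(host, payload):
    """Send one echo request with DF set (assumes Linux iputils ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def largest_payload(probe, low=0, high=1472):
    """Binary-search the largest payload for which probe(payload) succeeds.

    Returns None if even the smallest payload fails (peer unreachable).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits, look for something larger
        else:
            high = mid - 1     # mid was dropped, look lower
    return low


def path_mtu(probe):
    """Convert the largest passing payload into an IP-level path MTU."""
    payload = largest_payload(probe)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


def simulated_path(mtu):
    """Constructed stand-in for a real link: passes packets up to `mtu`."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:      # real probe against the host given as argument
        mtu = path_mtu(lambda size: ping_df(sys.argv[1], size))
    else:                      # offline demo: Ethernet link carrying PPPoE
        mtu = path_mtu(simulated_path(1500 - PPPOE_OVERHEAD))
    print("path MTU:", mtu)
```

Run it from each site against the other site's router, once on an idle link and again during a bulk transfer, and compare the results; a value below 1492 on the PPPoE sites leaves less room for IPsec overhead than the tunnel settings may assume.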
Copyright 2003 - 2008 webservertalk.com