VPN Dropping Packets

Hi, Jae, and welcome to the UTM Community!

What do you learn from doing #1 in Rulz?

Cheers - Bob

Thanks Bob!  I had Intrusion Prevention turned on, on both sides of the VPN.  I have turned them both off and will give it a shot over night and see how it does.

Jae

Did you check the logs?  I don't think disabling Intrusion Prevention will make a difference.  Please re-read #1.

Cheers - Bob

2017-02-15 Thanks, Jae for letting me know that I'd hit the "2" instead of the "1" key.

Bob, rule #2 is a broad description of how traffic is passed through the system. Traffic is passing through but occasionally packets are dropped or loss.  Using ping it can be one or two or 10 in a row then it comes back.  Sometimes it is choppy for a bit and at other times it is solid.  Pinging outside of the VPN there are no drops between sites so I know it is not the Internet on either side. I also know it is not our switches or local LAN otherwise there would be drops regardless of how the traffic came in.   I don't see anything in the logs as it is small drops here and there.

Jae

Jae, I meant #1.  Typo!  I'll correct my previous post - Thanks!

Cheers - Bob

Jae, I meant #1.  Typo!  I'll correct my previous post - Thanks!

Cheers - Bob

OK, Bob I have gone through rule #2 and I am still having problems.  I have now started continuous pings to google.com, our Firewall and our UK office Firewall (Internal numbers) and they all drop at the same time and come back up at the same time.  I have also done this on the other side and we get the same drops.  I can see the VPN route pings dropping but why would the firewall drop pings when I am sitting on the same network and it is happening on our other network as well? See screenshot. Your wisdom is needed!

Jae

The mystery deepens...

Off the top of my head, I wonder if there isn't an Ethernet loop somewhere that's creating an occasional network storm.  Maybe someone that brought in their own wireless router and has it plugged in incorrectly?

Cheers - Bob

My thoughts exactly Bob!  A phone, laptop, tablet or router with the same IP as our firewall.  Out of frustration I got a new PC, new network cards and reinstalled the UTM from scratch and restored our backup file to see if there is a hardware issue with our UTM.  I will let you know how it goes next week.

Cheers!

Jae

I don't think that it is a loop because the reply times of the pings are all good. From my experience the reponse time goes straight up when someone created a loop.

Referring to the posted informations it looks like a generally problem with the UTM. But you also wrote, that both sites have the same problem and that's pretty unusal. Are the problem occure on both sites at the same time? Means you can't ping the UTM LAN interface from within the same subnet/LAN on both sites at the same time? That would point to a VPN problem, like same configured subnet on both sites or something like that.

Jas Man,

I can confirm there is no VLAN or other devices with the same subnet on either end.  I have also confirmed that the drops don't happen on both ends at the same time.  The VPN is working 99% of the time so I can't believe something is configured wrong.  It either works or not but that 1% is just killing us with dropped or frozen Citrix/RDP connections.  Any other thoughts?

Jae

I still think it's an Ethernet problem.  Maybe a dying switch?  I have a client of longstanding that used to use Linksys 24-port switches in their rack.  That ended long ago after they paid to have me out to help them with the UTM problem and showed them it was a dying switch.  When the second one died, they knew what to look for.  Cheap switches are for homes, not mission-critical office infrastructure.

Cheers - Bob

Bob,

I agree with you on the switches but on our UK side I just bought a brand new Enterprise switch hoping it would fix the issue and it is still happening.  I have not replaced the aging ones on this side but it would not effect the drops they have internally on their side.  Very strange.

Jae

One dying switch would be possible. But he wrote that he has the problem on both sides. Two dying switches with the same effect at two different sides would be also possible, but in my opinion not very likely.

The question is, have the UTMs a problem which let them freeze for some seconds (e.g. problem with ethernet adapter/driver, same hardware on both sides=same problem on both sides), or has something else in your LAN a problem and because of that, you can't reach the LAN interface of the UTM and therefore also not the other VPN side.

What I would check:

• Affects the problem all clients at the side at the same time, or does it roam from one client to another?
  
  
• Goes the physical link of the UTM and/or client down when the problem occures?
  
  
• Running a ping against the Internet, the other VPN side, another client in the LAN and the LAN interface and logging the responses with date and time. After some outtages occured I would check if I can see a time pattern. It could help to understand what happend.
  
  
• Running a TCPDUMP on the UTM or a client to check if something happens when the problem occures.

Thank you Jas Man for all the tips.  I will check all of this over the weekend and see if I can narrow it down further.  I will post back next week.

Find attached my script for an endless ping to a host with log file.

You can copy the batch as often as needed. Change the IP and Hostname in the first lines and start the batch. It will create a log file in .\Logs.

Ping-O-mat.zip