
VPN Dropping Packets

We have a VPN set up between two facilities and our VPN traffic drops packets frequently. At the same time, when pinging outside of the VPN to the same network, there are no drops. The drops are enough to freeze or drop our Citrix sessions. Both firewalls are running the latest UTM 9.411-3. One side has a 100 Mbps connection, the other is 30 Mbps, both fiber. One is in the UK, the other is in the USA. I have about 20 users using the VPN for only Citrix traffic. There is plenty of bandwidth on both ends and we are not overusing the circuits. Is there a way to troubleshoot this issue or to resolve it? Thanks.



This thread was automatically locked due to age.
  • Hi,

    We have a UTM 9 on both ends. We use our own hardware and use their software. Both PCs are i3 with 4GB of memory. We are not even coming close to max utilization. 30/30Mbps with 15 users and 100/100Mbps with 60 users here. I have opened a trouble ticket with Sophos, but the issue doesn't happen continuously, so it is hard for them to troubleshoot it.

    Jae

  • Jas Man,

    I can confirm there is no VLAN or other devices with the same subnet on either end.  I have also confirmed that the drops don't happen on both ends at the same time.  The VPN is working 99% of the time so I can't believe something is configured wrong.  It either works or not but that 1% is just killing us with dropped or frozen Citrix/RDP connections.  Any other thoughts?

    Jae

  • I still think it's an Ethernet problem.  Maybe a dying switch?  I have a client of longstanding that used to use Linksys 24-port switches in their rack.  That ended long ago after they paid to have me out to help them with the UTM problem and showed them it was a dying switch.  When the second one died, they knew what to look for.  Cheap switches are for homes, not mission-critical office infrastructure.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I agree with you on the switches, but on our UK side I just bought a brand new Enterprise switch hoping it would fix the issue and it is still happening. I have not replaced the aging ones on this side, but it would not affect the drops they have internally on their side. Very strange.

    Jae

  • One dying switch would be possible. But he wrote that he has the problem on both sides. Two dying switches with the same effect at two different sides would also be possible, but in my opinion not very likely.

    The question is: do the UTMs have a problem which lets them freeze for some seconds (e.g. a problem with the Ethernet adapter/driver; same hardware on both sides = same problem on both sides), or does something else in your LAN have a problem, so that you can't reach the LAN interface of the UTM and therefore also not the other VPN side?

    What I would check:

    • Does the problem affect all clients on that side at the same time, or does it roam from one client to another?

    • Does the physical link of the UTM and/or client go down when the problem occurs?

    • Running a ping against the Internet, the other VPN side, another client in the LAN and the LAN interface, and logging the responses with date and time. After some outages have occurred, I would check if I can see a time pattern. It could help to understand what happened.

    • Running a TCPDUMP on the UTM or a client to check if something happens when the problem occurs.


  • Thank you Jas Man for all the tips.  I will check all of this over the weekend and see if I can narrow it down further.  I will post back next week.

  • Find attached my script for an endless ping to a host with log file.

    You can copy the batch as often as needed. Change the IP and Hostname in the first lines and start the batch. It will create a log file in .\Logs.

     

    Ping-O-mat.zip
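
The four-target ping check from the checklist earlier in the thread, and the timestamped logs a ping script like the one attached here produces, can be correlated to localise an intermittent fault. The following is an added example, not part of the thread or of the attached script; the log format, the target names and the verdict mapping are assumptions.

```python
# Constructed sample: one probe per line, "<date> <time> <target> <ok|timeout>".
# The target names are assumptions standing for the four ping targets in the checklist.
SAMPLE_LOG = """\
2017-03-04 10:00:00 internet ok
2017-03-04 10:00:00 remote_vpn ok
2017-03-04 10:00:00 lan_client ok
2017-03-04 10:00:00 utm_lan ok
2017-03-04 10:00:05 internet timeout
2017-03-04 10:00:05 remote_vpn timeout
2017-03-04 10:00:05 lan_client ok
2017-03-04 10:00:05 utm_lan timeout
2017-03-04 10:00:10 internet timeout
2017-03-04 10:00:10 remote_vpn timeout
2017-03-04 10:00:10 lan_client ok
2017-03-04 10:00:10 utm_lan timeout
2017-03-04 10:00:15 internet ok
2017-03-04 10:00:15 remote_vpn timeout
2017-03-04 10:00:15 lan_client ok
2017-03-04 10:00:15 utm_lan ok
"""

# Checked in order, seen from the probing LAN client: the nearest hop that
# stopped answering decides the verdict (an assumed reading of the checklist).
VERDICTS = [("lan_client", "local LAN (client link or switch)"),
            ("utm_lan", "UTM internal interface (NIC, cable or switch port)"),
            ("internet", "UTM WAN side or ISP"),
            ("remote_vpn", "VPN tunnel or remote side")]

def verdict(failed):
    """Name the likely fault location for a set of targets that timed out."""
    return next((text for target, text in VERDICTS if target in failed), "no loss")

def outage_windows(log):
    """Merge consecutive probe times with the same verdict into (start, end, verdict)."""
    failed = {}
    for line in filter(str.strip, log.splitlines()):
        ts, target, result = line.rsplit(None, 2)  # ISO timestamps sort as strings
        failed.setdefault(ts, set()).update([target] if result != "ok" else [])
    windows = []
    for ts, targets in sorted(failed.items()):
        label = verdict(targets)
        if windows and windows[-1][2] == label:
            windows[-1] = (windows[-1][0], ts, label)
        else:
            windows.append((ts, ts, label))
    return [w for w in windows if w[2] != "no loss"]

for start, end, label in outage_windows(SAMPLE_LOG):
    print(f"{start} to {end}: {label}")
```

Comparing the windows from both sites shows whether the two ends fail independently, and a window where only the UTM's LAN interface and everything behind it stop answering points at the firewall's internal NIC, cable or switch port rather than at the tunnel.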

  • Thank you guys for all the help on this issue. I just wanted to post the fix in case anyone else has this issue. It turns out both internal network cards on each side of the VPN were bad. Both cards were the same model Intel cards and installed at the same time. They both slowly were going bad and I thought, what are the odds that it could be both cards, but since they were the same age and model it is possible. No drops in over 24 hours with 2 new cards.

  • Thank you for informing us what the problem was.
    Strange that both cards were bad.

     

    Jas