dlazure
New Contributor III

traffic between the vpn tunnel is slow or get disconnected ( 3448 )


Hi

I have two sites connected with a 3448 at each location. The internet connection is a 10M DOWN / 1.5M UP and we established a VPN tunnel between the two routers. The actions the users need from site A to site B are:

- login/authentication on the server
- shared drives
- access to the Exchange server for Outlook
- access to SQL server

As we speak, the sessions are getting disconnected, the connection to the Exchange server is frequently lost and the traffic is very slow. Is the internet connection fast enough for the actions needed?

Is the VPN tunnel disconnecting?

I attached both config files.

Anonymous
Not applicable

Re: traffic between the vpn tunnel is slow or get disconnected ( 3448 )

Since you are using the firewall feature, you will want to put a rule in to allow the IPSEC tunnel traffic into the WAN of each 3448. What's likely happening now is that the tunnel is getting established through open ports and then the firewall is closing them. Add an ACL like this at each site and apply it to your policy. You could also filter by the specific ISAKMP port (500) and ESP protocol that are used, but since your other site should be a trusted host this is just easier.

ip access-list extended Allow_IPSEC_IN
  remark other site's WAN
  permit ip host x.x.x.1 any

ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1
  allow list Allow_IPSEC_IN self
  nat destination list web-acl-3 address 192.168.123.5
  allow list web-acl-4 self

I would like to make a few recommendations too. I would suggest using AES encryption instead of 3DES. It is more secure and has better performance than 3DES. I would also recommend specifying source networks in the "ip access-list extended web-acl-4" admin access list if you can, to limit the exposure of your admin ports to the internet. I also see that you have IP Flow enabled as well as RTP monitoring. Depending on how much traffic your sites do, this could load the CPU and lead to throughput issues because of a lack of resources.

I hope this helps.  If it doesn't, then you may need to run a debug and let us know what is happening on each router when the tunnel drops out. 
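An added example, not part of the reply above and not ADTRAN tooling: a Python check for the recommendation about web-acl-4, listing permit entries with source `any` in ACLs that a policy-class applies with `self`. The sample config is constructed in the style of the thread's snippets; the web-acl-4 entries and all addresses are assumptions.

```python
import re

# Constructed sample in the style of the thread's snippets. The web-acl-4
# entries and all addresses are assumptions; the thread never shows them.
SAMPLE_CONFIG = """\
ip access-list extended Allow_IPSEC_IN
  permit ip host 203.0.113.1 any
ip access-list extended web-acl-4
  remark admin access
  permit tcp any any eq https log
  permit tcp host 198.51.100.7 any eq ssh log
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1
  allow list Allow_IPSEC_IN self
  allow list web-acl-4 self
"""

def parse_blocks(config):
    """Return ({acl_name: [entries]}, {policy_name: [entries]})."""
    acls, policies, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        acl = re.match(r"ip access-list extended (\S+)$", line)
        pol = re.match(r"ip policy-class (\S+)$", line)
        if acl:
            current = acls.setdefault(acl.group(1), [])
        elif pol:
            current = policies.setdefault(pol.group(1), [])
        elif raw[:1].isspace() and line and current is not None:
            current.append(line)      # indented line belongs to the open block
        else:
            current = None            # any other top-level line closes it
    return acls, policies

def open_self_rules(config, policy="Public"):
    """Permit entries with source 'any' in ACLs the policy applies with 'self'."""
    acls, policies = parse_blocks(config)
    findings = []
    for entry in policies.get(policy, []):
        applied = re.match(r"allow list (\S+) self$", entry)
        if not applied:
            continue
        for rule in acls.get(applied.group(1), []):
            tokens = rule.split()     # permit <protocol> <source> ...
            if tokens[0] == "permit" and len(tokens) > 2 and tokens[2] == "any":
                findings.append((applied.group(1), rule))
    return findings

if __name__ == "__main__":
    print(*open_self_rules(SAMPLE_CONFIG), sep="\n")
```

On the constructed sample, the peer-only Allow_IPSEC_IN list and the host-restricted ssh entry pass, and only the https entry open to any source is reported.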

dlazure
New Contributor III

Re: traffic between the vpn tunnel is slow or get disconnected ( 3448 )

Hi

I don’t understand this line:

nat destination list web-acl-3 address 192.168.123.5

Why do I need to add this?

From: petersjncv
Sent: May-15-14 10:33 AM
To: dominic lazure
Subject: Re: - traffic between the vpn tunnel is slow or get disconnected ( 3448 )

Anonymous
Not applicable

Re: traffic between the vpn tunnel is slow or get disconnected ( 3448 )

That line was in your original configuration file titled "georgebizet" attached above.

Here is the matching ACL.  This looks like a nat port forward for mail service.

ip access-list extended web-acl-3
  remark mail
  permit tcp any any eq smtp log
  permit tcp any any eq pop3 log
  permit tcp any eq 143 any eq 143 log

The config example I pasted was just sampled from your config but it wasn't the whole thing.  I was just trying to show you where you would want to put the Allow IPSEC list.  Here is how you want your policy to look (based upon the current config).

ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1
  allow list Allow_IPSEC_IN self
  allow list web-acl-4 self
  nat destination list web-acl-3 address 192.168.123.5
  nat destination list web-acl-5 address 192.168.123.5
  nat destination list web-acl-6 address 192.168.123.5
  nat destination list web-acl-9 address 192.168.123.20
  nat destination list web-acl-10 address 192.168.123.50
  nat destination list web-acl-11 address 192.168.123.5

Anonymous
Not applicable

Re: traffic between the vpn tunnel is slow or get disconnected ( 3448 )

I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor