4 Replies Latest reply on Jul 11, 2014 8:43 AM by noor

    traffic between the vpn tunnel is slow or get disconnected ( 3448 )

    dlazure New Member


      Hi

       

      I have two sites connected with a 3448 at each location. The internet connection is 10M down / 1.5M up and we established a VPN tunnel between the two routers. The actions the users need from site A to site B are:

      - login/authentication on the server

      - shared drives

      - access to the exchange server for outlook

      - access to SQL server

      As we speak, the sessions are getting disconnected, the connection to the exchange server is frequently lost and the traffic is very slow. Is the internet connection fast enough for the actions needed?

      Is the VPN tunnel disconnecting?

      I attached both config files.

        • Re: traffic between the vpn tunnel is slow or get disconnected ( 3448 )
          petersjncv Visitor

          Since you are using the firewall feature, you will want to put a rule in to allow the IPSEC tunnel traffic into the WAN of each 3448. What's likely happening now is that the tunnel is getting established through open ports and then the firewall is closing them. Add an ACL like this at each site and apply it to your policy. You could also filter by the specific ISAKMP port (500) and ESP protocol that are used, but since your other site should be a trusted host this is just easier.

          ip access-list extended Allow_IPSEC_IN
            permit ip host x.x.x.1 any    (other site's WAN)

          ip policy-class Public
            allow reverse list VPN-10-vpn-selectors1
            allow list Allow_IPSEC_IN self
            nat destination list web-acl-3 address 192.168.123.5
            allow list web-acl-4 self

          I would like to make a few recommendations too. I would suggest using AES encryption instead of 3DES. It is more secure and has better performance than 3DES. I would also recommend specifying source networks in the "ip access-list extended web-acl-4" admin access list if you can to limit the exposure of your admin ports to the internet. I also see that you have IP Flow enabled as well as RTP monitoring. Depending on how much traffic your sites do, this could load the CPU and lead to throughput issues because of a lack of resources.

           

          I hope this helps.  If it doesn't, then you may need to run a debug and let us know what is happening on each router when the tunnel drops out. 
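          To make the point above concrete, here is a constructed Python model (added here, not ADTRAN code and not from this thread) that walks a policy-class the way the reply describes: without an allow entry for the peer, its ISAKMP, NAT-T and ESP packets reach nothing in the policy and fall through to the implicit discard. The peer address, the web-acl-4 contents, and the first-match / implicit-discard semantics are assumptions.

```python
# Constructed model of how an AOS "ip policy-class" is walked for an inbound packet.
# Not ADTRAN code: it assumes entries are tried in order, the first ACL match
# decides, and traffic matching no entry hits the policy-class's implicit discard.
from typing import NamedTuple, Optional

class Pkt(NamedTuple):
    src: str                 # outer source IP as seen on the WAN
    proto: str               # "udp", "tcp", "esp", ...
    dport: Optional[int] = None

# Access-control entries: (protocol, source host or "any", destination port or None)
PEER_WAN = "203.0.113.1"     # constructed stand-in for the other site's WAN (x.x.x.1)
ACLS = {
    "Allow_IPSEC_IN": [("ip", PEER_WAN, None)],              # permit ip host x.x.x.1 any
    "web-acl-3": [("tcp", "any", 25), ("tcp", "any", 110), ("tcp", "any", 143)],
    "web-acl-4": [("tcp", "any", 443)],                      # assumed admin ACL content
}

# The "allow reverse list VPN-10-vpn-selectors1" entry matches decrypted tunnel
# traffic, not the outer ISAKMP/ESP packets, so it is left out of this model.
POLICY_BEFORE = [
    ("nat destination list", "web-acl-3", "address 192.168.123.5"),
    ("allow list", "web-acl-4", "self"),
]
POLICY_AFTER = [("allow list", "Allow_IPSEC_IN", "self")] + POLICY_BEFORE

def _match(ace, pkt):
    proto, src, dport = ace
    return (proto in ("ip", pkt.proto)
            and src in ("any", pkt.src)
            and (dport is None or dport == pkt.dport))

def evaluate(policy, pkt, acls=ACLS):
    """Return the verdict for pkt, e.g. "allow self" or "nat address 192.168.123.5"."""
    for action, acl_name, target in policy:
        if any(_match(ace, pkt) for ace in acls[acl_name]):
            return f"{action.split()[0]} {target}"
    return "discard (implicit)"

def tunnel_verdicts(policy):
    """Verdicts for the three packet types the peer needs to reach this router."""
    probes = {"isakmp": Pkt(PEER_WAN, "udp", 500),     # IKE
              "nat-t": Pkt(PEER_WAN, "udp", 4500),     # IKE/ESP behind NAT
              "esp": Pkt(PEER_WAN, "esp")}             # tunnel data
    return {name: evaluate(policy, p) for name, p in probes.items()}

if __name__ == "__main__":
    print("before:", tunnel_verdicts(POLICY_BEFORE))
    print("after: ", tunnel_verdicts(POLICY_AFTER))
```

Note that because Allow_IPSEC_IN permits all IP from the peer and sits first, mail from the peer's WAN address is handed to self rather than port-forwarded; the narrower ISAKMP/ESP-only ACL mentioned above avoids that side effect.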

            • Re: traffic between the vpn tunnel is slow or get disconnected ( 3448 )
              dlazure New Member

              Hi

              I don’t understand this line:

              nat destination list web-acl-3 address 192.168.123.5

              Why do I need to add this?


                • Re: traffic between the vpn tunnel is slow or get disconnected ( 3448 )
                  petersjncv Visitor

                  That line was in your original configuration file titled "georgebizet" attached above.

                  Here is the matching ACL.  This looks like a nat port forward for mail service.

                  ip access-list extended web-acl-3
                    remark mail
                    permit tcp any any eq smtp log
                    permit tcp any any eq pop3 log
                    permit tcp any eq 143 any eq 143 log

                  The config example I pasted was just sampled from your config but it wasn't the whole thing.  I was just trying to show you where you would want to put the Allow IPSEC list.  Here is how you want your policy to look (based upon the current config).

                  ip policy-class Public
                    allow reverse list VPN-10-vpn-selectors1
                    allow list Allow_IPSEC_IN self
                    allow list web-acl-4 self
                    nat destination list web-acl-3 address 192.168.123.5
                    nat destination list web-acl-5 address 192.168.123.5
                    nat destination list web-acl-6 address 192.168.123.5
                    nat destination list web-acl-9 address 192.168.123.20
                    nat destination list web-acl-10 address 192.168.123.50
                    nat destination list web-acl-11 address 192.168.123.5

                    • Re: traffic between the vpn tunnel is slow or get disconnected ( 3448 )
                      Employee

                      dlazure -

                      I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                       

                      Thanks,

                      Noor