Greetings,
I am posting this here and in Cisco's forum. Cisco client 4.0.5.D connecting to a Cisco VPN concentrator. My local site's original ISP connection method is a Trango bridged wireless link.
The problem that is occurring is the tunnel is going down intermittently. The effects are loss of communication over the tunnel and the client starts sending DPD packets to no avail. The tunnel does not appear to time out. I have to click disconnect and then reconnect to re-establish the tunnel. Working with the site that is hosting the concentrator, they have made the claim that the problem is our wireless link. We do have mild to moderate packet loss and here is their conclusion.
Packet loss greatly affects IPSEC traffic and can cause the failure of IPSEC tunnels in this manner. At first I laughed and thought this idea was not technically reasonable. There of course is packet loss over the Internet and people use IPSEC tunnels all over the place.
Well, to appease corporate, my site installed a cable wired connection and I directed the clients who use the Cisco VPN through that link. To my amazement, I appear to no longer have the problem.
Is it true that IPSEC is severely affected by mild to moderate packet loss? I would have thought that packet fragmentation and the reassembly thereof has no effect on packet encryption. Does IPSEC decryption have to be in a certain order, and if packets get dropped this issue occurs?
I feel that IPSEC should be able to be used over bridged wireless with packet loss and that there is a technical bug or problem with the equipment that is being used. I feel that my problem is more related to MTU size but I can't technically specify where an MTU problem would be.
Any ideas?
Jason