
Site-to-site VPN Issues


xsnoopy61x

Technical User
Jan 5, 2005
1
US
Here's the setup:

Main Office

Server:
Windows Server 2003 domain controller
IP address: 192.168.1.10
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1
Services: Active Directory, DNS, DHCP

Clients:
Mixture of PCs running Windows 2000 Professional with SP3 and Windows XP Professional with SP2

Network:
Dell 16-port switch
SBC 768K SDSL

Firewall:
Sonicwall TZ170 Internet Security Appliance
LAN IP = 192.168.1.1
LAN Subnet Mask = 255.255.255.0
Firmware version: SonicOS Standard 2.2.0.1
Revision: 2.2.0_pp_8s $
ROM version 2.0.0.3
Previous firmware version: 2.0.0.2
Fragment outbound packets larger than WAN MTU: 1
WAN MTU: 1404
CP Wan MTU: 1404
WAN Ignore DF Bit for non-VPN traffic: 1

Site-to-site VPN:
Encrypt/Auth - ESP DES HMAC MD5
Key Exchange: Manual Keys
VPN Terminated at: LAN
netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
TunnelForAllOutboundTraffic off
Authentication of local users off, Authentication of remote users off
remote subnet for netbios 255.255.255.0
destIP begin 192.168.2.1, end 192.168.2.254



Remote Office

Clients:
4 Dell PCs running Windows XP Professional with SP2

Network:
Belkin 8-port 10/100 hub
Choice One 768K SDSL

Firewall:
Sonicwall TZ170 Internet Security Appliance
LAN IP = 192.168.2.1
LAN Subnet Mask = 255.255.255.0
Firmware version: SonicOS Standard 2.2.0.1
Revision: 2.2.0_pp_8s $
ROM version 2.0.0.3
Previous firmware version: 2.0.0.2
Fragment outbound packets larger than WAN MTU: 1
WAN MTU: 1404
CP Wan MTU: 1404
WAN Ignore DF Bit for non-VPN traffic: 1
DHCP Server:
Enable DHCP = 1
Lease Period = 1440 minutes
Range Start = 192.168.2.100
Range End = 192.168.2.110
Interface = LAN
Default Gateway = 192.168.2.1
Subnet Mask = 255.255.255.0
Domain Name = <NULL>
DNS Servers = 192.168.1.10

Site-to-site VPN:
Encrypt/Auth - ESP DES HMAC MD5
Key Exchange: Manual Keys
VPN Terminated at: LAN
netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
TunnelForAllOutboundTraffic off
Authentication of local users off, Authentication of remote users off
remote subnet for netbios 255.255.255.0
destIP begin 192.168.2.1, end 192.168.2.254

A site-to-site VPN between both Sonicwall TZ170 connects the Remote Office to the Main Office. All four PCs at the Remote Office authenticate across the VPN to the Windows Server 2003 domain controller. At the Remote Office, DNS is resolving to the domain controller across the VPN.

Issue:

All users use a Windows-based application that connects to a database on the Windows Server 2003 domain controller. There are not any performance issues in the Main Office. There are performance issues with clients accessing the database and copying/opening files from the server to the client PC over the VPN from the Remote Office.

We ran a packet trace (netcap.exe on a Windows XP SP2 PC at the Remote Office and netmon.exe on the Windows Server 2003 domain controller) while copying a 12.7MB file from the server to the client PC. What we found is that the client PC at the Remote Office is repeatedly sending ACKs across the VPN tunnel to the domain controller, and the domain controller is repeatedly sending ACKs across the VPN tunnel to the client PC.

We do not know what's causing this issue. Sonicwall states that there's nothing wrong with their hardware or the VPN tunnel itself.

Does anyone have any ideas?

Thanks in advance!!

Rob

PS - I can send the packet trace capture files if needed. Just let me know.
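Whether the repeated ACKs Rob saw are ordinary ACK clocking or a sign of lost segments is something a packet analyser separates by counting duplicate ACKs (a pure ACK repeating the previous ACK number from the same host) and retransmissions (a data segment whose sequence number that host already sent). The Python below is an added example, not the poster's trace or any code from the thread: it runs that check over a constructed list of packet summaries for a server-to-client file copy. Only the two addresses come from the thread's configuration; the sequence numbers and segment sizes are made up, and the names `analyse` and `verdict` are this example's own.

```python
"""Duplicate-ACK and retransmission counter for a TCP packet summary.

Added example (not from the thread): the poster's netcap/netmon traces would be
exported to a summary like this; here the packets are a constructed list of
dicts so the check runs offline.
"""
from collections import defaultdict

SERVER = "192.168.1.10"   # Main Office domain controller (address from the thread)
CLIENT = "192.168.2.100"  # first address of the Remote Office DHCP range

# Constructed sample of a server-to-client copy. Segment sizes and sequence
# numbers are invented; only the addresses come from the thread.
SAMPLE = [
    {"src": CLIENT, "dst": SERVER, "seq": 1,    "ack": 1,    "len": 100},   # read request
    {"src": SERVER, "dst": CLIENT, "seq": 1,    "ack": 101,  "len": 1380},
    {"src": SERVER, "dst": CLIENT, "seq": 1381, "ack": 101,  "len": 1380},  # lost on the way
    {"src": SERVER, "dst": CLIENT, "seq": 2761, "ack": 101,  "len": 1380},
    {"src": SERVER, "dst": CLIENT, "seq": 4141, "ack": 101,  "len": 1380},
    {"src": CLIENT, "dst": SERVER, "seq": 101,  "ack": 1381, "len": 0},     # acks segment 1
    {"src": CLIENT, "dst": SERVER, "seq": 101,  "ack": 1381, "len": 0},     # dup ACK 1
    {"src": CLIENT, "dst": SERVER, "seq": 101,  "ack": 1381, "len": 0},     # dup ACK 2
    {"src": CLIENT, "dst": SERVER, "seq": 101,  "ack": 1381, "len": 0},     # dup ACK 3
    {"src": SERVER, "dst": CLIENT, "seq": 1381, "ack": 101,  "len": 1380},  # retransmission
    {"src": CLIENT, "dst": SERVER, "seq": 101,  "ack": 5521, "len": 0},     # all data acked
]


def analyse(packets):
    """Count data segments, retransmissions, pure ACKs and duplicate ACKs per direction.

    A duplicate ACK is a payload-less segment repeating the previous ACK number
    from the same sender; a retransmission is a data segment whose sequence
    number that sender already put on the wire.
    """
    last_ack = {}
    sent_seq = defaultdict(set)
    stats = defaultdict(lambda: {"data": 0, "retrans": 0, "pure_ack": 0, "dup_ack": 0})
    for p in packets:
        flow = (p["src"], p["dst"])
        s = stats[flow]
        if p["len"] > 0:
            s["data"] += 1
            if p["seq"] in sent_seq[flow]:
                s["retrans"] += 1
            sent_seq[flow].add(p["seq"])
        else:
            s["pure_ack"] += 1
            if last_ack.get(flow) == p["ack"]:
                s["dup_ack"] += 1
        last_ack[flow] = p["ack"]
    return {f"{src}->{dst}": dict(v) for (src, dst), v in stats.items()}


def verdict(stats, sender, receiver):
    """Interpret the counts for a transfer flowing from sender to receiver."""
    fwd = stats.get(f"{sender}->{receiver}", {})
    rev = stats.get(f"{receiver}->{sender}", {})
    retrans = fwd.get("retrans", 0)
    data = fwd.get("data", 0)
    dups = rev.get("dup_ack", 0)
    if retrans == 0 and dups == 0:
        return "no loss visible: repeated ACKs are normal ACK clocking"
    pct = 100.0 * retrans / data if data else 0.0
    return (f"{dups} duplicate ACKs from {receiver} and {retrans}/{data} segments "
            f"({pct:.1f}%) retransmitted by {sender}: segments are being lost on the "
            "path; check MTU/fragmentation and packet loss across the tunnel")


if __name__ == "__main__":
    s = analyse(SAMPLE)
    for flow, counts in s.items():
        print(flow, counts)
    print(verdict(s, SERVER, CLIENT))
```

The distinction matters for Rob's observation: a receiver acknowledging every segment it gets is normal, and so is the server acknowledging the client's requests; what indicates a problem is the same ACK number arriving several times while the sender re-sends a sequence number it already transmitted.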
 
Nothing is wrong with the Sonicwall...

VPN connections are not generally high speed. Opening a small Word document or Excel spreadsheet is about the limit of VPN without a large broadband pipe and a VPN device or server with a fast processor; a TZ170 is not such a device, and 768k is a tiny pipe.

Look into Terminal Services: set up a Terminal Server at the main office, and you will have no problems with the speed of Word, Excel, or a database application. Running a database application over your present setup will cause corruption.
 
xsnoopy61x,

Have you resolved your issues with this? I am trying to configure a site-to-site VPN with 2 TZ 170s, and can't seem to get it to work. Would you be able to offer any assistance with the setup?

thanks in advance
 
Check your MTU size as well. If your MTU is 1500 (windows default, I think) then the packets will get fragmented. This is due to the encapsulation of the packet in the VPN wrapper. Drop the MTU size down to about 1440 on all machines and see if that makes a difference.

Technome is right though - going Terminal services/Citrix is the ONLY way to go.
 
With Rob's setup, the routers are OK, but I missed the fact that the main office and the remotes are on the same subnet. For the VPN to work, the remote MUST be on a different subnet or the devices become confused. If the main office is on a 192.168.2.0 network, the remote would need to be on, for example, a 192.168.3.0 subnet. Sorry I missed that.


With the TZ, I have had a problem with the last one I tried to setup due to a firmware revision, which the client did not renew with Sonic, thus the unit was at a 2 1/2 year old version.

Castor66 makes a good point: every broadband line on both sides of the connection needs the correct MTU size set in the router for optimal transmission and connection stability, sometimes even for the ability to connect. Nice tool at the link below. The correct MTU size keeps routers along the route from dropping packets. A quick check for packet loss is to use the pathping command to a machine across the VPN tunnel.
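The MTU advice from Castor66 and Technome can be checked arithmetically against the tunnel parameters in Rob's configuration dump: ESP in tunnel mode, DES-CBC (8-byte block and IV), HMAC-MD5 (96-bit, 12-byte ICV) and a WAN MTU of 1404 on both TZ170s. The Python below is an added example, not code from the thread or from SonicWall; the framing constants are those of the ESP packet format (RFC 2406/4303: 8-byte SPI/sequence header, IV, padding to the cipher block size, 2-byte pad-length/next-header trailer, ICV) and it assumes no UDP NAT-traversal encapsulation, which a manual-key tunnel would not use. The function names, the AES/SHA1 comparison suite and the host MTU values tried are this example's own. One point worth noting from the arithmetic: with a 1404-byte WAN MTU, a 1440-byte host MTU still produces 1496-byte ESP packets, which the "Fragment outbound packets larger than WAN MTU" setting will split; a 1440 figure fits a 1500-byte WAN link, while Rob's link needs an inner MTU of about 1350.

```python
"""ESP tunnel-mode size arithmetic for the tunnel described in this thread.

Added example, not code from the thread or from SonicWall. Constants follow
the ESP packet format (RFC 2406/4303). Assumes no UDP NAT-traversal
encapsulation (manual keys, no NAT-T).
"""

# DES-CBC: 8-byte block and IV (RFC 2405); HMAC-MD5-96: 12-byte ICV (RFC 2403).
DES_MD5 = {"block": 8, "iv_len": 8, "icv_len": 12}
# AES-CBC / HMAC-SHA1-96 for comparison (assumed suite, not in the thread).
AES_SHA1 = {"block": 16, "iv_len": 16, "icv_len": 12}

OUTER_IP = 20     # outer IPv4 header added in tunnel mode
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


def esp_size(inner_len, block, iv_len, icv_len, udp_encap=0):
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    # Padding makes (payload + trailer) a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP + udp_encap + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def max_inner_mtu(wan_mtu, suite):
    """Largest inner IP packet whose encapsulation fits wan_mtu without fragmentation."""
    for n in range(wan_mtu, 0, -1):
        if esp_size(n, **suite) <= wan_mtu:
            return n
    return 0


def plan(host_mtu, wan_mtu, suite=DES_MD5, target="192.168.1.10"):
    """Report whether host_mtu-sized packets fragment and what MTU/MSS fits instead."""
    wire = esp_size(host_mtu, **suite)
    inner = max_inner_mtu(wan_mtu, suite)
    probe = inner - 28   # ICMP echo payload = inner MTU - 20 (IP) - 8 (ICMP)
    return {
        "wire_bytes": wire,
        "fragments": wire > wan_mtu,
        "inner_mtu": inner,
        "tcp_mss": inner - 40,   # IPv4 + TCP headers without options
        # Windows ping: -f sets Don't Fragment, -l is the payload size.
        "ping_check": f"ping -f -l {probe} {target}",
    }


if __name__ == "__main__":
    # 1500 = Windows default, 1440 = value suggested above, 1350 = what fits 1404.
    for host in (1500, 1440, 1350):
        print(host, plan(host, 1404))
```

The `ping_check` string is the do-not-fragment probe to run from a Remote Office PC: if a 1322-byte payload to 192.168.1.10 gets through with DF set and a larger one does not, the 1350 inner MTU is confirmed for that path. Lowering the MTU on the Windows hosts (or the TCP MSS) to what `plan` reports avoids every server-to-client segment being split into two ESP packets, which is one common source of the loss and retransmission pattern seen in the trace.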

 
In location 1 the subnet is 192.168.1.0 (static IP) and in location 2 the subnet is 192.167.1.0 (dynamic) and set to aggressive mode. I changed the unique firewall identifier (under the VPN tab) for both appliances, one the corporate hub and one the remote spoke. I did not change the SA name though.
Are these names supposed to match within the appliance (the SA and the UF)?

Prior to doing this I had Global VPN configured for some of my remote users, and now that does not work either. I think it might be related to changing the UF name and not modifying it in the Global VPN rule. I am now not able to remote to the appliance and will need to go to the actual office and console into it from the LAN.

any assistance appreciated,
 