[125944] in North American Network Operators' Group
Re: VPN over Comcast
daemon@ATHENA.MIT.EDU (Kevin Day)
Tue Apr 27 13:49:09 2010
From: Kevin Day <toasty@dragondata.com>
In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA4001A16D06@abn-borg2.NETABN.LOCAL>
Date: Tue, 27 Apr 2010 12:48:26 -0500
To: "Michael Malitsky" <malitsky@netabn.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 27, 2010, at 12:42 PM, Michael Malitsky wrote:
> I will probably be laughed at, but I'll ask just in case.
>
> We are having particularly bad luck trying to run VPN tunnels over
> Comcast cable in the Chicago area. The symptoms are basically complete
> loss of connectivity (lasting minutes to sometimes hours), or sometimes
> flapping for a period of time. More often than not, a reboot of the
> cable modem is required. The most interesting ones involve the
> following: a PIX or ASA configured as an EZvpn client, connecting to a
> 3000 concentrator, authentication over RADIUS. When I go to look at the
> RADIUS logs, I see connections from the same box with small intervals.
> Timeout is 8 hours, so theoretically I should see 3 connections in a
> 24-hr period. In some cases, I see dozens, in the most egregious cases,
> thousands over a 24-hour period. I am taking that as an indicator of a
> really unstable Comcast circuit. We have not had this problem with any
> other ISP, anywhere in the country.
> I am pretty much down to telling customers to find another provider...
>
> Any thoughts or ideas on the matter will be appreciated.
>
> PS. To be fair (?) to Comcast, this is not a ubiquitous problem. It
> affects about 25% of the installations I get to see.
>
> Sincerely,
> Michael Malitsky
>
>
We experienced the same thing, and switching from UDP tunnels to TCP tunnels fixed it. There are two things at play here.
1) The SMC modem/router that they insist you use for their "Small Business" cable internet service seems to have trouble with very high rates of non-TCP traffic going through its NAT.
2) Comcast rate limits non-TCP traffic somewhere on their network.
Tunneling TCP inside TCP is a bad idea, but actually made the VPNs useful for us. Using IPSEC or UDP tunnels left us with tunnels that were rate limited to about 1mbps each way, until either the modem crashed or their network throttled us down to near useless speeds. I don't know if they're trying to stop customers from DoS'ing people or... exactly what the goal of it is, and couldn't ever get them to explain anything.
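As an added example that is not part of this thread, the check Michael describes doing by hand over the RADIUS logs: count Access-Accept entries per client and flag any client whose busiest 24-hour window holds far more re-authentications than an 8-hour session timeout would produce. The log line format and the sample lines are constructed assumptions, not any vendor's real output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real vendor format): ISO timestamp, RADIUS
# result, then key=value attributes. site-a re-authenticates every 8 hours as
# expected; site-b re-authenticates every few minutes, the pattern in the post.
SAMPLE_LOG = """\
2010-04-26T00:00:12 Access-Accept user=site-a nas=203.0.113.10
2010-04-26T08:00:15 Access-Accept user=site-a nas=203.0.113.10
2010-04-26T16:00:09 Access-Accept user=site-a nas=203.0.113.10
2010-04-26T00:01:02 Access-Accept user=site-b nas=198.51.100.7
2010-04-26T00:04:40 Access-Accept user=site-b nas=198.51.100.7
2010-04-26T00:05:11 Access-Accept user=site-b nas=198.51.100.7
2010-04-26T00:09:58 Access-Accept user=site-b nas=198.51.100.7
2010-04-26T01:12:33 Access-Accept user=site-b nas=198.51.100.7
2010-04-26T02:40:00 Access-Reject user=site-b nas=198.51.100.7
2010-04-26T03:15:21 Access-Accept user=site-b nas=198.51.100.7
2010-04-26T05:58:47 Access-Accept user=site-b nas=198.51.100.7
"""

SESSION_TIMEOUT = timedelta(hours=8)   # the 8-hour timeout from the post
WINDOW = timedelta(hours=24)           # period over which to count

def parse_accepts(log_text):
    """Return {user: [timestamps]} built from Access-Accept lines only."""
    accepts = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "Access-Accept":
            continue                  # rejects and malformed lines are skipped
        attrs = dict(p.split("=", 1) for p in parts[2:])
        accepts[attrs["user"]].append(datetime.fromisoformat(parts[0]))
    return accepts

def flag_unstable(log_text, factor=2):
    """Return {user: (peak accepts in any 24h window, flagged)}; a stable
    client re-authenticates WINDOW / SESSION_TIMEOUT = 3 times a day, so
    more than factor * 3 accepts in one window is flagged."""
    expected = WINDOW // SESSION_TIMEOUT   # 3
    report = {}
    for user, stamps in parse_accepts(log_text).items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        report[user] = (peak, peak > factor * expected)
    return report
```

On real logs, feed the file contents to flag_unstable() and tune factor to the noise level you observe; a flagged site is a candidate for the circuit problems discussed above rather than a credential issue.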