[125953] in North American Network Operators' Group
Re: VPN over Comcast
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Apr 27 14:40:19 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <E85AB110-67D0-4FF7-905E-AD24A984A9F9@dragondata.com>
Date: Tue, 27 Apr 2010 11:36:46 -0700
To: Kevin Day <toasty@dragondata.com>
Cc: Michael Malitsky <malitsky@netabn.com>, nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 27, 2010, at 10:48 AM, Kevin Day wrote:
>
> On Apr 27, 2010, at 12:42 PM, Michael Malitsky wrote:
>
>> I will probably be laughed at, but I'll ask just in case.
>>
>> We are having particularly bad luck trying to run VPN tunnels over
>> Comcast cable in the Chicago area. The symptoms are basically complete
>> loss of connectivity (lasting minutes to sometimes hours), or sometimes
>> flapping for a period of time. More often than not, a reboot of the
>> cable modem is required. The most interesting ones involve the
>> following: a PIX or ASA configured as an EZvpn client, connecting to a
>> 3000 concentrator, authentication over RADIUS. When I go to look at the
>> RADIUS logs, I see connections from the same box with small intervals.
>> Timeout is 8 hours, so theoretically I should see 3 connections in a
>> 24-hr period. In some cases, I see dozens, in the most egregious cases,
>> thousands over a 24-hour period. I am taking that as an indicator of a
>> really unstable Comcast circuit. We have not had this problem with any
>> other ISP, anywhere in the country.
>> I am pretty much down to telling customers to find another provider...
>>
>> Any thoughts or ideas on the matter will be appreciated.
>>
>> PS. To be fair (?) to Comcast, this is not a ubiquitous problem. It
>> affects about 25% of the installations I get to see.
>>
>> Sincerely,
>> Michael Malitsky
>>
>>
>
> We experienced the same thing, and switching from UDP tunnels to TCP tunnels fixed it. There are two things at play here.
>
> 1) The SMC modem/router that they insist you use for their "Small Business" cable internet service seems to have trouble with very high rates of non-TCP traffic going through its NAT.
>
If you have business class service, insist that they put the cable modem in BRIDGE-ONLY mode. This will resolve this issue and eliminate the unnecessary NAT.

> 2) Comcast rate limits non-TCP traffic somewhere on their network.
>
Comcast rate limits traffic in general. TCP is not less rate limited than anything else in my experience.
Owen
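Michael's RADIUS observation above (an 8-hour timeout should produce about 3 re-authentications per client per day, not dozens) can be turned into a quick check over the accounting log. This is an added example, not code from the thread; the log layout, user names and addresses are constructed, and the field names only loosely follow RADIUS attribute names, so the regex must be adapted to a real server's format.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified accounting lines: one stable client (site-a) that
# re-authenticates only when the 8-hour timeout expires, and one flapping
# client (site-b) that reconnects within minutes of its previous session.
SAMPLE_LOG = """\
2010-04-26 00:01:12 Acct-Status-Type=Start User-Name=site-a NAS-IP-Address=203.0.113.5
2010-04-26 00:03:40 Acct-Status-Type=Start User-Name=site-b NAS-IP-Address=203.0.113.5
2010-04-26 00:05:02 Acct-Status-Type=Stop User-Name=site-b NAS-IP-Address=203.0.113.5
2010-04-26 00:05:31 Acct-Status-Type=Start User-Name=site-b NAS-IP-Address=203.0.113.5
2010-04-26 00:09:17 Acct-Status-Type=Start User-Name=site-b NAS-IP-Address=203.0.113.5
2010-04-26 08:01:20 Acct-Status-Type=Start User-Name=site-a NAS-IP-Address=203.0.113.5
2010-04-26 13:44:03 Acct-Status-Type=Start User-Name=site-b NAS-IP-Address=203.0.113.5
2010-04-26 13:45:10 Acct-Status-Type=Start User-Name=site-b NAS-IP-Address=203.0.113.5
2010-04-26 16:01:33 Acct-Status-Type=Start User-Name=site-a NAS-IP-Address=203.0.113.5
2010-04-26 22:30:55 Acct-Status-Type=Start User-Name=site-b NAS-IP-Address=203.0.113.5
"""

# Only session Start records count as a (re)connection; Stop records are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Acct-Status-Type=Start .*User-Name=(?P<user>\S+)"
)
SESSION_TIMEOUT = timedelta(hours=8)   # re-auth timeout quoted in the thread
WINDOW = timedelta(hours=24)           # period over which starts are counted


def session_starts(log_text):
    """Map user -> sorted list of session start times parsed from the log."""
    starts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            starts[m["user"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return {user: sorted(times) for user, times in starts.items()}


def flapping_clients(log_text, window=WINDOW, timeout=SESSION_TIMEOUT, slack=1):
    """Return {user: (starts_in_window, expected, shortest_gap)} for clients whose
    session starts exceed what the timeout alone explains. `slack` extra starts
    are tolerated, e.g. one deliberate reboot during the window."""
    expected = math.ceil(window / timeout)   # 24h / 8h -> 3 per day
    flagged = {}
    for user, times in session_starts(log_text).items():
        count = sum(1 for t in times if t < times[0] + window)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        shortest = min(gaps) if gaps else None
        if count > expected + slack:
            flagged[user] = (count, expected, shortest)
    return flagged
```

A shortest gap of a minute or two between consecutive starts, as site-b shows, is the "small intervals" symptom and points at the circuit or CPE rather than at the concentrator.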