[125957] in North American Network Operators' Group


Re: VPN over Comcast

daemon@ATHENA.MIT.EDU (James M Keller)
Tue Apr 27 14:54:25 2010

Date: Tue, 27 Apr 2010 14:51:06 -0400
From: James M Keller <jmkeller@houseofzen.org>
To: nanog@nanog.org
In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA4001A16D06@abn-borg2.NETABN.LOCAL>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 4/27/2010 1:42 PM, Michael Malitsky wrote:
> I will probably be laughed at, but I'll ask just in case.
>
> We are having particularly bad luck trying to run VPN tunnels over
> Comcast cable in the Chicago area.  The symptoms are basically complete
> loss of connectivity (lasting minutes to sometimes hours), or sometimes
> flapping for a period of time.  More often than not, a reboot of the
> cable modem is required.  The most interesting ones involve the
> following: a PIX or ASA configured as an EZvpn client, connecting to a
> 3000 concentrator, authentication over RADIUS.  When I go to look at the
> RADIUS logs, I see connections from the same box with small intervals.
> Timeout is 8 hours, so theoretically I should see 3 connections in a
> 24-hr period.  In some cases, I see dozens, in the most egregious cases,
> thousands over a 24-hour period.  I am taking that as an indicator of a
> really unstable Comcast circuit.  We have not had this problem with any
> other ISP, anywhere in the country.
> I am pretty much down to telling customers to find another provider...
>
> Any thoughts or ideas on the matter will be appreciated.
>
> PS.  To be fair (?) to Comcast, this is not a ubiquitous problem.  It
> affects about 25% of the installations I get to see.
>
> Sincerely,
> Michael Malitsky

I ran into issues in various Comcast-serviced regions with SSL VPN over
tcp-443. From testing we started getting drops or severe rate limits
on the flow after 7-10 minutes. Best guess was it was anti-p2p
systems throttling encrypted/unknown protocol traffic after a set
timer. Disconnecting and reconnecting pushed performance back up to
normal until the timer kicked in again. We ended up setting the SSL
tunnel to re-key via new sessions every 5 minutes to keep the flow
shorter than the observed timer intervals. Other than running into a
Cisco AnyConnect client bug (the app would steal focus at the re-keys),
this worked around the issue on Comcast and even for some FiOS end users.

-- 
---
James M Keller
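The original post uses the RADIUS log as the indicator: with an 8-hour session timeout, a healthy client should show about three session starts per day, so dozens or thousands point at the circuit rather than the VPN. The script below turns that rule of thumb into a check that can be run over an accounting log. It is an added example, not code from either poster; the log format is a constructed, simplified one (timestamp, client, event) and would need a different parser for real RADIUS accounting records such as FreeRADIUS detail files.

```python
"""Flag VPN clients that reconnect far more often than their session
timeout can explain, using session-start records from a RADIUS-style log.

Added example, not part of the NANOG thread.  The log format below is a
constructed, simplified one; real RADIUS accounting output looks different
and needs its own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_WINDOW = timedelta(hours=24)   # period the poster reasons about
SESSION_TIMEOUT = timedelta(hours=8)   # the concentrator's session timeout
SLACK = 2                              # extra reconnects tolerated before flagging

# Constructed sample: 10.0.0.5 reconnects only at the 8-hour timeout,
# 10.0.0.9 flaps every few minutes the way the poster describes.
SAMPLE_LOG = """\
2010-04-27T00:00:10 client=10.0.0.5 event=Start
2010-04-27T08:00:12 client=10.0.0.5 event=Start
2010-04-27T16:00:15 client=10.0.0.5 event=Start
2010-04-27T00:00:05 client=10.0.0.9 event=Start
2010-04-27T00:03:40 client=10.0.0.9 event=Start
2010-04-27T00:04:10 client=10.0.0.9 event=Start
2010-04-27T00:09:55 client=10.0.0.9 event=Start
2010-04-27T00:12:01 client=10.0.0.9 event=Start
2010-04-27T00:12:01 client=10.0.0.9 event=Stop
2010-04-27T00:20:30 client=10.0.0.9 event=Start
"""


def parse_log(text):
    """Return {client: [session start times, sorted]} from the constructed format.
    Stop records and blank lines are ignored; only starts count as reconnects."""
    starts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        fields = dict(f.split("=", 1) for f in parts[1:])
        if fields.get("event") != "Start":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        starts[fields["client"]].append(ts)
    for ts_list in starts.values():
        ts_list.sort()
    return dict(starts)


def expected_connections(window, session_timeout):
    """Session starts a healthy client needs in `window` when the only
    reason to reconnect is the timeout: ceil(window / session_timeout)."""
    return -(-window // session_timeout)


def flag_unstable(starts, window=DEFAULT_WINDOW,
                  session_timeout=SESSION_TIMEOUT, slack=SLACK):
    """Return {client: (start_count, median_gap_seconds)} for clients whose
    number of session starts within `window` of their first start exceeds
    the timeout-driven expectation by more than `slack`.  The median gap
    between starts shows how fast the circuit is flapping."""
    expected = expected_connections(window, session_timeout)
    flagged = {}
    for client, ts_list in starts.items():
        if not ts_list:
            continue
        window_end = ts_list[0] + window
        in_window = [t for t in ts_list if t < window_end]
        count = len(in_window)
        if count > expected + slack:
            gaps = sorted((b - a).total_seconds()
                          for a, b in zip(in_window, in_window[1:]))
            flagged[client] = (count, gaps[len(gaps) // 2])
    return flagged


if __name__ == "__main__":
    for client, (count, median_gap) in flag_unstable(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {count} session starts in 24h, "
              f"median gap {median_gap:.0f}s (expected about "
              f"{expected_connections(DEFAULT_WINDOW, SESSION_TIMEOUT)})")
```

The threshold is deliberately loose: a couple of extra starts per day (a reboot, a manual reconnect) is normal, so only clients well above the expected count are reported, and the median gap between starts separates a circuit dropping every few minutes from one with a single bad hour.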


