nanog mailing list archives

Re: VPN over Comcast


From: James M Keller <jmkeller () houseofzen org>
Date: Tue, 27 Apr 2010 14:51:06 -0400

On 4/27/2010 1:42 PM, Michael Malitsky wrote:
I will probably be laughed at, but I'll ask just in case.

We are having particularly bad luck trying to run VPN tunnels over
Comcast cable in the Chicago area.  The symptoms are basically complete
loss of connectivity (lasting minutes to sometimes hours), or sometimes
flapping for a period of time.  More often than not, a reboot of the
cable modem is required.  The most interesting ones involve the
following: a PIX or ASA configured as an EZvpn client, connecting to a
3000 concentrator, authentication over RADIUS.  When I go to look at the
RADIUS logs, I see connections from the same box with small intervals.
Timeout is 8 hours, so theoretically I should see 3 connections in a
24-hr period.  In some cases, I see dozens, in the most egregious cases,
thousands over a 24-hour period.  I am taking that as an indicator of a
really unstable Comcast circuit.  We have not had this problem with any
other ISP, anywhere in the country.
I am pretty much down to telling customers to find another provider...

Any thoughts or ideas on the matter will be appreciated.

PS.  To be fair (?) to Comcast, this is not a ubiquitous problem.  It
affects about 25% of the installations I get to see.

Sincerely,
Michael Malitsky




I ran into issues in various Comcast serviced regions with SSL VPN over tcp-443. From testing we started getting drops or severe rate limits on the flow after 7-10 minutes. Best guess was it was anti-p2p systems throttling encrypted/unknown protocol traffic after a set timer. Disconnecting and reconnecting pushed performance back up to normal until the timer kicked in again. We ended up setting the SSL tunnel to re-key via new sessions every 5 minutes to keep the flow shorter than the observed timer intervals. Other than running into a Cisco AnyConnect client bug (the app would steal focus at the re-keys), this worked around the issue on Comcast and even some FiOS end users.

--
---
James M Keller
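The diagnostic Michael describes (comparing the number of RADIUS authentications per client against what the session timeout should produce) is easy to automate. The script below is an added example, not code from either poster: it parses a constructed, simplified RADIUS-style log (the line format, client names and timestamps are all made up for the illustration), counts Access-Accepts per client inside a 24-hour window, records the shortest gap between successive connections, and flags clients that reconnect far more often than one-per-timeout explains. The expected count is window // timeout, matching the "3 connections in a 24-hr period" arithmetic above; the slack of two extra connections is an assumed tolerance for legitimate reboots.

```python
"""Flag VPN clients whose RADIUS authentication rate points at an unstable circuit.

Added example. The log format below is constructed for illustration and does
not correspond to any particular NAS or RADIUS server's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(hours=8)   # the 8-hour timeout from the thread
WINDOW = timedelta(hours=24)

# Constructed sample lines: "<date> <time> <result> client=<id>".
# site-a reconnects once per timeout (healthy); site-b flaps.
SAMPLE_LOG = """\
2010-04-26 00:05:11 Access-Accept client=site-a
2010-04-26 08:05:14 Access-Accept client=site-a
2010-04-26 16:05:17 Access-Accept client=site-a
2010-04-26 00:02:00 Access-Accept client=site-b
2010-04-26 00:09:30 Access-Accept client=site-b
2010-04-26 00:10:50 Access-Reject client=site-b
2010-04-26 00:11:02 Access-Accept client=site-b
2010-04-26 01:40:45 Access-Accept client=site-b
2010-04-26 05:12:09 Access-Accept client=site-b
2010-04-26 13:00:00 Access-Accept client=site-b
2010-04-26 21:33:21 Access-Accept client=site-b
"""


def parse_log(text):
    """Return {client: sorted list of datetime} for Access-Accept lines only.

    Rejects and malformed lines are skipped; only successful authentications
    count as a (re)connection.
    """
    sessions = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "Access-Accept":
            continue
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        client = parts[3].split("=", 1)[1]
        sessions[client].append(stamp)
    for times in sessions.values():
        times.sort()
    return sessions


def expected_connections(window, timeout):
    """Connections a stable circuit produces in `window`: one per timeout expiry."""
    return window // timeout


def analyze(text, window=WINDOW, timeout=SESSION_TIMEOUT, slack=2):
    """Return {client: (count_in_window, shortest_gap_seconds, flagged)}.

    count_in_window counts accepts from the client's first accept onward,
    shortest_gap_seconds is the smallest interval between two accepts (None
    if only one), and flagged is True when count exceeds expected + slack.
    """
    limit = expected_connections(window, timeout) + slack
    report = {}
    for client, times in parse_log(text).items():
        in_window = [t for t in times if t - times[0] < window]
        gaps = [(b - a).total_seconds() for a, b in zip(in_window, in_window[1:])]
        shortest = min(gaps) if gaps else None
        count = len(in_window)
        report[client] = (count, shortest, count > limit)
    return report


if __name__ == "__main__":
    for client, (count, shortest, flagged) in sorted(analyze(SAMPLE_LOG).items()):
        status = "UNSTABLE" if flagged else "ok"
        print(f"{client}: {count} accepts in 24h, shortest gap {shortest}s -> {status}")
```

Run against a real accounting or authentication export, the shortest-gap column separates the two failure modes in the thread: a circuit that drops for minutes to hours shows gaps on the order of the outage length, while flapping shows gaps of seconds. Clients that hit the flag threshold are the ones worth pulling modem logs for before blaming the VPN configuration.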
