Topic: Mysterious random WAN connection dropouts...  (Read 2770 times)
« on: July 20, 2010, 19:02:19 »
joespower *
Posts: 11

Hi All,

I have several remote offices running Soekris boxes and m0n0, which we've set up to maintain an IPSec VPN back to our HQ.  All traffic is routed back through the tunnel.  However, we have a mix of 1.2 and 1.3 versions, and I'm only having trouble out of the 2 1.3 m0n0s...

At the 2 offices in question, they required wireless G support, so we had no choice but to upgrade to 1.3 (not that we really fought it, but we would have left well enough alone if not for the need for wireless).  So, we installed 1.3x, an Atheros mini-PCI card and antennas, and set up the VPN and firewall.  Everything seems to work just fine...

Last month, I started getting complaints from these 2 offices that their fat-client applications would sometimes bomb out, and everything pointed to connectivity issues.  I went to one of the locations and ran a bunch of tests, along with the ISP, and we eliminated the ISP as the issue.  What was interesting was if I ran a continuous ping from the remote back to an application server on our end, the ping would occasionally fail for about 10 seconds, and then start right back up.  That's just long enough to kick back a DB error on our application.  The errors are experienced on both wired and wireless clients.  So, if we use pretty much the same VPN parameters between all the sites, it's not a wireless or hardware issue, it's not the ISP, and these are the only 2 sites having the problem, it's got to be the software, right?

Can anyone help me pinpoint and correct this?  At the location I tested from, I did upgrade the firmware to 1.32, and I would be happy to provide more info if it is needed...

Thanks!
« Reply #1 on: August 03, 2010, 17:05:18 »
omar.palma *
Posts: 11

Hi... something similar was happening to me...

I installed m0n0 1.32 and had problems keeping a stable connection to services like MSN, Skype, web pages, etc.

I ran a diagnostic tool called Ping Plotter and detected a regular drop of the channel. After testing and discarding every step of the connection (UTP patch cords, NIC, SW), the problem was solved by downgrading to the 1.2x version...
« Reply #2 on: August 03, 2010, 17:09:15 »
CSchwadorf *
Posts: 12

I had the same problem a few versions back with 1.3x. After trying many, many things with my ISP I finally solved the problem by blocking all ICMPv4 traffic on my WAN interface. No more disconnects since then.
« Reply #3 on: August 03, 2010, 17:23:13 »
omar.palma *
Posts: 11

If you close all your ICMP, how do you keep your server in a monitoring device program like SNMPc or a Cacti server???
« Reply #4 on: August 03, 2010, 18:22:23 »
CSchwadorf *
Posts: 12

My monitoring is only SNMP based and works perfectly well over IPSec VPN. In my personal opinion, SNMP over an unencrypted WAN link isn't a good idea...
« Reply #5 on: August 04, 2010, 17:18:27 »
Lee Sharp *****
Posts: 517

It may be a vpn timeout.  What is the lifetime?  What are your negotiation settings?  Pulling a new key can take a few seconds...

I would start by trying to find out if it is the wan connection falling over, or just the vpn.
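
One way to separate the two cases suggested in the reply above, as an added example that is not part of the original thread: probe one host outside the tunnel and one through it, label each tunnel outage by whether the WAN probe failed at the same time, and check whether the tunnel-only outages recur at the SA lifetime. The probe data is constructed, all names are hypothetical, and the 3600-second lifetime is an assumed value (the thread never states one).

```python
ASSUMED_LIFETIME = 3600  # seconds; assumed value, not stated in the thread

def sample_probes():
    """Constructed data: one probe every 5 s to a host outside the tunnel
    ('wan') and to a host reached through the IPsec tunnel ('vpn')."""
    rows = []
    for ts in range(0, 7500, 5):
        wan_down = 5000 <= ts < 5020                      # whole link drops
        vpn_down = wan_down or 3600 <= ts < 3610 or 7200 <= ts < 7210
        rows.append((ts, "wan", not wan_down))
        rows.append((ts, "vpn", not vpn_down))
    return rows

def outages(samples, target):
    """Return (first_lost, last_lost) windows of consecutive lost probes."""
    windows, start, last = [], None, None
    for ts, tgt, ok in sorted(samples):
        if tgt != target:
            continue
        if not ok:
            start = ts if start is None else start
            last = ts
        elif start is not None:
            windows.append((start, last))
            start = None
    if start is not None:                                 # outage still open
        windows.append((start, last))
    return windows

def classify(samples):
    """Label each tunnel outage 'wan' if the WAN probe was failing during
    the same window, otherwise 'vpn-only'."""
    wan = outages(samples, "wan")
    labelled = []
    for s, e in outages(samples, "vpn"):
        shared = any(ws <= e and we >= s for ws, we in wan)
        labelled.append((s, e, "wan" if shared else "vpn-only"))
    return labelled

def rekey_suspect(labelled, lifetime, tolerance=30):
    """True when every gap between vpn-only outages matches the lifetime."""
    starts = [s for s, _, kind in labelled if kind == "vpn-only"]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return bool(gaps) and all(abs(g - lifetime) <= tolerance for g in gaps)

if __name__ == "__main__":
    result = classify(sample_probes())
    print(result, rekey_suspect(result, ASSUMED_LIFETIME))
```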
« Reply #6 on: September 09, 2010, 18:13:23 »
joespower *
Posts: 11

I'm actually on-site with this issue today if anyone wants to weigh in.  I tried disabling ICMP via the firewall and that hasn't helped, nor has off-loading all the web traffic from the connection, so I'm still working on it.  Looking into the VPN stuff now...
 