All on one switch (Bad VPN performance)

pcunix

I have a customer who has made a mess: 2 WANs and a LAN all mixed on the same switch, no VLANs. The funny (well, not really funny) thing is that the switch is VLAN capable! It wouldn't help, though, as he also has dual-homed machines (public and private NICs) that are on other switches but connected back to the rest with one wire.

Aside from anything else, it makes debugging problems very difficult because if you turn on "packets dropped for some reason" it is just choked with junk.

And of course we have problems (which is how I found out about the mixed switch). Two site-to-site VPNs, one of which works well and the other with horrible performance. At either end of the horribly performing VPN, Internet speed tests are as expected, but performance across the VPN crawls.

It's making my head hurt, and of course the poor IT guy's bosses are climbing down his throat and up from another direction. I wrote up more details at http://aplawrence.com/Kerio/antispoofing.html - if anyone has any advice on how to get to the root of this problem, please post here or there.

As a big storm is bearing down on both me and the customer right now (we're both in New England), he may not have any VPNs or anything else in a few hours, and I may not have Internet access, so if I don't respond to any questions or comments, that's probably why. The link should stay up, as that's hosted in California.


Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
silars

Some things that might help with the debugging...

I noticed in your blog you are seeing some odd switching behavior. There are a few situations that can result in that forwarding.

One, switches will flood unicast frames if the destination MAC is unknown. You'd have to verify the forwarding databases in the switches to determine what is known/unknown. You may also need to consult the source's MAC/IP bindings.

Another tricky one could be the function of Proxy ARP. This should be visible in the MAC/IP bindings. This is a shot in the dark really, since I don't see anything in your descriptions where this would be performed. However, this can result in incorrect MAC/IP bindings. Most commonly, this occurs in situations similar to yours where you have multiple overlapping IP ranges and routers all seeing the same traffic.

In your blog, the only frames you show are IP Broadcasts (x.x.x.255). These should be flooded. Do you have any examples of frames you believe are being flooded that aren't unknown/broadcast/multicast? Can you post the packet captures to include MAC information? I can understand not wanting to post certain information on public forums. Unfortunately, it will be difficult to advise much without such details.
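One way to answer the "which frames are actually being flooded?" question from a capture that includes MAC addresses, as an added example that is not part of the original post. The frames, the capturing host's MAC and the /24 subnet are constructed assumptions for illustration.

```python
# Added example: sort captured Ethernet frames into the kinds a switch is
# expected to flood (broadcast, multicast, unknown unicast) and the kind that
# should never have reached this port. Sample data is constructed.
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_multicast_mac(mac: str) -> bool:
    """True when the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify_frame(frame: dict, my_mac: str, local_net: str) -> str:
    """Explain why the capturing host saw one frame.

    frame: {"dst_mac", "src_mac", "dst_ip"}; my_mac: the capturing NIC;
    local_net: its subnet in CIDR form (assumed to be a /24 here).
    """
    dst_mac = frame["dst_mac"].lower()
    net = ipaddress.ip_network(local_net, strict=False)
    if dst_mac == BROADCAST_MAC:
        return "broadcast"          # ARP, x.x.x.255 etc.: flooding is normal
    if is_multicast_mac(dst_mac):
        return "multicast"          # also flooded unless IGMP snooping is on
    if dst_mac == my_mac.lower():
        return "unicast-to-me"
    if ipaddress.ip_address(frame["dst_ip"]) == net.broadcast_address:
        return "ip-broadcast-unicast-mac"   # odd binding: worth a closer look
    # Unicast addressed to someone else: the switch flooded it because the
    # destination MAC was not in its forwarding table (or the port is mirrored)
    return "flooded-unicast"


def flood_report(frames, my_mac: str, local_net: str):
    """Count frames per kind and collect the flooded unicast ones."""
    counts, suspicious = {}, []
    for f in frames:
        kind = classify_frame(f, my_mac, local_net)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "flooded-unicast":
            suspicious.append(f)
    return counts, suspicious


SAMPLE_FRAMES = [  # constructed frames, not from any real capture
    {"dst_mac": "ff:ff:ff:ff:ff:ff", "src_mac": "00:11:22:33:44:01", "dst_ip": "192.168.1.255"},
    {"dst_mac": "01:00:5e:00:00:fb", "src_mac": "00:11:22:33:44:02", "dst_ip": "224.0.0.251"},
    {"dst_mac": "00:11:22:33:44:aa", "src_mac": "00:11:22:33:44:03", "dst_ip": "192.168.1.10"},
    {"dst_mac": "00:11:22:33:44:bb", "src_mac": "00:11:22:33:44:04", "dst_ip": "192.168.1.20"},
]
```

Run `flood_report(SAMPLE_FRAMES, "00:11:22:33:44:aa", "192.168.1.0/24")` and compare the flooded-unicast destinations against the switch's MAC table to confirm which entries are missing.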
pcunix

I saved the log and then did a global delete of every line that matched 255:

That helps to unclutter a lot (don't know why I didn't think of that earlier). There was a lot of NETBIOS traffic, so I filtered out all that. That left me with nothing but some IPS drops and a few filter rules that were legit - nothing that indicates a darn thing wrong with the VPN!

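The filtering described in the post above (drop the .255 broadcast lines, then the NetBIOS lines, and look at what is left), as an added example rather than the poster's own command. The log lines are constructed and only approximate the real Kerio Control debug log format; the parser relies solely on the "ip:port -> ip:port" part of each line.

```python
# Added example: strip broadcast and NetBIOS noise from a saved debug log so
# that the remaining drops can be reviewed. Sample lines are constructed.
import re

FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services


def classify_line(line: str) -> str:
    """Return 'broadcast', 'netbios', 'keep' or 'no-flow' for one log line."""
    m = FLOW_RE.search(line)
    if not m:
        return "no-flow"            # not a packet line; keep for manual review
    src_port, dst_ip, dst_port = int(m.group(2)), m.group(3), int(m.group(4))
    if dst_ip.endswith(".255"):
        return "broadcast"          # the "global delete of every line matching 255"
    if src_port in NETBIOS_PORTS or dst_port in NETBIOS_PORTS:
        return "netbios"
    return "keep"


def filter_log(lines):
    """Split lines into the ones worth reading and a count of what was dropped."""
    kept, dropped = [], {}
    for line in lines:
        kind = classify_line(line)
        if kind in ("keep", "no-flow"):
            kept.append(line)
        else:
            dropped[kind] = dropped.get(kind, 0) + 1
    return kept, dropped


SAMPLE_LOG = [  # constructed, format only approximates the real log
    "[29/Oct/2012 10:05:01] Packet dropped (no matching rule) UDP 192.168.1.15:137 -> 192.168.1.255:137",
    "[29/Oct/2012 10:05:02] Packet dropped (no matching rule) UDP 192.168.1.15:138 -> 192.168.1.255:138",
    "[29/Oct/2012 10:05:03] Packet dropped (no matching rule) TCP 192.168.1.20:49152 -> 192.168.1.30:139",
    "[29/Oct/2012 10:05:04] Packet dropped (IPS) TCP 203.0.113.5:4444 -> 198.51.100.9:80",
    "[29/Oct/2012 10:05:05] Packet dropped (rule 'Block mDNS') UDP 192.168.1.40:5353 -> 224.0.0.251:5353",
]
```

After filtering, only the IPS drop and the explicit rule hit remain, which matches the "nothing wrong with the VPN" conclusion; a real log should be fed in line by line from the saved file.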
silars

Well, at least you can probably eliminate the switch as a cause. It would still be worth making sure the switch doesn't have any recorded drops or errored frames (CRC, Giants, Runts, etc.).

The next step would likely be to use some IP performance software. There is some decent freeware stuff out there. If you happen to have professional tools, even better.

The final step is checking the SP. Is this a leased line? Pseudo-leased line? Just Internet service?
pcunix

100/100 Verizon Fiber.

As to performance, that's the baffling thing. Through the Internet, performance is good. Through the VPN, it falls apart.

There has to be something I am just not seeing.

silars

Have you verified the MTU settings? IP Fragmentation can be a speed killer. This is unlikely to be the problem, but if someone was playing with Jumbo Frames for whatever reason, you could be dealing with that remnant.

Couldn't hurt to do a packet capture on the VPN tunnel either. Is this a PPTP tunnel or Kerio VPN?
pcunix

But checking the switch stats is a good idea. I don't have access, but I'll ask the IT guy there to see what it can tell him.

pcunix

silars wrote on Mon, 29 October 2012 10:21
Have you verified the MTU settings? IP Fragmentation can be a speed killer. This is unlikely to be the problem, but if someone was playing with Jumbo Frames for whatever reason, you could be dealing with that remnant.

Couldn't hurt to do a packet capture on the VPN tunnel either. Is this a PPTP tunnel or Kerio VPN?


Kerio Control to Kerio Control VPN.

If it were MTU, it would be bad MTU outside of the VPN too, but I guess he should look.

silars

A common phrase in networking is "95% of all problems are physical". I'd definitely double check cabling, ports, optics, terminations, etc. Ideally, they have testers of some sort (Fluke, Black Box, etc.).
pcunix

I don't know what they have - I don't think they are even open today (Long Island office).

But physical should affect everything, not just the VPN. And remember there's another VPN that doesn't have these problems.

silars

pcunix wrote on Mon, 29 October 2012 10:24
Kerio Control to Kerio Control VPN.

If it were MTU, it would be bad MTU outside of the VPN too, but I guess he should look.


That isn't always the case. Depends if some sort of Path MTU Discovery is used or not. Granted, this is even more unlikely. I try not to rule anything out in cases like this.
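A small model of the point made above, that an MTU problem can surface only inside the tunnel, as an added example and not code from either poster. The encapsulation overhead, the per-hop MTUs and the "ICMP filtered" case are assumed values chosen for illustration, not Kerio VPN's actual figures.

```python
# Added example: why a packet that crosses the plain Internet path fine can be
# fragmented or silently dropped once tunnel overhead is added. All numbers
# below are assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Path:
    link_mtus: list                   # MTU of each hop on the path, in bytes
    tunnel_overhead: int = 0          # bytes the VPN encapsulation adds (assumed)
    icmp_reaches_sender: bool = True  # False models a filtered "fragmentation needed"


def fits(path: Path, size: int) -> bool:
    """Does a payload of `size` bytes, plus tunnel overhead, pass the smallest hop?"""
    return size + path.tunnel_overhead <= min(path.link_mtus)


def send(path: Path, size: int, df: bool) -> str:
    """Outcome for one packet: delivered, fragmented, resent-smaller or blackholed."""
    if fits(path, size):
        return "delivered"
    if not df:
        return "fragmented"        # routers split it; slower, but it arrives
    if path.icmp_reaches_sender:
        return "resent-smaller"    # Path MTU Discovery works: sender adapts
    return "blackholed"            # DF set, ICMP filtered: the PMTUD black hole


def probe_path_mtu(path: Path, lo: int = 576, hi: int = 1500) -> int:
    """Largest payload that crosses with DF set, found by bisection (the same
    idea as probing by hand with ping and the do-not-fragment flag)."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if fits(path, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


# Same physical links for both: only the tunnel overhead differs (assumed 50 bytes).
DIRECT = Path([1500, 1500, 1500])
VPN = Path([1500, 1500, 1500], tunnel_overhead=50, icmp_reaches_sender=False)
```

With these assumptions a 1500-byte packet is delivered on the direct path but black-holed inside the tunnel, and the probe reports 1450 as the usable tunnel MTU; if the probed value differs between the two site-to-site VPNs, that is worth chasing.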
pcunix

Yeah, I know: once you rule out everything else, the insane stuff has to be looked at. I just think I'm missing something simple and obvious and it is maddening.

I'm more than a little "off" these past few days. We have this storm to worry about, and my wife's 89-year-old father seems to be dying. A lot of stress around here right now, and maybe I'm just not thinking straight.

silars

pcunix wrote on Mon, 29 October 2012 10:30
But physical should affect everything.. not just the VPN. And remember there's another VPN that doesn't have these problems.


Very true. The other VPN does counter just about anything in regards to the misbehaving VPN. Same ports, same SP, etc.

There isn't much left except for some SP pathing, and the destination? What's the destination VPN look like?
pcunix

The destination seems to be fine. Although once again they glommed everything onto one switch with no VLAN.

I just had a thought. If A has a VPN to B that is bad and a VPN to C that isn't, maybe we should try a VPN from B to C and see what its performance is. That might point a finger.

pcunix

I have to go. My wife wants to go see her Dad again. As dangerous as it might be, I can't let her go alone. We'll have to risk getting caught in it.

Thanks for your help.
