Site to Site bonded VPN traffic flow issue


This topic contains 4 replies, has 0 voices, and was last updated by  twh 9 years, 1 month ago.

Viewing 6 posts - 1 through 6 (of 6 total)
#42427

    twh
    Member

    Hello All,

    First time post.

    I have used Zeroshell to setup a site to site VPN, bonding together 6 x ADSL2+ services in a country location where anything “better” is either not available or too expensive.

    The ADSL services all sync at or near 21M/1M, and are solid and reliable business grade services that have been in place for over 2 years.

    Network Architecture:

    Head office, 10.250.1.x/24 network contains outside interface of zeroshell, and 6 x Cisco 857 ADSL Routers with NAT enabled.

    Inside interface to Zeroshell is 192.168.1.x/24 corporate network.

    Capital city Data Centre (100 Megabit internet connection) – Zeroshell with single public IP.

    Head office Zeroshell initiates the 6 tunnels (UDP) using load balancer to distribute across the 6 gateways to the single public IP of the data centre system (with incrementing port numbers and unique PSK for each tunnel).

    After some initial hassles, the link is now solid.

    Head office end set as client, data centre end set as server.

Traffic flow from head office to datacentre (i.e. going out the backchannel of the ADSL services) is reliable and achieves about 300 Kbps. (about half the theoretical maximum, a bit disappointing, but not bad.) Have successfully transferred multiple 2 gigabyte files reliably using Windows networking, UNC path to a server.

    Traffic flow from the datacentre to head office however is unreliable. Remote desktop is very slow to establish and slow to use. File transfers never start moving data, just sit trying to establish the connection and then fails.

    Whether the transfer is a push from Data centre end or a pull from head office appears to make no difference (as expected).

I suspect there may be a MTU issue due to the 1492 ADSL MTU at head office end. I have not been able to work out how to change this in Zeroshell though.

    Otherwise it might be the fact that the 6 x ADSL2 services total a theoretical 126 Mbps of bandwidth but the datacentre connection is only 100 Mbps. The zeroshell server is connected to a gigabit switch and is syncing at 1000 Mbps (I suppose I could try forcing this to 100 meg). The uplink from the switch to the Internet is only 100 Mbps though.

    How can I monitor or debug the tunnel within zeroshell to identify packet loss, etc? (I know I can use an external sniffer such as Wireshark).

    Thanks in advance for your help.

    Tony

    #50375

    ppalias
    Member

    Hi Tony,

    I read your whole post but I never found a reference to the BOND interface. I hope you have one, otherwise you are making your life too difficult.

    #50376

    twh
    Member

    ppalias,

    Yes, it is setup with a bond of the 6 VPN tunnels. All routing etc is based upon that bond.

    Also, Zeroshell is running at both ends on VMware ESXi – each with 512 Meg RAM and two CPU cores.

Running Wireshark is showing me a multitude of duplicated ACKs and retransmits etc, so there is definitely packet loss.

    Also a ping with a large payload size (I chose 1800) is showing RTT between 20ms and 600ms with about every 10th packet lost altogether. This on a service that has no other traffic.

    Other single non bonded links sit quite consistently on 30 – 40ms.

What logs do I look at? Looking at the statistics of the bond and the 6 underlying VPN tunnels is showing no errors.

    Thanks

    Tony
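The two measurements asked about in the posts above (is the 1492-byte ADSL MTU biting, and how lossy is each path) can be taken from any host behind one Zeroshell aimed at a host behind the other. The script below is an added example written for this thread; it is not part of Zeroshell and not code from either poster. It assumes GNU/Linux iputils ping (`-M do` sets the don't-fragment bit, `-s` is the ICMP payload size, `-W` the per-reply timeout) and a reachable target of your choosing. Note that an 1800-byte ping payload exceeds any single link MTU here and is always fragmented, so loss in that test does not by itself separate an MTU problem from plain packet loss; probing with DF set does.

```shell
#!/bin/sh
# Added example (not from the thread or from Zeroshell): find the path MTU with
# don't-fragment pings, then summarise loss and RTT of a ping run.
# Assumes GNU/Linux iputils ping. Target host and MTU bounds are your own inputs.

# Largest ICMP echo payload that fits an IPv4 MTU: 20 bytes IPv4 + 8 bytes ICMP.
icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Binary-search the largest DF payload that reaches $1 and print it as an IP MTU.
# $2 is an MTU known to pass, $3 one known to fail (defaults 1200 and 1500 suit a
# PPPoE/ADSL path). Three probes per size so one lost packet does not mislead.
probe_pmtu() {
    target=$1
    lo=$(icmp_payload_for_mtu "${2:-1200}")
    hi=$(icmp_payload_for_mtu "${3:-1500}")
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        # ping exits 0 if at least one reply arrived; DF + too large never does
        if ping -c 3 -W 1 -M do -s "$mid" "$target" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo $((lo + 28))
}

# Summarise `ping -c N` output read on stdin as "<loss%> <avg ms> <max ms>".
# Parses the iputils summary lines; the BSD/macOS "round-trip" line has the same
# field layout so it is accepted too.
summarise_ping() {
    awk '
        /packet loss/ {
            if (match($0, /[0-9.]+% packet loss/)) {
                loss = substr($0, RSTART, RLENGTH)
                sub(/%.*/, "", loss)
            }
        }
        /^(rtt|round-trip) min\/avg\/max/ {
            split($4, r, "/")
            avg = r[2]; max = r[3]
        }
        END { printf "%s %s %s\n", loss, avg, max }
    '
}

# Usage: ./tunnel_probe.sh <target> [known_good_mtu] [known_bad_mtu]
# Prints the path MTU, then loss/avg/max RTT for 20 MTU-sized DF pings.
if [ $# -gt 0 ]; then
    mtu=$(probe_pmtu "$@")
    echo "path MTU to $1: $mtu"
    ping -c 20 -i 0.2 -M do -s "$(icmp_payload_for_mtu "$mtu")" "$1" | summarise_ping
fi
```

Run it once across the bond and once per ADSL line if you can pin a probe to a single tunnel: a path MTU well below 1492 points at tunnel encapsulation overhead and a tunnel MTU or MSS clamp to set, while a sane MTU with 10% loss and a 20 to 600 ms RTT spread points at loss or reordering on the path or in the bond rather than fragmentation.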

    #50377

    ppalias
    Member

I don’t think it is something you can see in the logs. What would help is for you to show us the config of everything you have done so far. To be more specific, take a screenshot of the Network Interfaces, the routing table, the NetBalancer, the balancing rules and the VPN tunnels.

    #50378

    twh
    Member

Sorry, feeling really stupid now, I can’t work out how to post a screenshot, or do you mean copy and paste plain text? Most of the browser information won’t copy and paste very well at all.

    You probably mean to grab information from the SSH interface, which I haven’t gotten to work as yet.

    #50379

    ppalias
    Member

If you don’t have any particular program to take screenshots of the whole screen or specific windows, you may press the “Prt Scr” button on your keyboard at any time, then open the MSPaint program, select “Edit” -> “Paste” and the screenshot will appear on your screen. Edit it, save it as JPEG to compress it a bit and then upload it to some image sharing site, like http://www.flickr.com/ . Finally post here the link to the uploaded picture.

