VPN and netbios problems - more info
David Gillett
dgillett at NIKU.COM
Wed Apr 12 22:05:32 EDT 2000
> > I suspect that the fact that the link between the two subnets is
> > a VPN is irrelevant (correct me if I'm wrong) and that we need to
> > get hold of another mailing list.
>
> It *should* be irrelevant.
It should be, but unfortunately that may not mean that it is.

What I seem to be seeing, on both our point-to-point and dial-up VPN
links, is that a momentary packet loss at the IP transport level seems to
translate into a loss of IPSEC tunnel connectivity of 3-30 seconds. A
congested router with a 5% reported packet loss may lead to a tunnel that is
only able to pass pings half the time.

It gets worse. Large transmissions -- specific reported examples include
"email messages with attachments" and "segment browse lists" (relevance to
this thread!) -- seem to *provoke* packet loss at such congestion points,
producing classic abort/restart/abort/restart/abort/restart/abort/fail
cycles; the message simply never gets through the tunnel.

The two alternatives we've identified so far are:

1. Move to a single national/international ISP to minimize transition of
overloaded carrier-to-carrier gateways.
2. Move to Frame Relay, ATM, leased lines, or other ~private services to
avoid the Internet.

Neither of these answers is wholly satisfactory, especially for our
dial-up user community. Other suggestions, anyone?

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"
VPN is sponsored by SecurityFocus.COM