FW: Issues w/ Nortel VPN (fwd)

Tina Bird tbird at precision-guesswork.com
Thu Jun 7 14:03:49 EDT 2001


leemerri at nortelnetworks.com



Bill,

The first thing I would suggest is that, if you have a support contract,
call 1-800-2LANWAN and open a case on this issue.  I don't see this being
related to a security issue, but more likely to a configuration issue.
Whether it is an issue with the Contivity itself or the broad band provider
I cannot tell from the information you have provided.  The amount of detail
that you have given makes it hard to provide a viable suggestion.

This said, I queried the upper level support group and there have been
issues with some broad band providers who use forced and frequent re-issue
of IP addresses (typically every 30 minutes for the ISPs that we have heard
about).  This will cause the connection to become unusable due to the
authentication and authorization of the VPN traffic being directly
associated to that address.

There may also be an issue with keep alives, if you are using them.  Some
service providers will remove this traffic due to the nature of the packets.
You can disable keep alive use.

We have substantial experience with utilizing the EAC and Contivity through
many broad band providers and have found few problems as I have related
above.  You may wish to query the service provider on these points, though
the information on traffic filtering may not be available.

When you open a case through the support channel be ready to provide as much
of the following information as possible.

1.    What version of the EAC and Contivity software are being used?
2.    What type of tunneling is being utilized?  [IPSec, L2TP, PPTP, L2F]
3.    Is there a commonality of broad band service provider for the users
that are having problems?
4.    When connected to the service provider, is your IP address forced to
change periodically?
5.    Are the problem users in the same group?  Do they have the same user
policy applied to them all?
6.    Are they using any of the following features:
           a.  AutoConnect
           b.  Split tunneling
7.    Be able to provide a network diagram.
8.    Have available a copy of the event log related to a user session that
had the described problem. [or be able to get one when needed.]
9.    Is there a specific type of traffic that ceases to be transmitted, or
is it all traffic?

They will also ask you some generic questions about the Workstation
O/S, type of authentication used, etc. that can help in emulation of the
problem.  If you are not the Administrator of the Contivity, it would be a
good idea to have that person available for the trouble call so that as much
relevant data as possible can be provided at the start of the case.


I hope this helps,

Lee Merrill
IPCA Lab
Nortel Networks
leemerri at nortelnetworks.com


-----Original Message-----
From: Bill Yazji [mailto:byazji at psualum.com]
Sent: Wednesday, June 06, 2001 3:17 PM
To: vpn at securityfocus.com
Subject: Issues w/ Nortel VPN


On my corporate network, we implemented the Nortel Contivity Extranet
switches.

We are having issues with broadband users (mostly cable) having their 
tunnels cease transmitting traffic.

The Nortel software says that it is still connected, but still having 
issues with not passing traffic. The end user has to take the tunnel down, 
and restart to get the tunnel active again.

Checked just about everything, and am going nuts.

Any suggestions?

~Bill
byazji at psualum.com

----
                                           Bill Yazji
                               byazji at psualum.com

           "Your Choices Are Half Chance, So Are Everybody Else's"
  "Never Under Estimate The Power Of Stupid People In Small Groups"

----


VPN is sponsored by SecurityFocus.com


