01-26-2010 05:48 AM
Has anybody has problems using Network Connect on specific Internet Connections? I have a few users in MA who are able to login to our SSL VPN and use NC just fine from the Office and even with their Sprint AirCards, but when they go home to their home network, the connection is unusable and drops packets. The user is able to browse the Internet fine and doesn't get dropped packets on pings to www.yahoo.com when just using his home network. However, as soon as he starts up NC on his home network, he gets dropped packets, his Outlook won't connect to the Internal network and he's not even able to browse Intranet pages.
I don't even know where to start with troubleshooting this problem. Any ideas would be welcome.
01-26-2010 06:30 AM - edited 01-26-2010 06:31 AM
Sounds like those home users have modems with NAT enabled. Could you confirm that only those users apply NAT?
If not, you might have something more difficult (also NAT though):
- example user has a home networker 10.x.x.x/24
- example NC IP range 10.x.x.x/16 or /8
Imagine the routing issues here...Aye cap'n, where's me gateway gone?
Even a much simpler example case of the NC gateway on 10.0.0.10 and the home net gateway on 10.0.0.1, where the NC client computer cannot find either one, depending on the NC settings on your SA, will cause troubles like this.
01-26-2010 08:33 AM
This sounds like it could be an MTU size issue. It could be the ISP is restricting the size (may be due to some tunnelling they employ). I believe Network Connect bases it's MTU on th physical Interface. If the ISP is restricting the size for a direct connection like browsing the stack will sort things out but you can get a situation where Network Connect thinks the MTU is larger and tries to send bigger packets that get dropped/fragmented. Try reducing the MTU on the physical interface, 1400's normally a good starting point (if I remember correctly this is done in the registry).
01-26-2010 01:24 PM
If changing MTU doesn't help, then you should have your users upgrade their home router firmware as a next step.
Dropped packets can also occur over WIFI connections. Interferance and low signal strength can cause this. Have the users try to replicate the issue while wired to the router directly.
01-27-2010 05:47 AM
Thanks for the suggestions. I changed the MTU setting in Windows registry for the user, so we'll see how it goes tonight.
Reduce the MTU on the IVE to 1400 since the problem seems to be on the users home network.
Also, is the user's home network wi-fi? Wi-fi is notorious for dropping packets and connections and IPSec vpn's don't really like that.
02-03-2010 09:25 PM
If your customers are on networks (like AT&T) where everyone is behind a row of proxy servers, your roaming configuration may be breaking their connections.
On my AT&T connection I had to configure my communication manager to do no accelleration (bytemobile client off) otherwise, every 3-10 minutes, AT&T would route me out through a different proxy and my roaming disallowed SA2500 would kick me off for changing networks (from 32.x.x.x to 166.x.x.x). Also, if your users are getting RFC-1918 addresses, then there may not be much they can do, short of getting a static ip address, unless you open up roaming. (so far i have only seen this on Linux AT&T wireless clients.)
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
02-05-2010 11:59 AM - edited 02-05-2010 11:59 AM
We have a handful of users who are having problems on WiMax connections such as Clearwire. I'd be curious to know if anyone else has seen this.
jkopko - You might want to see if the user gets dropped packets with SSL transport mode instead of ESP. I agree with the others to look at the user's home router as well.