Screen OS

  • 1.  PPPoE and VPN packet loss

    Posted 09-11-2010 04:11

    Hi All

     

    We have some problems with a PPPoE internet connection which drops a lot of packets; a VPN connection is made over the PPPoE connection, which of course also has a lot of packet loss.

    This is a SSG 20 with 6.2.0r2.0

     

    The moment we unplug the untrust interface and hook it up to a laptop which then makes the PPPoE connection, there is no packet loss, so I think it must be the configuration on the SSG 20.

     

    Other firewalls (SSG5 and another SSG20) which have no PPPoE but do have the VPN connection have no packet loss at all.

     

    If I ping over the VPN line it looks like the following

    ping 192.168.x.x count 1000 from bgroup0

    Type escape sequence to abort

     

    Sending 1000, 100-byte ICMP Echos to 192.168.x.x, timeout is 1 seconds from bgroup0

    !.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!.!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.

    Success Rate is 90 percent (904/1000), round-trip time min/avg/max=13/16/67 ms

     

    If I ping google.nl it looks like this:

    ping google.nl count 1000

    Type escape sequence to abort

     

    Sending 1000, 100-byte ICMP Echos to google.nl [74.125.79.147], timeout is 1 seconds

    !!!!!!!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!

    Success Rate is 97 percent (977/1000), round-trip time min/avg/max=14/18/63 ms

     

    get interface eth0

    Interface ethernet0/0:

      description ethernet0/0

      number 0, if_info 0, if_index 0, mode route

      link up, phy-link up/full-duplex

      status change:81, last change:08/25/2010 16:24:23

      vsys Root, zone Untrust, vr trust-vr

      PPPoE instance xxx enabled

      admin mtu 1492, operating mtu 1492, default mtu 1492

      *ip 62.45.x.x/32   mac 001d.b5bc.5980

      gateway 62.45.x.x

      *manage ip 62.45.x.x, mac 001d.b5bc.5980

      route-deny disable

      pmtu-v4 enabled

      ping enabled, telnet disabled, SSH enabled, SNMP enabled

      web enabled, ident-reset disabled, SSL enabled

      DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0

      OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled

      PIM: not configured  IGMP not configured

      MLD not configured

      NHRP disabled

      bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]

                 configured ingress mbw 0kbps, current bw 0kbps

                 total allocated gbw 0kbps

      DHCP-Relay disabled at interface level

      DHCP-server disabled

     

    Does anyone have an idea what could be wrong?




  • 2.  RE: PPPoE and VPN packet loss
    Best Answer

    Posted 10-22-2010 01:32

    Hi All,

    Since some websites kept failing to load and VPN traffic was slow, I changed some stuff on the firewall, and now both the internet and the VPN connection are working at high speed.

     

    The default MTU on the PPPoE connection is 1492; on the trusted side I was doing a ping from a Windows host to the internet like this:

    ping google.nl -l 1400 -t

     

    The first thing I did was unset the tcp-mss for the VPN tunnel, since for me it didn't make any difference.

    After that I played around with the flow all-tcp-mss and checked if the ping decreased the seconds to ping.

     

    set flow all-tcp-mss 1400

     

    After this the internet connection increased a lot and every website was accessible. The VPN connection speed suddenly increased as well.

     

    I also have path-mtu enabled, not sure if it makes any difference.

    set flow path-mtu

     

    Although I still have some time-outs on the internet connection, everything seems to work just fine.

    Copying via Windows shares over the VPN tunnel is almost as fast as downloading from the internet.

     

    Hope this helps someone who has a PPPoE connection and slow internet which should be fast.
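
To put the 1400-byte clamp above in context, this added example (not part of the original posts, and not Juniper code) works out the largest MSS that fits the 1492-byte PPPoE MTU, both directly and inside an ESP tunnel. The function names are hypothetical, and the ESP parameters (AES-CBC with HMAC-SHA1-96, tunnel mode, no NAT-T) are assumptions, since the thread does not state the VPN proposal.

```python
# Added example (not from the thread): MSS sizing for a PPPoE link and an ESP tunnel.
# Link MTU 1492 and MSS 1400 come from the thread; the ESP parameters are assumed.

IP_HDR = 20       # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_HDR = 8       # SPI (4) + sequence number (4)


def max_mss_plain(link_mtu):
    """Largest MSS whose full-size segment fits the link unfragmented."""
    return link_mtu - IP_HDR - TCP_HDR


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation.

    Defaults assume AES-CBC (16-byte IV and block) with HMAC-SHA1-96
    (12-byte ICV) and no NAT-T; the thread does not state the proposal.
    """
    # Inner packet + pad-length byte + next-header byte, padded up to a block.
    padded = -(-(inner_len + 2) // block) * block
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len


def max_mss_esp(link_mtu, iv_len=16, block=16, icv_len=12):
    """Largest MSS whose ESP-encapsulated segment still fits link_mtu."""
    room = link_mtu - IP_HDR - ESP_HDR - iv_len - icv_len
    inner = (room // block) * block - 2   # drop the two ESP trailer bytes
    return inner - IP_HDR - TCP_HDR


def report(mss, link_mtu):
    """Summarise how a chosen clamp value relates to both limits."""
    inner = mss + IP_HDR + TCP_HDR
    outer = esp_tunnel_size(inner)
    return {
        "inner_packet": inner,
        "fits_link": inner <= link_mtu,
        "esp_packet": outer,
        "esp_fits_link": outer <= link_mtu,
        "max_mss_plain": max_mss_plain(link_mtu),
        "max_mss_esp": max_mss_esp(link_mtu),
    }


if __name__ == "__main__":
    for key, value in report(mss=1400, link_mtu=1492).items():
        print(f"{key:15} {value}")
```

Under these assumptions a 1400-byte MSS fits the PPPoE link directly, while the same full-size segment inside ESP comes to 1512 bytes and would be fragmented on a 1492-byte link. Pass the tunnel's real IV, block and ICV sizes to get the figure for a different proposal.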