Hi
I have two sites, with a 3448 at each location. The internet connection is 10M down / 1.5M up, and we established a VPN tunnel between the two routers. The actions the users need from site A to site B are:
- login/authentication on the server
- shared drives
- access to the exchange server for outlook
- access to SQL server
As we speak, the sessions are getting disconnected, the connection to the Exchange server is frequently lost, and the traffic is very slow. Is the internet connection fast enough for the actions needed?
Is the VPN tunnel disconnecting?
I attached both config files.
Since you are using the firewall feature, you will want to put a rule in to allow the IPSEC tunnel traffic into the WAN of each 3448. What's likely happening now is that the tunnel is getting established through open ports and then the firewall is closing them. Add an ACL like this at each site and apply it to your policy. You could also filter by the specific ISAKMP port (500) and ESP protocol that are used, but since your other site should be a trusted host this is just easier.
ip access-list extended Allow_IPSEC_IN
permit ip host x.x.x.1 any (other site's WAN)
ip policy-class Public
allow reverse list VPN-10-vpn-selectors1
allow list Allow_IPSEC_IN self
nat destination list web-acl-3 address 192.168.123.5
allow list web-acl-4 self
I would like to make a few recommendations too. I would suggest using AES encryption instead of 3DES. It is more secure and has better performance than 3DES. I would also recommend specifying source networks in the "ip access-list extended web-acl-4" admin access list if you can, to limit the exposure of your admin ports to the internet. I also see that you have IP Flow enabled as well as RTP monitoring. Depending on how much traffic your sites do, this could load the CPU and lead to throughput issues because of a lack of resources.
I hope this helps. If it doesn't, then you may need to run a debug and let us know what is happening on each router when the tunnel drops out.
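As an added check (my own script, not from the thread or from ADTRAN), here is a small Python parser for the AOS-style text above that confirms the Public policy-class has an "allow list ... self" entry whose ACL admits the tunnel, either the peer's WAN host outright (the reply's approach) or ISAKMP UDP 500/4500 and ESP. The config and the peer address 203.0.113.1 are constructed samples; the "esp" ACL keyword is assumed.

```python
import re

# Constructed sample in the style of the thread's NetVanta config (not the poster's file);
# 203.0.113.1 stands in for the other site's WAN address.
SAMPLE_CONFIG = """\
ip access-list extended Allow_IPSEC_IN
  permit ip host 203.0.113.1 any
ip access-list extended web-acl-4
  permit tcp any any eq 443
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1
  allow list Allow_IPSEC_IN self
  allow list web-acl-4 self
  nat destination list web-acl-3 address 192.168.123.5
"""
# Same config with the IPsec allow entry omitted, i.e. the state the thread describes.
MISSING_CONFIG = SAMPLE_CONFIG.replace("  allow list Allow_IPSEC_IN self\n", "")

def parse_blocks(text):
    """Group indented lines under their top-level command (ACLs, policy-classes)."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def tunnel_permit(rule, peer_wan):
    """One ACL entry admits the tunnel if it permits the peer host, ESP (assumed
    keyword 'esp' or protocol 50), or UDP to ISAKMP/NAT-T ports 500/4500."""
    parts = rule.split()
    if len(parts) < 2 or parts[0] != "permit":
        return False
    if re.search(rf"\bhost {re.escape(peer_wan)}(\s|$)", rule) or parts[1] in ("esp", "50"):
        return True
    return parts[1] == "udp" and re.search(r"\beq (500|4500)\b", rule) is not None

def ipsec_allowed_in(text, peer_wan, policy="Public"):
    """Name of the first ACL that policy-class <policy> allows to 'self' and that
    permits the tunnel from peer_wan, or None if the firewall has no such entry."""
    blocks = parse_blocks(text)
    for entry in blocks.get(f"ip policy-class {policy}", []):
        m = re.match(r"allow list (\S+) self$", entry)
        if m and any(tunnel_permit(r, peer_wan)
                     for r in blocks.get(f"ip access-list extended {m.group(1)}", [])):
            return m.group(1)
    return None
```

Run it over a "show running-config" capture from each 3448 with the other site's WAN address; None means the tunnel traffic still has no allow entry in that router's public policy.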
Hi
I don't understand this line:
nat destination list web-acl-3 address 192.168.123.5
Why do I need to add this?
Sent: May-15-14 10:33 AM
To: dominic lazure
Subject: Re: - traffic between the vpn tunnel is slow or get disconnected ( 3448 )
ADTRAN Support Community <https://supportforums.adtran.com/index.jspa>
traffic between the vpn tunnel is slow or get disconnected ( 3448 )
created by petersjncv <https://supportforums.adtran.com/people/petersjncv> in NetVanta 3400 Series <https://supportforums.adtran.com/message/14454#14454>
That line was in your original configuration file titled "georgebizet" attached above.
Here is the matching ACL. This looks like a NAT port forward for mail services.
ip access-list extended web-acl-3
remark mail
permit tcp any any eq smtp log
permit tcp any any eq pop3 log
permit tcp any eq 143 any eq 143 log
The config example I pasted was just sampled from your config but it wasn't the whole thing. I was just trying to show you where you would want to put the Allow IPSEC list. Here is how you want your policy to look (based upon the current config).
ip policy-class Public
allow reverse list VPN-10-vpn-selectors1
allow list Allow_IPSEC_IN self
allow list web-acl-4 self
nat destination list web-acl-3 address 192.168.123.5
nat destination list web-acl-5 address 192.168.123.5
nat destination list web-acl-6 address 192.168.123.5
nat destination list web-acl-9 address 192.168.123.20
nat destination list web-acl-10 address 192.168.123.50
nat destination list web-acl-11 address 192.168.123.5
I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor