Multiple Simultaneous VPN Tunnels cause HUGE slowdown, dropped packets
-
Hello.
I have set up pfSense at one facility, and ZyWALL 5 units at two remote facilities.
I can have either remote facility connected via IPsec VPN and I get around 20ms latency, no dropped packets, high throughput (300kbps).
If I enable the 2nd facility's VPN connection, I start dropping packets on BOTH VPN tunnels, and the ping times rise from 20ms to 100+ ms.
I ensured that the identifiers are different, and even went so far as to have different pre-shared keys, encryption algorithms, etc.
Please help me understand whether this is a limitation of racoon, a pfSense-specific issue, perhaps a hardware issue, or just a configuration problem?
I am trying to eliminate the point-to-point T1s my company currently uses and implement cable with DSL backup, so (for me at least), this has a sense of urgency.
Thank you for your help!
-Tomaj
-
Are you watching bandwidth utilization when this occurs and sure that your pipe isn't filling up when the IPsec connection to the 2nd facility comes up for some reason?
-
Hey Guys
I'm seeing something very similar. I have 3 tunnels and intermittently I cannot ping through the tunnel. It's really odd, and it's causing me all sorts of problems. Is there something I can post up here that may help identify the problem?
I don't think bandwidth is an issue for me as I have a 10Mb symmetrical link the tunnels are going over.
-
Hello all.
I am not sure what I did to fix the issue (if anything at all) but it seems OK now.
I believe I was able to see that the racoon process was dying, so I just rebooted the whole box, and only ran 1 tunnel for a while. Then one night I was playing with the configurations, testing, doing some file transfers, etc., and it all seems OK..?
To ensure it was really stable I ran 1 million pings at 100ms interval on both tunnels simultaneously (takes around a day), and I lost around 0.01% of the packets, averaging around 20ms round trip.
Sorry I can't really help anyone else out there. I guess my only suggestion is to play with the encryption settings, identifiers, etc.
-Tomaj
-
Good to hear yours is ok.
Well, I've been running for just over 24 hours and mine has been fine as well. I might try the ping test myself and test how stable it is. The only real difference between now and my last post is that I did have a duplex issue on my WAN that was fixed, and I have since reinstalled and loaded up the old config, and all is good so far.
Wasca