Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 26 subscribers
  • Views 3616 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site IPSEC connection inconsistency

Stephen Zuluaga

I have 2 sites, and an XG at each.

 

Site A is connected to the internet via PPPoE ADSL2+ and it's XG has been in place for a year.

Site B's XG has an NBN FTTP(Fiber to the premises) internet connection, and it's XG is new but the site and internet connection is not.

I have a valid IPSec site-to-site running and while I was staging these devices on-site via LAN I had some speed issues, I followed the advice in this thread and disabled PFS, which helped speed dramatically.

Now that the Site B XG is actually on site, I've re-established the IPSec site-to-site. I am experiencing some strange symptoms where access between non XG devices(so the remainder of both networks) is extremely slow.

I get pings of around 14 between these devices but I can't make viable connections via HTTP, RSYNC, HTTPS, even SSH.

QoS is off at both sites.

There are no other transfers occurring to hog bandwidth

The firewall rules are like this at both ends

This problem has be pretty stuck as I was hoping to use pings to guide my troubleshooting any possible firewall or traffic issues.

 

Has anyone got any ideas I can try to understand this problem a bit better?



This thread was automatically locked due to age.
  • 0

    I got a suggestion from to check out the MTU and MSS values, including this post.

     

    Site A's demarcation point is the telephone point that connects to the ADSL2+ modem, and the ISP's ADSL MTU is 1492

    • Site A's WAN interface is running in PPPoE mode with an MTU of 1500 and no MSS override

    Site B's demarcation point is the ethernet port coming from the FTTP media converter/CPE, and the ISP's Ethernet MTU is 1500

    • Site B's WAN interface is running in DHCP mode with an MTU of 1500 and no MSS override

    If I was to reduce the MTU of Site B down to 1492, should I be doing this on the WAN interface of the XG?

     

    I noticed in that forum link, people had issues with non persistence over reboots and upgrades and these contributors were reluctant to reduce their interface MTU, they only wanted to do it to the tunnel. I'm not sure why there would be a problem in reducing Site B's MTU to 1492 as long as it didn't have a noticable impact on Site B's internet speeds and user experience.

     

    Additionally in my environment, there is also Site C, it's not something I thought might be relavent but I'm thinking it could be if MTU and MSS is an issue.

    Site C's demarcation point is the telephone point that connects to the ADSL2+ modem, and the ISP's ADSL MTU is 1492

    • Site C's WAN interface is running in PPPoE mode with an MTU of 1500 and no MSS override
    • Site A and C are connected, and don't have any problems transferring.
    • Site A, B and C are all of the same ISP.

     

    I don't know how to look further into it at this stage, but I'm getting to think that MTU and MSS is an issue. Is this something I should be configuring in the IPsec settings? I've seen the PPPoE MTU settings, but changing them to lower values isn't having an impact.