VPN over Comcast
Owen DeLong
owen at delong.com
Tue Apr 27 18:36:46 UTC 2010
On Apr 27, 2010, at 10:48 AM, Kevin Day wrote:
>
> On Apr 27, 2010, at 12:42 PM, Michael Malitsky wrote:
>
>> I will probably be laughed at, but I'll ask just in case.
>>
>> We are having particularly bad luck trying to run VPN tunnels over
>> Comcast cable in the Chicago area. The symptoms are basically complete
>> loss of connectivity (lasting minutes to sometimes hours), or sometimes
>> flapping for a period of time. More often than not, a reboot of the
>> cable modem is required. The most interesting ones involve the
>> following: a PIX or ASA configured as an EZvpn client, connecting to a
>> 3000 concentrator, authentication over RADIUS. When I go to look at the
>> RADIUS logs, I see connections from the same box with small intervals.
>> Timeout is 8 hours, so theoretically I should see 3 connections in a
>> 24-hr period. In some cases, I see dozens, in the most egregious cases,
>> thousands over a 24-hour period. I am taking that as an indicator of a
>> really unstable Comcast circuit. We have not had this problem with any
>> other ISP, anywhere in the country.
>> I am pretty much down to telling customers to find another provider...
>>
>> Any thoughts or ideas on the matter will be appreciated.
>>
>> PS. To be fair (?) to Comcast, this is not a ubiquitous problem. It
>> affects about 25% of the installations I get to see.
>>
>> Sincerely,
>> Michael Malitsky
>>
>>
>
> We experienced the same thing, and switching from UDP tunnels to TCP tunnels fixed it. There are two things at play here.
>
> 1) The SMC modem/router that they insist you use for their "Small Business" cable internet service seems to have trouble with very high rates of non-TCP traffic going through its NAT.
>
If you have business class service, insist that they put the cablemodem in BRIDGE-ONLY mode. This will resolve this issue and eliminate the unnecessary NAT.
> 2) Comcast rate limits non-TCP traffic somewhere on their network.
>
Comcast rate limits traffic in general. TCP is not less rate limited than anything else in my
experience.
Owen
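The RADIUS-log check Michael describes in the quoted message (counting how often the same box reconnects against its 8-hour session timeout, and how close together those reconnects are) can be scripted so the "dozens or thousands of connections per day" pattern is flagged automatically. The block below is an added example and not code from the thread or from any of the vendors mentioned; the accounting log format is a constructed, simplified one (real RADIUS detail files differ, so `parse_line()` would need adapting), and the `tolerance` multiplier that decides when a client counts as flapping is an assumption.

```python
"""Flag VPN clients that reconnect far more often than their session timeout explains.

Added example, not code from the NANOG thread. The log format is a constructed,
simplified RADIUS accounting format (timestamp, client, Acct-Status-Type value);
real RADIUS detail logs differ, so adapt parse_line() for your server.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math
import re

# Constructed sample: one stable client that only reconnects when the 8-hour
# timeout expires, and one client that flaps in bursts (documentation IPs).
SAMPLE_LOG = """\
2010-04-27 00:01:10 client=198.51.100.7 event=Start
2010-04-27 08:01:12 client=198.51.100.7 event=Start
2010-04-27 16:01:15 client=198.51.100.7 event=Start
2010-04-27 00:02:00 client=203.0.113.9 event=Start
2010-04-27 00:02:41 client=203.0.113.9 event=Start
2010-04-27 00:03:05 client=203.0.113.9 event=Start
2010-04-27 00:03:57 client=203.0.113.9 event=Start
2010-04-27 05:17:22 client=203.0.113.9 event=Start
2010-04-27 05:18:01 client=203.0.113.9 event=Start
2010-04-27 13:40:11 client=203.0.113.9 event=Start
2010-04-27 13:40:44 client=203.0.113.9 event=Start
2010-04-27 13:41:20 client=203.0.113.9 event=Start
2010-04-27 13:41:59 client=203.0.113.9 event=Start
"""

LINE_RE = re.compile(r"^(\S+ \S+) client=(\S+) event=(\S+)$")


def parse_line(line):
    """Return (timestamp, client, event) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def expected_reconnects(window, session_timeout):
    """Connections a stable client makes in `window` if the only reason it
    reconnects is the session timeout expiring (24h / 8h -> 3)."""
    return math.ceil(window / session_timeout)


def analyze(log_text, session_timeout=timedelta(hours=8),
            window=timedelta(hours=24), tolerance=3):
    """Count Start records per client inside one window starting at the
    earliest record, and flag clients exceeding tolerance * expected.
    Also report the shortest gap between consecutive connections, since
    back-to-back reconnects are the symptom being looked for."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    starts = [(ts, client) for ts, client, ev in events if ev == "Start"]
    if not starts:
        return {}
    window_start = min(ts for ts, _ in starts)
    window_end = window_start + window
    per_client = defaultdict(list)
    for ts, client in starts:
        if window_start <= ts < window_end:
            per_client[client].append(ts)
    expected = expected_reconnects(window, session_timeout)
    report = {}
    for client, stamps in per_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[client] = {
            "starts": len(stamps),
            "expected": expected,
            "min_gap_s": min(gaps) if gaps else None,
            "flapping": len(stamps) > tolerance * expected,  # tolerance is an assumption
        }
    return report


if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG).items():
        status = "FLAPPING" if info["flapping"] else "ok"
        print(f"{client}: {info['starts']} starts (expected ~{info['expected']}), "
              f"shortest gap {info['min_gap_s']}s -> {status}")
```

Run against a day's accounting records, the stable client shows the three connections the timeout predicts, while the flapping client shows ten with reconnects only tens of seconds apart, which is the signature to look for before blaming the circuit, the modem's NAT handling of UDP, or the rate limiting discussed above.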