VPN over Comcast

Kevin Day toasty at dragondata.com
Tue Apr 27 12:48:26 CDT 2010

On Apr 27, 2010, at 12:42 PM, Michael Malitsky wrote:

> I will probably be laughed at, but I'll ask just in case.
> We are having particularly bad luck trying to run VPN tunnels over
> Comcast cable in the Chicago area.  The symptoms are basically complete
> loss of connectivity (lasting minutes to sometimes hours), or sometimes
> flapping for a period of time.  More often than not, a reboot of the
> cable modem is required.  The most interesting ones involve the
> following: a PIX or ASA configured as an EZvpn client, connecting to a
> 3000 concentrator, authentication over RADIUS.  When I go to look at the
> RADIUS logs, I see connections from the same box with small intervals.
> Timeout is 8 hours, so theoretically I should see 3 connections in a
> 24-hr period.  In some cases, I see dozens, in the most egregious cases,
> thousands over a 24-hour period.  I am taking that as an indicator of a
> really unstable Comcast circuit.  We have not had this problem with any
> other ISP, anywhere in the country.
> I am pretty much down to telling customers to find another provider...  
> Any thoughts or ideas on the matter will be appreciated.
> PS.  To be fair (?) to Comcast, this is not a ubiquitous problem.  It
> affects about 25% of the installations I get to see.
> Sincerely,
> Michael Malitsky

We experienced the same thing, and switching from UDP tunnels to TCP tunnels fixed it. There are two things at play here.

1) The SMC modem/router that they insist you use for their "Small Business" cable internet service seems to have trouble with very high rates of non-TCP traffic going through its NAT.

2) Comcast rate limits non-TCP traffic somewhere on their network.

Tunneling TCP inside TCP is a bad idea, but actually made the VPNs useful for us. Using IPSEC or UDP tunnels left us with tunnels that were rate limited to about 1mbps each way, until either the modem crashed or their network throttled us down to near useless speeds. I don't know if they're trying to stop customers from DoS'ing people or... exactly what the goal of it is, and couldn't ever get them to explain anything.

More information about the NANOG mailing list