VPN over Comcast

Owen DeLong owen at delong.com
Tue Apr 27 13:36:46 CDT 2010

On Apr 27, 2010, at 10:48 AM, Kevin Day wrote:

> On Apr 27, 2010, at 12:42 PM, Michael Malitsky wrote:
>> I will probably be laughed at, but I'll ask just in case.
>> We are having particularly bad luck trying to run VPN tunnels over
>> Comcast cable in the Chicago area.  The symptoms are basically complete
>> loss of connectivity (lasting minutes to sometimes hours), or sometimes
>> flapping for a period of time.  More often than not, a reboot of the
>> cable modem is required.  The most interesting ones involve the
>> following: a PIX or ASA configured as an EZvpn client, connecting to a
>> 3000 concentrator, authentication over RADIUS.  When I go to look at the
>> RADIUS logs, I see connections from the same box with small intervals.
>> Timeout is 8 hours, so theoretically I should see 3 connections in a
>> 24-hr period.  In some cases, I see dozens, in the most egregious cases,
>> thousands over a 24-hour period.  I am taking that as an indicator of a
>> really unstable Comcast circuit.  We have not had this problem with any
>> other ISP, anywhere in the country.
>> I am pretty much down to telling customers to find another provider...  
>> Any thoughts or ideas on the matter will be appreciated.
>> PS.  To be fair (?) to Comcast, this is not a ubiquitous problem.  It
>> affects about 25% of the installations I get to see.
>> Sincerely,
>> Michael Malitsky
> We experienced the same thing, and switching from UDP tunnels to TCP tunnels fixed it. There are two things at play here.
> 1) The SMC modem/router that they insist you use for their "Small Business" cable internet service seems to have trouble with very high rates of non-TCP traffic going through its NAT.
If you have business class service, insist that they put the cablemodem in BRIDGE-ONLY mode.  This will resolve this issue and eliminate the unnecessary NAT.

> 2) Comcast rate limits non-TCP traffic somewhere on their network.
Comcast rate limits traffic in general. TCP is not less rate limited than anything else in my
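The diagnostic Michael describes above (count RADIUS session starts per client over 24 hours and compare against the 3 you would expect from an 8-hour session timeout, then look at how short the intervals between reconnects are) is easy to automate. The script below is an added example written for this archive page, not code from any of the posters. The one-line accounting record format, the client names and the addresses in SAMPLE_LOG are all constructed and assumed; real RADIUS accounting logs (detail files, syslog, SQL) will need their own parse_record, the rest is format-independent.

```python
"""Flag VPN clients that re-authenticate far more often than their session timeout explains."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RADIUS accounting records in an assumed one-line format
# (ISO timestamp followed by attribute=value pairs). Not the poster's real logs.
# site-a behaves as expected (3 starts in 24 h); site-b reconnects in bursts.
SAMPLE_LOG = """\
2010-04-27T00:00:05 Acct-Status-Type=Start User-Name=site-a Calling-Station-Id=198.51.100.10
2010-04-27T00:00:07 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T00:03:40 Acct-Status-Type=Stop User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T00:04:12 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T00:06:55 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T00:07:30 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T08:00:06 Acct-Status-Type=Start User-Name=site-a Calling-Station-Id=198.51.100.10
2010-04-27T08:00:09 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T08:01:15 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T08:02:02 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T13:45:00 Acct-Status-Type=Interim-Update User-Name=site-a Calling-Station-Id=198.51.100.10
2010-04-27T16:00:04 Acct-Status-Type=Start User-Name=site-a Calling-Station-Id=198.51.100.10
2010-04-27T16:00:11 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T16:30:00 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
2010-04-27T16:31:00 Acct-Status-Type=Start User-Name=site-b Calling-Station-Id=203.0.113.20
"""

WINDOW = timedelta(hours=24)   # reporting period from the post
TIMEOUT = timedelta(hours=8)   # configured session timeout from the post

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_record(line):
    """Parse one assumed-format accounting line into (timestamp, attrs); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return ts, attrs


def session_starts(log_text, key="Calling-Station-Id"):
    """Map each client (identified by `key`) to its sorted list of Acct-Start timestamps."""
    starts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ts, attrs = rec
        if attrs.get("Acct-Status-Type") == "Start" and key in attrs:
            starts[attrs[key]].append(ts)
    return {client: sorted(times) for client, times in starts.items()}


def expected_starts(window, timeout):
    """Starts a healthy client produces in `window` when sessions last `timeout` (24h/8h -> 3)."""
    return math.ceil(window / timeout)


def max_starts_in_window(timestamps, window):
    """Largest number of starts falling inside any single span of length `window` (two-pointer scan)."""
    best, lo = 0, 0
    for hi, t in enumerate(timestamps):
        while t - timestamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def min_gap_seconds(timestamps):
    """Shortest interval between consecutive starts; the 'small intervals' symptom. None if < 2 starts."""
    if len(timestamps) < 2:
        return None
    return min((b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:]))


def flag_unstable(log_text, window=WINDOW, timeout=TIMEOUT, factor=3):
    """Return {client: {'starts': n, 'min_gap_s': s}} for clients whose busiest window
    holds more than factor * expected_starts() session starts."""
    threshold = factor * expected_starts(window, timeout)
    flagged = {}
    for client, times in session_starts(log_text).items():
        n = max_starts_in_window(times, window)
        if n > threshold:
            flagged[client] = {"starts": n, "min_gap_s": min_gap_seconds(times)}
    return flagged


if __name__ == "__main__":
    for client, info in flag_unstable(SAMPLE_LOG).items():
        print(f"{client}: {info['starts']} starts in 24h, shortest gap {info['min_gap_s']:.0f}s")
```

The threshold is deliberately generous (three times the expected count) so that a single modem reboot or a rekey does not trip it; the min_gap_s figure is what separates a genuinely flapping circuit (gaps of seconds to minutes) from a client that merely reconnected a few extra times.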


More information about the NANOG mailing list