VPN over Comcast

James M Keller jmkeller at houseofzen.org
Tue Apr 27 18:51:06 UTC 2010


On 4/27/2010 1:42 PM, Michael Malitsky wrote:
> I will probably be laughed at, but I'll ask just in case.
>
> We are having particularly bad luck trying to run VPN tunnels over
> Comcast cable in the Chicago area.  The symptoms are basically complete
> loss of connectivity (lasting minutes to sometimes hours), or sometimes
> flapping for a period of time.  More often than not, a reboot of the
> cable modem is required.  The most interesting ones involve the
> following: a PIX or ASA configured as an EZvpn client, connecting to a
> 3000 concentrator, authentication over RADIUS.  When I go to look at the
> RADIUS logs, I see connections from the same box with small intervals.
> Timeout is 8 hours, so theoretically I should see 3 connections in a
> 24-hr period.  In some cases, I see dozens, in the most egregious cases,
> thousands over a 24-hour period.  I am taking that as an indicator of a
> really unstable Comcast circuit.  We have not had this problem with any
> other ISP, anywhere in the country.
> I am pretty much down to telling customers to find another provider...
>
> Any thoughts or ideas on the matter will be appreciated.
>
> PS.  To be fair (?) to Comcast, this is not a ubiquitous problem.  It
> affects about 25% of the installations I get to see.
>
> Sincerely,
> Michael Malitsky

I ran into issues in various Comcast serviced regions with SSL VPN over
tcp-443. From testing we started getting drops or severe rate limits
on the flow after 7-10 minutes. Best guess was it was anti-p2p
systems throttling encrypted/unknown protocol traffic after a set
timer. Disconnecting and reconnecting pushed performance back up to
normal until the timer kicked in again. We ended up setting the SSL
tunnel to re-key via new sessions every 5 minutes to keep the flow
shorter than the observed timer intervals. Other than running into a
Cisco AnyConnect client bug (the app would steal focus at the re-keys),
this worked around the issue on Comcast and even some FiOS end users.

-- 
---
James M Keller
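The original question uses the RADIUS log as a circuit-health indicator: with an 8-hour session timeout, a stable EZvpn client should authenticate about three times in 24 hours, and dozens or thousands of Access-Accepts with small gaps between them point to a flapping circuit. The script below is an added example, not part of either message in the thread, that turns that observation into a check. The syslog-style line format, the user and NAS names and the timestamps are all constructed for illustration and do not correspond to any real RADIUS server's output.

```python
"""Flag VPN clients that re-authenticate far more often than the session timeout allows.

Added example, not from the thread. Reads constructed RADIUS-style accept
lines, counts accepts per user inside a 24-hour window, compares the count
with the baseline implied by an 8-hour session timeout, and reports the
shortest gap between consecutive accepts (the "small intervals" symptom).
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not a real server's format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) radius: Access-Accept "
    r"user=(?P<user>\S+) nas=(?P<nas>\S+)$"
)

SESSION_TIMEOUT = timedelta(hours=8)   # the 8-hour timeout from the question
WINDOW = timedelta(hours=24)           # the 24-hour observation period

# Constructed sample: site-a behaves (3 accepts, ~8h apart); site-b flaps.
SAMPLE_LOG = """\
2010-04-27T00:05:12 radius: Access-Accept user=site-a nas=198.51.100.10
2010-04-27T08:05:40 radius: Access-Accept user=site-a nas=198.51.100.10
2010-04-27T16:06:01 radius: Access-Accept user=site-a nas=198.51.100.10
2010-04-27T00:01:00 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:03:30 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:04:10 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:09:55 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:11:02 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:15:48 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:20:00 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:31:15 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:32:40 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:40:00 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:55:30 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T01:10:00 radius: Access-Accept user=site-b nas=198.51.100.20
2010-04-27T00:02:00 radius: Access-Reject user=site-c nas=198.51.100.30
"""


def parse_log(text):
    """Return (timestamp, user, nas) tuples for every accept, sorted by time.

    Rejects and unrelated lines are skipped: only successful tunnel
    establishments count as a (re)connection.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["nas"]))
    return sorted(events)


def expected_connections(timeout=SESSION_TIMEOUT, window=WINDOW):
    """A healthy client re-authenticates once per timeout: ceil(24h / 8h) = 3."""
    return math.ceil(window / timeout)


def connections_per_window(events, window=WINDOW):
    """Count accepts per user inside `window` measured from that user's first accept."""
    first, counts = {}, defaultdict(int)
    for ts, user, _nas in events:
        start = first.setdefault(user, ts)
        if ts - start < window:
            counts[user] += 1
    return dict(counts)


def shortest_gap(events):
    """Shortest interval between consecutive accepts per user."""
    last, gaps = {}, {}
    for ts, user, _nas in events:
        if user in last:
            gap = ts - last[user]
            gaps[user] = min(gaps.get(user, gap), gap)
        last[user] = ts
    return gaps


def flag_unstable(events, factor=3):
    """Users whose accept count exceeds `factor` times the expected baseline.

    Returns {user: (observed, expected)}. The factor leaves headroom for a
    few legitimate reconnects (maintenance reboots, brief outages).
    """
    expected = expected_connections()
    return {
        user: (count, expected)
        for user, count in connections_per_window(events).items()
        if count > factor * expected
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    gaps = shortest_gap(evts)
    for user, (seen, want) in sorted(flag_unstable(evts).items()):
        print(f"{user}: {seen} accepts in 24h (expected ~{want}), "
              f"shortest gap {gaps[user]}")
```

Run against a real export, the only change needed is `LINE_RE`, which must match the accounting or authentication line format of the server in use; the threshold logic is independent of the format. Comparing `shortest_gap` across sites is often more telling than the raw count, since a circuit that drops every few minutes produces gaps far below any plausible re-key interval.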