VPN over Comcast
James M Keller
jmkeller at houseofzen.org
Tue Apr 27 18:51:06 UTC 2010
On 4/27/2010 1:42 PM, Michael Malitsky wrote:
> I will probably be laughed at, but I'll ask just in case.
>
> We are having particularly bad luck trying to run VPN tunnels over
> Comcast cable in the Chicago area. The symptoms are basically complete
> loss of connectivity (lasting minutes to sometimes hours), or sometimes
> flapping for a period of time. More often than not, a reboot of the
> cable modem is required. The most interesting ones involve the
> following: a PIX or ASA configured as an EZvpn client, connecting to a
> 3000 concentrator, authentication over RADIUS. When I go to look at the
> RADIUS logs, I see connections from the same box with small intervals.
> Timeout is 8 hours, so theoretically I should see 3 connections in a
> 24-hr period. In some cases, I see dozens, in the most egregious cases,
> thousands over a 24-hour period. I am taking that as an indicator of a
> really unstable Comcast circuit. We have not had this problem with any
> other ISP, anywhere in the country.
> I am pretty much down to telling customers to find another provider...
>
> Any thoughts or ideas on the matter will be appreciated.
>
> PS. To be fair (?) to Comcast, this is not a ubiquitous problem. It
> affects about 25% of the installations I get to see.
>
> Sincerely,
> Michael Malitsky
>
I ran into issues in various Comcast-serviced regions with SSL VPN over
tcp-443. From testing we started getting drops or severe rate limits
on the flow after 7-10 minutes. Best guess was it was anti-p2p
systems throttling encrypted/unknown protocol traffic after a set
timer. Disconnecting and reconnecting pushed performance back up to
normal until the timer kicked in again. We ended up setting the SSL
tunnel to re-key via new sessions every 5 minutes to keep the flow
shorter than the observed timer intervals. Other than running into a
Cisco AnyConnect client bug (the app would steal focus at the re-keys),
this worked around the issue on Comcast and even some FiOS end users.
--
---
James M Keller
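The RADIUS-log check Michael describes (an 8-hour timeout predicts about three re-authentications per box per 24 hours, so dozens or thousands point at an unstable circuit) written out as a script. This is an added example, not code from either poster: the one-record-per-line accounting format, the user/NAS names and the sample records are constructed for illustration, and only the 8-hour timeout and 24-hour window come from the thread.

```python
"""Flag VPN peers that re-authenticate far more often than the session
timeout predicts, from RADIUS accounting-style log lines.

Added example, not from the NANOG thread. The log format below is a
constructed one-line-per-record format (timestamp, Acct-Status-Type,
NAS-IP, User); real FreeRADIUS/ACS detail output looks different and
would need its own parser.
"""
import re
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

SESSION_TIMEOUT = timedelta(hours=8)   # from the thread: 8-hour timeout
WINDOW = timedelta(hours=24)           # from the thread: 24-hour period

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Acct-Status-Type=(?P<type>\w+) "
    r"NAS-IP=(?P<nas>\S+) User=(?P<user>\S+)$"
)


def expected_starts(window=WINDOW, timeout=SESSION_TIMEOUT):
    """A healthy tunnel re-authenticates once per timeout: 24h / 8h = 3."""
    return -(-window // timeout)  # ceiling division on timedeltas


def parse_starts(lines):
    """Return {user: sorted Start timestamps}; Stop/Interim and junk are skipped."""
    starts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["type"] != "Start":
            continue
        starts[m["user"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return {user: sorted(ts) for user, ts in starts.items()}


def max_in_window(times, window=WINDOW):
    """Largest number of starts that fall inside any window-length interval."""
    best = 0
    for i, t in enumerate(times):
        j = bisect_left(times, t + window)  # first start at or after t + window
        best = max(best, j - i)
    return best


def flag_unstable(lines, window=WINDOW, timeout=SESSION_TIMEOUT, slack=2):
    """Users whose peak reconnect count in any window exceeds the timeout
    prediction plus `slack` (a couple of legitimate extra logins a day).
    Returns {user: (peak_starts, expected_starts, median_gap_minutes)}; the
    median gap is what you compare against a suspected throttling timer."""
    expected = expected_starts(window, timeout)
    report = {}
    for user, times in parse_starts(lines).items():
        peak = max_in_window(times, window)
        if peak > expected + slack:
            gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
            report[user] = (peak, expected, round(median(gaps), 1))
    return report


def make_sample():
    """Constructed accounting log: site-a is healthy (Starts 8h apart, with
    Stop records that must be ignored); site-b flaps every 9 minutes for 6h."""
    base = datetime(2010, 4, 26, 0, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    for k in range(3):
        t = base + k * SESSION_TIMEOUT
        stop = t + SESSION_TIMEOUT - timedelta(seconds=1)
        lines.append(f"{t:{fmt}} Acct-Status-Type=Start NAS-IP=203.0.113.10 User=site-a")
        lines.append(f"{stop:{fmt}} Acct-Status-Type=Stop NAS-IP=203.0.113.10 User=site-a")
    for k in range(40):
        t = base + timedelta(hours=2) + k * timedelta(minutes=9)
        lines.append(f"{t:{fmt}} Acct-Status-Type=Start NAS-IP=198.51.100.7 User=site-b")
    return lines


if __name__ == "__main__":
    for user, (peak, expected, gap) in flag_unstable(make_sample()).items():
        print(f"{user}: {peak} starts in 24h (expected ~{expected}), median gap {gap} min")
```

Run against a real accounting export, the median gap is the useful second number: a peer that reconnects every few minutes like clockwork looks like the timer-based throttling James describes, while random gaps of minutes to hours look more like the modem-reboot cases in Michael's post.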
More information about the NANOG mailing list