VPN over Comcast

Mark Mayfield mark.mayfield at metro-inet.us
Wed Apr 28 08:38:20 CDT 2010

In June of last year, when Comcast did firmware updates on the business gateways in the MSP area, we lost all (3) of our sites with Netgear gateways, but not the sites SMC gateways (the management interface is almost identical, but the brand is marked on the modem).  Business support was apparently aware of a Cisco VPN problem through the Netgear, and simply replaced the Netgear units with SMC, and we haven't had issues since.  This is IOS to ASA site-to-site VPN.

Mark Mayfield
City of Roseville
Network Systems Engineer

2660 Civic Center Drive
Roseville, MN 55113

-----Original Message-----
From: Michael Malitsky [mailto:malitsky at netabn.com]
Sent: Tuesday, April 27, 2010 12:43 PM
To: nanog at nanog.org
Subject: VPN over Comcast

I will probably be laughed at, but I'll ask just in case.

We are having particularly bad luck trying to run VPN tunnels over
Comcast cable in the Chicago area.  The symptoms are basically complete
loss of connectivity (lasting minutes to sometimes hours), or sometimes
flapping for a period of time.  More often than not, a reboot of the
cable modem is required.  The most interesting ones involve the
following: a PIX or ASA configured as an EZvpn client, connecting to a
3000 concentrator, authentication over RADIUS.  When I go to look at the
RADIUS logs, I see connections from the same box with small intervals.
Timeout is 8 hours, so theoretically I should see 3 connections in a
24-hr period.  In some cases, I see dozens, in the most egregious cases,
thousands over a 24-hour period.  I am taking that as an indicator of a
really unstable Comcast circuit.  We have not had this problem with any
other ISP, anywhere in the country.
I am pretty much down to telling customers to find another provider...

Any thoughts or ideas on the matter will be appreciated.

PS.  To be fair (?) to Comcast, this is not a ubiquitous problem.  It
affects about 25% of the installations I get to see.

Michael Malitsky

Confidentiality Statement: The documents accompanying this transmission contain confidential information that is legally privileged.  This information is intended only for the use of the individuals or entities listed above.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited.  If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.

More information about the NANOG mailing list