VPN tunnels between US and China dropping/slow

Mike Tancsa mike at sentex.net
Tue May 10 14:39:20 UTC 2011


On 5/10/2011 10:12 AM, Thomas York wrote:
> At my current place of business, we have several manufacturing plants in
> China as well as the United States. All of the plants have an OVPN tunnel to
> a datacenter here in Indianapolis which connect all of the plants. Our China
> plants pay for the basic 3mbit/3mbit fiber internet connections. I've had a
> hell of a time keeping their tunnels up. They're running on port 443 over
> TCP now, but every month or so the tunnel degrades so badly I have to switch
> the port. I've recently tried tunneling OVPN (UDP) over a GRE tunnel and

Perhaps a DPI issue ?  We make use of OpenVPN a lot here.  When the
local ILEC started rolling out their DPI boxes, our VPN traffic was
initially identified as bit torrent traffic and was being tampered with.
Of course they said that was impossible... It took a good month before
I was able to get to the right people to actually look at the pcaps that
demonstrated the issue.  I set up an openvpn tunnel between the two
impacted sites (A,B).

From A, I would do a straight up icmp ping to B. It would get to the
other side 100% clean.

At the same time, I would do a ping inside the VPN tunnel.  It would
show dropped packets.

I then used hping to generate UDP packets the same size as or bigger than
the VPN packets, but with all FF as the payload, so it didn't look like
anything to the DPI boxes. This too would get to the other side 100% of
the time.  But the VPN UDP packets would experience loss.  The DPI
vendor then made some patches and/or config changes to stop messing up
our traffic and we have been ok since.

Not sure what you can do on the China side to test things, but perhaps
set up an OpenVPN instance in one of those free test instances in Amazon
and see if you see the loss from there to China.


	---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
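The differential test described in the message above (plain ICMP between the endpoints, a ping carried inside the tunnel, and same-size UDP probes filled with 0xFF) can be scored mechanically once the three results are in hand. The script below is an added example, not code from the post or from OpenVPN/hping; it builds the all-0xFF payload file for hping3, parses the summary lines that ping and hping3 print, and labels the outcome as path loss, size/rate-dependent loss, or content-dependent loss (the pattern consistent with a DPI box acting on the VPN's packets). The sample summary lines are constructed to resemble the symptom described, the hping3 command in the comment is my assumption of the invocation, and the 2% "clean" threshold is an assumed cutoff.

```python
import re

# Summary line formats as printed by iputils ping and by hping3:
#   ping:   "100 packets transmitted, 97 received, 3% packet loss, time 99123ms"
#   hping3: "100 packets transmitted, 100 packets received, 0% packet loss"
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def ff_payload(size: int) -> bytes:
    """All-0xFF payload sized like the tunnel's UDP datagrams.

    Written to a file, this is what hping3 sends when given that file as
    payload (assumed invocation: hping3 -2 -p 1194 -d <size> -E ff.bin -c 100 <B>),
    so the probe matches the VPN packets in size and rate but carries no
    protocol structure a classifier could key on.
    """
    if size <= 0:
        raise ValueError("payload size must be positive")
    return b"\xff" * size


def parse_loss(summary: str) -> float:
    """Fraction of probes lost, taken from a ping/hping3 summary line."""
    m = SUMMARY_RE.search(summary)
    if m is None:
        raise ValueError(f"unrecognised summary line: {summary!r}")
    sent, received = int(m.group(1)), int(m.group(2))
    if sent == 0:
        raise ValueError("no probes were sent")
    return 1.0 - received / sent


def classify(outside_loss: float, inside_loss: float, ff_loss: float,
             threshold: float = 0.02) -> str:
    """Interpret the three probe results.

    outside_loss : plain ICMP between the endpoints, outside the tunnel
    inside_loss  : ping carried inside the tunnel (i.e. the VPN's own packets)
    ff_loss      : UDP probes of the same size with an all-0xFF payload
    threshold    : loss fraction still treated as clean (assumed: 2%)
    """
    if inside_loss <= threshold:
        return "no-loss"            # the tunnel is not actually losing packets
    if outside_loss > threshold:
        return "path-loss"          # everything is lossy: look at the path, not DPI
    if ff_loss > threshold:
        return "size-or-rate"       # opaque packets of that size also drop: MTU/policing
    return "content-dependent"      # only the VPN's packets drop: consistent with DPI


# Constructed sample output, modelled on the symptom in the message above:
# clean outside the tunnel, lossy inside it, clean for opaque same-size UDP.
SAMPLE = {
    "outside": "100 packets transmitted, 100 received, 0% packet loss, time 99087ms",
    "inside":  "100 packets transmitted, 83 received, 17% packet loss, time 99210ms",
    "ff":      "100 packets transmitted, 100 packets received, 0% packet loss",
}


def diagnose(samples: dict) -> str:
    """Parse the three summaries and return the verdict label."""
    return classify(parse_loss(samples["outside"]),
                    parse_loss(samples["inside"]),
                    parse_loss(samples["ff"]))


if __name__ == "__main__":
    print(f"0xFF payload bytes: {len(ff_payload(1400))}")
    print("verdict:", diagnose(SAMPLE))
```

Run the three probes against the remote endpoint with the same count and roughly the same packet size, then feed the summary lines to `diagnose`. A "content-dependent" verdict is what the pcaps in the story showed: the loss tracks what the packets look like rather than how many or how large they are, which is the evidence worth handing to the carrier.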
