Skip to main content
ikmarwright
ikmarwright
New Member
June 14, 2020
Question

Can consistently ping over IPSEC, but sometimes can't run programs

  • June 14, 2020
  • 1 reply
  • 7431 views

I was in a remote office today where we have a 60E talking to a 100E (both 6.0.9). Using PRGT I know the lines have been consistently up. No significant latency issues, dropped packets or such.

 

But sometimes when I connect to the server behind the 100E (where I have a SQLExpress database, a Splashtop streamer and shared drives) , I get timeout errors -- like it can't see the server. But I can ping the server (with 22ms responses) at the same time it won't connect via any other software. 

 

Seconds later, everything works again.  And I haven't been able to repeat the issue if I use a SSL-VPN connection from my remote office. All communication is over a FAP221E (newest firmware) -- the remote office is all WiFi. And I can't force the issue to repeat. It could happen twice in ten minutes and then not happen for three hours.

 

We do have an ongoing issue in both offices (two different ISPs) where every couple days the modems have to be reset -- and neither ISP knows why. I was going to run a trace, but then it stopped happening (for now). It's driving staff nuts, and because of COVID my access is VERY limited. 

 

The one thing (that was supposed to be temporary) is the internal DNS server is behind the 100E, but considering half my software connects by IP, that shouldn't be the issue.

 

Anyone have any ideas?

    1 reply

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    June 15, 2020

    just as a hint...

     

    ping working but 'real' protocol's payload not - sounds like an MTU issue. Lately, I encountered a similar situation and the culprit was the CPE modem's speed setting - 100/full. Switched the FGT port to 100/full and everything worked.

     

    You could try

    - using ping, disallow fragmentation ('ping -f')

    - run ping with increasingly bigger packets, up to 1500 bytes

    1500 should never work over a VPN, you'll probably will lose all packets at 1372 or such.

    ikmarwright
    ikmarwrightAuthor
    New Member
    June 15, 2020

    Hi Ede

     

    Thanks. :)

     

    The modem and FGT are both 1000/full. And we have no problems with SSL-VPN over the same infrastructure (even though you are right in that it fragments after 1360) -- it's only the IPSEC that seems to fail.

     

    Anyway I ran ping -f -l XXXX <ip> and it's inconsistent across IPSEC. Is that normal? 90% of the time a 1470 size packet does not need to be fragmented, but the other 10% of the time it does (at these times I have to drop it to 1400). Does that suggest an issue with a hop between the two sites? Or should I just drop the MTU to 1400 and not worry around it?

     

    Dave

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    June 16, 2020

    Strange, I agree.

    Well, if it fixes the problem, reduce the MTU to 1400. This should not affect throughput much (not at all in comparison to frequent failures). A working solution is not always the most satisfying solution.

    Terms & ConditionsAccessibility statement