Site-to-site VPN Issue

From: rpaz61 (rpaz61_at_discussions.microsoft.com)
Date: 01/05/05


Date: Wed, 5 Jan 2005 14:40:19 -0800

Here's the setup:

Main Office

Server:
Windows Server 2003 domain controller
IP address: 192.168.1.10
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1
Services: Active Directory, DNS, DHCP

Clients:
Mixture of PCs running Windows 2000 Professional with SP3 and Windows XP
Professional with SP2

Network:
Dell 16-port switch
SBC 768K SDSL

Firewall:
Sonicwall TZ170 Internet Security Appliance
LAN IP = 192.168.1.1
LAN Subnet Mask = 255.255.255.0
Firmware version: SonicOS Standard 2.2.0.1
Revision: 2.2.0_pp_8s $
ROM version 2.0.0.3
Previous firmware version: 2.0.0.2
Fragment outbound packets larger than WAN MTU: 1
WAN MTU: 1404
CP Wan MTU: 1404
WAN Ignore DF Bit for non-VPN traffic: 1

Site-to-site VPN:
Encrypt/Auth - ESP DES HMAC MD5
Key Exchange: Manual Keys
VPN Terminated at: LAN
netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
TunnelForAllOutboundTraffic off
Authentication of local users off, Authentication of remote users off
remote subnet for netbios 255.255.255.0
destIP begin 192.168.2.1, end 192.168.2.254

Remote Office

Clients:
4 Dell PCs running Windows XP Professional with SP2

Network:
Belkin 8-port 10/100 hub
Choice One 768K SDSL

Firewall:
Sonicwall TZ170 Internet Security Appliance
LAN IP = 192.168.2.1
LAN Subnet Mask = 255.255.255.0
Firmware version: SonicOS Standard 2.2.0.1
Revision: 2.2.0_pp_8s $
ROM version 2.0.0.3
Previous firmware version: 2.0.0.2
Fragment outbound packets larger than WAN MTU: 1
WAN MTU: 1404
CP Wan MTU: 1404
WAN Ignore DF Bit for non-VPN traffic: 1
DHCP Server:
Enable DHCP = 1
Lease Period = 1440 minutes
  Range Start = 192.168.2.100
  Range End = 192.168.2.110
  Interface = LAN
  Default Gateway = 192.168.2.1
  Subnet Mask = 255.255.255.0
  Domain Name = <NULL>
  DNS Servers = 192.168.1.10

Site-to-site VPN:
Encrypt/Auth - ESP DES HMAC MD5
Key Exchange: Manual Keys
VPN Terminated at: LAN
netbios off, ApplyNatAndRules off, ForwardPacketsToRemoteVPNs off
TunnelForAllOutboundTraffic off
Authentication of local users off, Authentication of remote users off
remote subnet for netbios 255.255.255.0
destIP begin 192.168.2.1, end 192.168.2.254

A site-to-site VPN between both Sonicwall TZ170s connects the Remote Office
to the Main Office. All four PCs at the Remote Office authenticate across
the VPN to the Windows Server 2003 domain controller. At the Remote Office,
DNS is resolving to the domain controller across the VPN.

Issue:

All users use a Windows-based application that connects to a database on the
Windows Server 2003 domain controller.

There are not any performance issues in the Main Office. There are
performance issues with clients accessing the database and copying/opening
files from the server to the client PC over the VPN from the Remote Office.
We ran a packet trace (netcap.exe on a Windows XP SP2 PC at the Remote Office
and netmon.exe on the Windows Server 2003 domain controller) while copying a
12.7MB file from the server to the client PC. What we found is that the
client PC at the Remote Office is repeatedly sending ACKs across the VPN
tunnel to the domain controller, and yet the domain controller is repeatedly
sending ACKs across the VPN tunnel to the client PC.

We do not know what's causing this issue. Sonicwall states that there's
nothing wrong with their hardware or the VPN tunnel itself.

Does anyone have any ideas?

Thanks in advance!!

Rob

PS - I can send the packet trace capture files if needed. Just let me know.
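
Added example, not part of the original post: the tunnel settings listed above (ESP DES with HMAC-MD5, WAN MTU 1404) determine how large an inner IP packet can be before the encapsulated packet exceeds the WAN MTU. The sketch assumes IPv4 tunnel mode without options or NAT-T, DES-CBC with an 8-byte IV, a 12-byte HMAC-MD5-96 ICV, a 1500-byte LAN MTU, and fragmentation applied to the ESP packet after encryption; all function names are illustrative.

```python
# Added example: ESP tunnel-mode size arithmetic for the settings in the post.
# Assumptions (not stated in the post): IPv4 outer header without options,
# no NAT-T/UDP encapsulation, DES-CBC (8-byte IV, 8-byte blocks),
# HMAC-MD5 truncated to 96 bits (12-byte ICV), 1500-byte LAN MTU.

OUTER_IP = 20        # new IPv4 header added in tunnel mode
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options

def esp_packet_size(inner_len, block=8, iv=8, icv=12):
    """Size on the WAN of an inner IP packet after ESP tunnel encapsulation."""
    # Inner packet + trailer is padded up to a whole number of cipher blocks.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HEADER + iv + encrypted + icv

def max_inner_packet(wan_mtu, block=8, iv=8, icv=12):
    """Largest inner IP packet whose ESP packet still fits in wan_mtu."""
    room = wan_mtu - (OUTER_IP + ESP_HEADER + iv + icv)
    return (room // block) * block - ESP_TRAILER

def fragments_needed(inner_len, wan_mtu):
    """IPv4 fragments needed if the ESP packet is fragmented after encryption."""
    total = esp_packet_size(inner_len)
    if total <= wan_mtu:
        return 1
    payload = total - OUTER_IP
    per_fragment = ((wan_mtu - OUTER_IP) // 8) * 8  # fragment data is 8-byte aligned
    return -(-payload // per_fragment)

def report(wan_mtu=1404, lan_mtu=1500):
    """Summarise the sizes for the WAN MTU from the post and an assumed LAN MTU."""
    inner_max = max_inner_packet(wan_mtu)
    return {
        "max_inner_packet": inner_max,
        "max_tcp_mss": inner_max - TCP_IP_HEADERS,
        "full_lan_packet_on_wan": esp_packet_size(lan_mtu),
        "fragments_for_full_lan_packet": fragments_needed(lan_mtu, wan_mtu),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Comparing the computed maximum segment size with the MSS values seen in the SYN packets of a capture shows whether full-size segments fit in the tunnel unfragmented.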


