Hi Philippe (thanks for your input!) -
Definitely not a saturated WAN - all devices are on the same 24 port 100
Mbs switch, but only the four most recently added systems exhibit
problems, and they sort of trade places so that any two of them at a
given time have intermittent connectivity (I know - very strange),
regardless of how I reconfigure the network or bring systems up or
down. If it were the WAN, at some point one of the other 14 systems
would have shown problems as well (this has been going on for three
weeks). Also, this is only 18 systems, mostly small email, over a 1.5Mb
T1 to a 1.5 Mb T1 and a fully 100 MBs network LAN'd together on a good
gigabit switch. The other side is the same but has about 25 systems or
so - I rarely see the network even get to 3 MBs during peak times on
either side. The m0n0walls are overkill (it was cheaper!) with 1.8 GHz
Durons, 128 Mb memory on flash drives and gigabit cards (unfortunately
sk0 though, with very occasional Watchdog timeouts - what is the problem
with that driver? I'm pretty certain this wouldn't be related to the
problem because of the "just four systems" issue.)
I have phase 1 and phase 2 both set to 28000 - I know this is low for
phase 2. I had the same problem with phase 2 set to 86000 (and phase 1
at 28000), but I changed it because I suspected it as a possible problem
- I don't really understand the VPN lifetime issue, and it seems more an
art form than an either/or setting.
A bit more info: it seems that all four, or at least some of the four
(not just one) of the problem systems (3 new Dells, 1 old but with new
user and new machine name) need to be connected for me to get the
problem to occur (it is extremely pernicious - if I look at it in the
evening when people are gone, I have to work hard to get it to happen by
logging on to all of the problem systems and opening Outlook - once it
happens, I have to work hard to fix it!) Just for interest's sake, here
are the things that can get the behavior to change on a specific system
for a short time (5 minutes, 1 hour, until the next morning, etc.):
1. switch from ESP to AH (but not back - AH definitely helps the problem)
2. go into control panel -> mail and change a few settings, like
authentication method from Kerberos to NTLM or back
Right now, all four of the systems are happily working properly using
RPC over HTTPS across the WAN, which is annoying but works.
Interestingly, RPC over HTTPS over the VPN still failed the same way, so
it isn't a protocol issue (my original suspicion was that MS was trying
to limit firewalls to MS Certified ones by modifying RPC or Kerberos
such that a firewall would have to "know" about the modification to deal
with them properly - I know, conspiracy stuff, but I don't trust MS much).
Sorry for the long posts - just trying to be thorough!
Philippe Lang wrote:
> Jeff, I've just read your last report on Monowall / Exchange, and one thing you haven't mentioned,
> is VPN lifetime. Is that OK on your configuration? Do you have a router or something on your network
> that could timeout maybe?
> And what about your bandwidth? A saturated WAN could also explain why your new machines are being
> Hope this helps.