Hi Philippe (thanks for your input!) - Definitely not a saturated WAN - all devices are on the same 24-port 100 Mb/s switch, but only the four most recently added systems exhibit problems, and they sort of trade places so that any two of them at a given time have intermittent connectivity (I know - very strange), regardless of how I reconfigure the network or bring systems up or down. If it were the WAN, at some point one of the other 14 systems would have shown problems as well (this has been going on for three weeks).

Also, this is only 18 systems, mostly small email, over a 1.5 Mb T1 to a 1.5 Mb T1, and a fully 100 Mb/s network LAN'd together on a good gigabit switch. The other side is the same but has about 25 systems or so - I rarely see the network even get to 3 Mb/s during peak times on either side. The m0n0walls are overkill (it was cheaper!) with 1.8 GHz Durons, 128 Mb memory on flash drives and gigabit cards (unfortunately sk0 though, with very occasional watchdog timeouts - what is the problem with that driver? I'm pretty certain this wouldn't be related to the problem because of the "just four systems" issue.)

I have phase 1 and phase 2 both set to 28000 - I know this is low for phase 2. I had the same problem with phase 2 set to 86000 (and phase 1 at 28000), but I changed it because I suspected it as a possible problem - I don't really understand the VPN lifetime issue, and it seems more an art form than an either/or setting.

A bit more info: it seems that all four, or at least some of the four (not just one) of the problem systems (3 new Dells, 1 old but with new user and new machine name) need to be connected for me to get the problem to occur (it is extremely pernicious - if I look at it in the evening when people are gone, I have to work hard to get it to happen by logging on to all of the problem systems and opening Outlook - once it happens, I have to work hard to fix it!)

Just for interest's sake, here are the things that can get the behavior to change on a specific system for a short time (5 minutes, 1 hour, until the next morning, etc.):

1. switch from ESP to AH (but not back - AH definitely helps the problem a little)
2. go into Control Panel -> Mail and change a few settings, like authentication method from Kerberos to NTLM or back

Right now, all four of the systems are happily working properly using RPC over HTTPS across the WAN, which is annoying but works. Interestingly, RPC over HTTPS over the VPN still failed the same way, so it isn't a protocol issue (my original suspicion was that MS was trying to limit firewalls to MS-certified ones by modifying RPC or Kerberos such that a firewall would have to "know" about the modification to deal with them properly - I know, conspiracy stuff, but I don't trust MS much).

Sorry for the long posts - just trying to be thorough!

Jeff

Philippe Lang wrote:
> Jeff, I've just read your last report on Monowall / Exchange, and one thing you haven't mentioned is VPN lifetime. Is that OK on your configuration? Do you have a router or something on your network that could time out, maybe?
>
> And what about your bandwidth? A saturated WAN could also explain why your new machines are being logged out.
>
> Hope this helps.
>
> Bye
>
> Philippe
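Since the thread turns on the phase 1 / phase 2 lifetime question, here is an added example (not part of the original post or of m0n0wall) that does the two checks a practitioner would actually want: a sanity check on a lifetime pair (the rule of thumb applied is that the phase 2 lifetime should not exceed the phase 1 lifetime, so every IPsec SA is negotiated under a live ISAKMP SA), and a pass over racoon-style log lines that measures how long SAs really live before they are renegotiated, flagging rekeys that happen well before the configured lifetime. Such premature rekeys point at something other than the timer (a peer dropping SAs, dead-peer detection, link flaps). The log lines are constructed for the example, the exact racoon message wording is assumed, and the lifetimes used are the 28000/86000 values from the post.

```python
"""Added example: IPsec lifetime sanity check plus rekey-interval analysis
of racoon-style log lines.  The log text below is constructed, and the
exact racoon message format it imitates is an assumption."""
import re
from datetime import datetime

# One racoon log line per SA event.  Racoon writes "ISAKMP-SA established
# A[500]-B[500] spi:..." for phase 1 and "IPsec-SA established: ESP/Tunnel
# A[500]->B[500] spi=..." for phase 2 (wording assumed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: INFO: "
    r"(?P<kind>ISAKMP-SA|IPsec-SA) (?P<event>established|expired):? "
    r"(?:ESP/Tunnel )?(?P<local>[\d.]+)\[\d+\](?:->|-)(?P<peer>[\d.]+)\[\d+\]"
)


def check_lifetimes(phase1: int, phase2: int) -> list[str]:
    """Return warnings for a phase 1 / phase 2 lifetime pair (both in seconds).
    Rule of thumb used here: phase 2 must not outlive phase 1."""
    warnings = []
    if phase1 <= 0 or phase2 <= 0:
        warnings.append("lifetimes must be positive")
    if phase2 > phase1:
        warnings.append(
            f"phase 2 lifetime {phase2}s exceeds phase 1 lifetime {phase1}s; "
            "IPsec SAs would be renegotiated under an expired ISAKMP SA"
        )
    return warnings


def rekey_intervals(log_text: str) -> dict[tuple[str, str, str], list[int]]:
    """Seconds between successive 'established' events, keyed by
    (SA kind, local address, peer address) as printed in the log."""
    last: dict[tuple[str, str, str], datetime] = {}
    intervals: dict[tuple[str, str, str], list[int]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["event"] != "established":
            continue
        key = (m["kind"], m["local"], m["peer"])
        # syslog timestamps carry no year; differences are all we need
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if key in last:
            intervals.setdefault(key, []).append(int((ts - last[key]).total_seconds()))
        last[key] = ts
    return intervals


def premature_rekeys(intervals, lifetime: int, threshold: float = 0.5):
    """(key, interval) pairs where an SA was renegotiated before
    `threshold` of its configured lifetime had elapsed."""
    return [(key, iv) for key, ivs in intervals.items()
            for iv in ivs if iv < lifetime * threshold]


# Constructed log sample: one ISAKMP SA, then phase 2 SAs that expire after
# 7.5 minutes (far below a 28000 s lifetime) and later one at ~27549 s.
LOG = """\
Mar  3 08:00:00 m0n0wall racoon: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.1[500] spi:0a1b2c3d4e5f6071:1122334455667788
Mar  3 08:00:01 m0n0wall racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[500]->198.51.100.1[500] spi=262216549(0xfa0e765)
Mar  3 08:00:01 m0n0wall racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[500]->203.0.113.1[500] spi=98765432(0x5e30a78)
Mar  3 08:07:30 m0n0wall racoon: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.1[500]->198.51.100.1[500] spi=262216549(0xfa0e765)
Mar  3 08:07:31 m0n0wall racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[500]->198.51.100.1[500] spi=262216550(0xfa0e766)
Mar  3 08:07:31 m0n0wall racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[500]->203.0.113.1[500] spi=98765433(0x5e30a79)
Mar  3 15:46:40 m0n0wall racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[500]->198.51.100.1[500] spi=262216551(0xfa0e767)
"""

if __name__ == "__main__":
    for p1, p2 in ((28000, 86000), (28000, 28000)):
        print(f"phase1={p1} phase2={p2}:", check_lifetimes(p1, p2) or "ok")
    ivs = rekey_intervals(LOG)
    for key, seconds in ivs.items():
        print(key, seconds)
    for key, iv in premature_rekeys(ivs, 28000):
        print("premature rekey:", key, f"after {iv}s")
```

Run it against the real m0n0wall IPsec log instead of the constructed `LOG` text; an SA that keeps coming back after a few minutes when the lifetime is several hours means the timer is not what is tearing the tunnel down.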