[vpn-help] Windows 7 32bit poor performance and timeouts

[Matthew Grooms]

On 10/7/2010 12:03 PM, bernd.muschke at online.de wrote:
>
> Hi,
> some of our Win7 desktops are running fine with 2.1.6 and some are not.
> The problems appears while transferring files, very poor performance and a lot of timeouts which makes it nearly impossible to transfer large files.
> We don’t have a clue why this happens on some desktops and on the others not. All are using the same version of Shrew and the same (imported) policy.
>
> The problem is not related to cables or switches, this has been tested.  Non VPN traffic is ok with all Desktos.
>
> Any ideas how to locate the source of this problem?
> Thanks
>

Hi Bernd,

These are always the most difficult type of problem to trouble shoot. 
The VPN connection can be established, but a subset of the clients 
experience problems for one reason or another. The key to diagnosing the 
issue is identifying what the troublesome clients have in common and how 
they differ from the clients that are working well. I'm not sure how 
much control you have over the network environment that the client is 
connecting from, but that can certainly have an impact on connectivity. 
You say you have checks switches and cables, but I'm not sure if that 
means the clients are in a remote office network that you manage, or if 
they are connecting from home over a public network.

Here are some things to investigate ...

1) Are all the troublesome clients using the same internet provider? Its 
possible that one network provider is shaping traffic in a way that 
causes problems for the VPN client. Other times, an internet provider 
will handle UDP packets ( IPsec NAT-T ) strangely. You can try dropping 
the MTU on the virtual adapter to see if this resolves your issue. You 
can also try disabling NAT-T support on the VPN client to see if that 
has an effect. The drawback to this is that multiple clients behind a 
single firewall won't work properly without NAT-T enabled. Ultimately, 
the best way to rule out provider problems is to re-locate a troubled 
machine into the same source network as a working machine.

2) Are all the troublesome clients using a particular brand of SOHO 
router/firewall? VPN client traffic is sometimes handled incorrectly by 
the vendor firmware. This can often be resolved by updating to a newer 
firmware release version. You can also check to see if VPN pass-through 
features are enabled on the SOHO router/firewall. Sometimes these can 
cause problems with modern VPN clients.

3) Are all the troublesome clients using the same make/model of network 
interface? It could be that the VPN client isn't working well with a 
particular vendors network kernel driver for some reason. In this case,
try looking for an updated driver version and see if that helps. You can 
also try adding a different make/model network card to test and see if 
this resolves the issue. If so, please let me know which make/model of 
hardware is giving you trouble.

4) Are the working / troublesome clients using the same types of IP 
protocols inside the tunnel. For example, SMB/CIFS uses UDP where remote 
desktop sessions use TCP. You could test this by transferring a file 
using a samba or windows network file share vs transferring the same 
file using http, sftp or ftp. I don't have any good suggestions for 
fixing this off the top of my head, but its a good data point for 
further investigation.

Hope this helps,

-Matthew