[vpn-help] Packet loss when using 2.2.2 Windows x64 client on cable Internet connections

Jim Harle vpn at technicolor.com
Fri Jul 26 17:47:20 CDT 2013


Greetings, this is my first post to this list.  It is quite long, so if you have no interest in reading the context, you can skip to the last sentence at the end.

We are in the midst of a project involving Windows 7 x64 PCs which are "directly" connected to the Internet (public IP resides on a NIC in the PC), as opposed to behind a NAT device/hardware firewall as is typical.  These Windows PCs are using the Cisco VPN client (IPsec with NAT traversal, split-tunneled) to connect to a Cisco ASA gateway in our datacenter.  This ASA terminates many hundred VPN tunnels, mostly from Cisco 871 routers.  The Internet connections for the PCs are a mixture of "commercial grade" DSL or cable (mostly DSL)...using various carriers.

We've had intermittent issues with the Cisco client, where it will establish the VPN tunnel, but not pass private traffic through the tunnel.  This is nearly always cleared up by power-cycling the DSL modem.  We have two chronic sites in Texas, both using Suddenlink cable Internet, which are having the Cisco-connects-but-doesn't-pass traffic problem.  However, power-cycling the cable modem at these sites doesn't always fix it.  So, we decided to try the Shrew Soft 2.2.2 client on these two PCs.

The Shrew Soft client works on both of these PCs, with some caveats:

- Packet loss of up to 30% is introduced on the public connection (and likewise the tunnel) while the VPN tunnel is active.  This can be verified by using the "line quality" test at http://dslreports.com/pingtest.  When no tunnel is established, there is no packet loss.

- The packet loss through the tunnel seems to degrade over time, as does the tunnel connectivity itself.  After an average of five hours, the VPN tunnel will establish and pass traffic, but only for about 30 seconds before the tunnel is dropped.  A reboot of the PC makes things "better" again (connection stays up, but with much packet loss).

- The VPN tunnel will only work with no NAT traversal (IP-to-IP ESP).  If we force the Shrew client to use NAT traversal, the tunnel will establish, but no traffic will pass through it (kinda like the Cisco client problem).

I've attempted to analyze what is happening using Wireshark, although I'm not gleaning any useful information from the packet captures.  I've also tried various MTU settings, with the same results as above.

A colleague and I have also tried testing the Shrew client on one of these PCs, while directly connected to our cable modems (we both use Comcast).  We experience the identical symptoms as I've listed above, although we have more success with the Cisco client working than our Suddenlink sites (but the Cisco client doesn't always pass traffic).  Even weirder, I've confirmed the same symptoms using completely different hardware/NICs, and also different Windows versions (7 and 8), connecting to two different Cisco ASA gateways, all with the same results.  My colleague installed Ubuntu on one of our PCs and tried that with the Shrew client, and that one worked just fine - no packet loss or problems.  Additionally, we have tried the Shrew client on DSL and fiber-connected Internet sites, using the same PCs (identical hardware and OS image), and those have been solid.   It is truly a mystery why the Windows PCs have a problem with the Shrew client on four different cable connections.

So finally, I simply ask the question, has anyone else seen a packet loss issue when using the Shrew x64 client on a Windows PC, using a "direct" cable Internet connection (no NAT device between the PC and bridged cable modem)?

Many thanks,

Jim
