Netscreen 5GT Site-to-Site performance
Hi,
We're looking at a Netscreen 5GT site to site VPN device over an 8MB ADSL link into corporate network.
Once the VPN tunnel is up and the user is logged in the functionality of corporate applications is great and perform pretty close to as they would on a private ADSL link from a provider.
The only issue we really have is it takes around 5 minutes for one connected user to login to the network. Is this a normal time for site to site VPNs?
Our private DSL links take a couple of minutes, but we're moving away from that method due to some bad experiences with our provider and looking for something we can deploy quickly to sites utilising a joe bloggs business broadband ADSL connection.
There's another couple of techy bits we need to look at but they don't cause us any great concerns. Anybody use the 5GT boxes over ADSL for remote offices and what's the performance like etc?
Cheers
Malc
Comments
-
astorrs: Are these existing 5GTs or are they new (and if they're new why not buy SSGs?)
What version of ScreenOS are you running? -
slinuxuzer: Is this user the only user having this problem? It could be that he isn't actually contacting your domain controller (assuming you're referring to an AD login). In the event he can't contact a DC his computer will wait the timeout period and then eventually authenticate via cached credentials, so let us know how many people are in the remote site, and if he is the only one with this issue. If so you might try un-joining and re-joining the domain, and possibly deleting his local profile (make sure to back up all his settings and files before you do this though).
-
malcybood: astorrs,
It is some pilot kit we got to do a POC test with as part of a proposal from a potential supplier. One SSG140 head end device and one 5GT "remote site" device with integrated ADSL card to replace current speedtouch bog standard DSL router. At present we have checkpoint secureclient, client to site VPN for around 200 small remote sites, which has several limitations around "full" network logins and around 150 private ADSL which gives us what we need but the service is terrible in respect of commissioning / decommissioning sites, billing etc. We have a high churn rate of up to 40 - 50 sites per month.
Potentially we will eventually transition all 350 sites onto the new solution so it has to be a cost effective. I'm guessing this is why 5GT was put forward, does the job doesn't need to be fancy, just secure. Not sure what version of ScreenOS, just configured through the GUI for the POC with some help from the solutions provider.
slinuxuzer,
It's a Novell 6.5 network environment not AD, however it could be something similar to the timeout issue you mentioned. We do not have profile caching of any sort setup - workstation only or full network login, plus it does eventually fully login. One of the problems we have with the checkpoint client to site VPN is that SLP info (DHCP options 78 & 79) is not passed by the Checkpoint "office mode" DHCP server, which gives the limitations to being able to see the full Novell Tree, causing issues with remote control and rolling out patches / upgrades via ZENworks.
The one user getting the issue was me lol. This solution has not been rolled out anywhere, only POC testing for a few hours last week....I config'd the head office box, ensured all routing was working etc then drove out to the remote site to test. As I say it eventually logged in, once it took 3m30s, then 4m30s then 5m30s.
I know the fact that the internet is contended is a factor but it still shouldn't take 5min to login.
There are some more things I've got in mind to try this week anyway, i.e. setting up a DHCP scope on our Novell DNS/DHCP server and use a DHCP relay / IP helper address, for the site as opposed to using any of the Juniper kit for DHCP (5GT currently assigns DHCP, but DNS is corporate DNS server). Also we are waiting on a static IP address from BT for the 5GT end (POC test was setup at quite short notice), as we "jiggery pokery'd" the setup to work with dynamic addressing from the ISP, so this could be affecting the performance also. I will let you guys know how I get on next week.
For info the checkpoint solution was never intended to be used on this scale. It was put in around a year ago to facilitate roaming users in airports and on the road etc. We then began using it as a fall back when we stopped ordering connectivity from the problematic provider but we really need to sort something out ASAP as it's becoming a real pain to manage.
We have also had a Cisco easyVPN solution put forward from another tender, with a 2800 ISR series router + VPN module at the head end along with Cisco 877 remote devices, so may look into that more too.
Cheers
Malc -
malcybood: Just thought I'd update progress on this. After defining the relevant DHCP options this resolved the performance issue.
We initially tried to define options 78 & 79 in the local device DHCP options which was unsuccessful - same result. We then setup a DHCP scope on the Novell DHCP server and configured a DHCP relay on the juniper box.
When we did this it resolved the SLP info not being passed to the remote site and cut the login time down to 1m30s, pretty impressive stuff for a broadband internet connection!
We just need to go over the commercials on this solution now as it would be deployed to a large number of sites, but technically it does everything we need it to do.
We also plan to trial Cisco easy VPN. -
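The fix above came down to whether the remote client's DHCP offer carried the SLP options (78 = Directory Agent, 79 = scope list, as laid out in RFC 2610). The following is an added example, not code from the thread or from Juniper/Novell: it parses a DHCP option area and reports which SLP options are missing, so an engineer can confirm what the relay actually delivers. The offer bytes, the DA address 10.0.0.5 and the scope name 'CORP' are constructed for the demonstration.

```python
"""Decode the SLP DHCP options (78 = Directory Agent, 79 = scope, RFC 2610)
an eDirectory client needs. Added example, not code from the thread; the
offer bytes, DA 10.0.0.5 and scope 'CORP' are constructed/assumed."""
import ipaddress

OPT_SLP_DA, OPT_SLP_SCOPE = 78, 79

def parse_dhcp_options(raw: bytes) -> dict:
    """Walk the TLV option area (after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_slp_da(value: bytes) -> tuple:
    """Option 78: mandatory flag byte, then zero or more IPv4 DA addresses."""
    addrs = [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(1, len(value), 4)]
    return bool(value[0]), addrs

def decode_slp_scope(value: bytes) -> tuple:
    """Option 79: mandatory flag byte, then a comma-separated UTF-8 scope list."""
    return bool(value[0]), value[1:].decode("utf-8").split(",")

def missing_slp_options(raw: bytes) -> list:
    """SLP option codes absent from an offer. Empty list means the client can
    reach its DA directly instead of waiting on multicast discovery timeouts."""
    opts = parse_dhcp_options(raw)
    return [c for c in (OPT_SLP_DA, OPT_SLP_SCOPE) if c not in opts]

# Constructed DHCPOFFER option area: type 53=OFFER, mask (1), 78, 79, end (255).
OFFER_WITH_SLP = (
    bytes([53, 1, 2, 1, 4, 255, 255, 255, 0])
    + bytes([OPT_SLP_DA, 5, 1]) + ipaddress.IPv4Address("10.0.0.5").packed
    + bytes([OPT_SLP_SCOPE, 5, 1]) + b"CORP"
    + bytes([255])
)
# The same offer from a DHCP server that was never given options 78/79.
OFFER_WITHOUT_SLP = bytes([53, 1, 2, 1, 4, 255, 255, 255, 0, 255])
```

Feed it the option bytes captured from a real offer at the remote site (after the 4-byte magic cookie) to see whether the relay is passing 78 and 79 through.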
astorrs: Nice, glad you got that sorted out.
Do your branch sites need to be able to connect directly to each other as well (or would they benefit from that ability?) for things like CCTV, VOIP, etc? If so the Cisco option with DMVPN might be a better solution. Otherwise I love the Juniper gear. -
malcybood: astorrs wrote: Nice, glad you got that sorted out.
Do your branch sites need to be able to connect directly to each other as well (or would they benefit from that ability?) for things like CCTV, VOIP, etc? If so the Cisco option with DMVPN might be a better solution. Otherwise I love the Juniper gear.
thanks man, we don't need the branch offices to connect between each other. All applications are centralised to the head office data centre including the VOIP signalling server but we don't have voip on these small sites yet only the 24 main MPLS sites.
Do you know if you can put a policy in for local internet breakout to one specific web site on the juniper kit and all other traffic points to the proxy server? or is it all or nothing with the local internet breakout?? I know it's just a tick box on the GUI but just wondered if you could do anything clever with it like that......
We currently direct all internet traffic through our central proxy server, but use salesforce.com as a CRM system. So currently the browser on the PC points web traffic to our corporate proxy, which acts purely as a cache / redirector to messagelabs for content scanning. We added an exception into the proxy for salesforce traffic to bypass messagelabs in order to improve application performance, but being able to do something similar on the edge box would go a step better!
It would definitely only be Salesforce we wanted to permit to local breakout though.
On the juniper vs cisco it will ultimately come down to cost, but ease of configuration for our field engineers is also a consideration as they're mainly desktop guys but familiar with various SOHO routers i.e. linksys, netgear etc, plus they have a hell of a lot of sites to look after.
Lead times for telco services is an issue for us, as it's the construction industry so we have a lot of churn in respect to sites being commissioned and decommissioned every month. Around 40 - 50 adds, moves and changes, i.e. a sales cabin may be in a portacabin for 6 weeks then relocate to a showhome, or a site hut starts off in one location on site and then moves to the other side of the site when building starts there. Anything we can do to speed up getting connectivity on site is good. We also use 3G routers as an interim until ADSL is installed if it's not in a 3G black spot!
Also we're talking about 10 days for a PSTN line + 25 working days lead time for a private broadband link into our MPLS cloud vs approx 20 days for a PSTN + Business Broadband (joe bloggs internet) ADSL connection hence why we're looking to secure by a site to site VPN. Only concern with this is if the box is stolen and plugged into the same service provider's network in theory they're on our corporate network - currently investigating that though as we use a business service so don't think it would work on a residential service unless they changed the ADSL username and password which would take a factory reset anyway and wipe the corporate config.
The solution needs to be "easily" configured (GUI or simple manipulation of text file like the GT5 can be) and also must be able to be deployed quickly i.e. broadband line goes live monday morning, site live monday afternoon / tuesday morning type thing!
Have enjoyed & learned so much doing this POC exercise / investigation -
astorrs: Could you look at using the integrated UTM features in the devices along with SurfControl and eliminate the need to use the central proxy? This would still allow central reporting/control but would benefit you in significantly reducing the network load back to the central site.
http://www.juniper.net/solutions/literature/solutionbriefs/355001.pdf
http://www.juniper.net/solutions/literature/solutionbriefs/351202.pdf -
malcybood: astorrs wrote: Could you look at using the integrated UTM features in the devices along with SurfControl and eliminate the need to use the central proxy? This would still allow central reporting/control but would benefit you in significantly reducing the network load back to the central site.
http://www.juniper.net/solutions/literature/solutionbriefs/355001.pdf
http://www.juniper.net/solutions/literature/solutionbriefs/351202.pdf
We could look into some kind of local breakout with surf control etc, but the answer is that yes, with the current infrastructure we would be looking to keep web traffic going through the central proxy. The corporate internet pipe serves the DSL and MPLS network and the bandwidth is barely tickled at the moment......20 - 30% utilisation max, on all WAN and internet links.
All the web content scanning etc is outsourced to the market leader who do a great job for us at a very good price, so we probably would not look at bringing web content management back in house. An unjustified cost for something we already pay for and not in the business / IT strategy.
We could also just point the user web browsers to the hosted web content / filter but if we ever parted company with them, we would have 2000 workstations to tweak a reg key in IE6, where they are currently directed to our central proxy which is purely used as a re-director and for caching. If we keep this scenario and we parted company we make one change on the internal proxy not to point to the hosting company.
Thanks for the suggestion though and may be something we look at in the future. -
astorrs: What you've said probably makes sense in your case.
My experience is that usually HTTP traffic (to the internet) accounts for >50% of the total traffic on the network in most companies (assuming they allow web access to employees; email is 2nd). By diverting it off the private network, either by pushing it out the local internet port (in the case of VPNs) or in the case of MPLS through the ISP, and then using a UTM router that can still control access and report usage back to a central SurfControl/WebSense server, you can drop the amount of traffic running on the private network and probably drop the bandwidth on some of the circuit(s) in your head office, usually saving thousands a month (sometimes 10's of thousands, depending on the size of the company). If that was the case in your situation, the cost of bringing it back in house could be ROI'd in months.