
OK guys... heres your weekly EVPL problem thread

tdean Member Posts: 520
Real quick, we installed 2 new Adtran routers joining our main and remote sites. Our term servers are at the main site. Many times a day (especially end users running telnet based apps), users on thin clients at BOTH sites are now getting "protocol error" messages that kill their RDP connections and they have to log back in. This did not happen prior to adding the new Adtrans. I don't even know where to begin with this one....

Comments

    networker050184 Mod Posts: 11,962
    First thing that comes to mind is some sort of timeout. NAT maybe? How are the sites connected?
    An expert is a man who has made all the mistakes which can be made.
    tdean Member Posts: 520
    First thing that comes to mind is some sort of timeout. NAT maybe? How are the sites connected?

    It's just a point to point EVPL with the 2 Adtrans in the middle. Once traffic destined for the internet hits the Adtran it's bounced back out and over to an ASA 5510. I was told this is OK. We also have no errors on any interface, router, switch or firewall. The strange part is that the users at the main site are experiencing it also. I can post running configs if it would help.
    phoeneous Member Posts: 2,333
    Do you manage the Adtrans?
    tdean Member Posts: 520
    phoeneous wrote: »
    Do you manage the Adtrans?

    Yes. Any info you guys need I will do my best to provide. It seems the remote site is still having "random slowdown" for everyone that is accessing a term server at the main site. I honestly have done a ton of research and can't figure out why this has ended up working so poorly.
    Monkerz Member Posts: 842
    Can you give us a rough diagram of the setup and the configs of both adtrans? What was in their place before the adtrans?
    tdean Member Posts: 520
    Monkerz wrote: »
    Can you give us a rough diagram of the setup and the configs of both adtrans? What was in their place before the adtrans?
    I will do my best! Configs will be separate in the next post. Prior to this, there were WatchGuard firewalls in place doing everything. They expired and we had to set up a few VPNs so we went with ASAs.

    Remote Site

    Core Switch---ASA (to internet and separate Adtran) and EVPL Adtran (to Main Site) Both connected

    Main Site

    Core Switch --ASA to internet and Adtran (other side of EVPL)
    this site has all the term servers etc.
    tdean Member Posts: 520
    ASA Running config:

    ASA Version 8.2(4)1
    !
    hostname asa5510
    domain-name tcxxx.com
    enable password AtZdPYziKTyHRqbO encrypted
    passwd AtZdPYziKTyHRqbO encrypted
    no names
    name 172.22.1.0 Hyannis_LAN
    name 10.10.10.0 Link_to_WG
    name 172.22.0.0 TCxxx_Internal_Nets
    !
    interface Ethernet0/0
    description Comcast Internet
    nameif outside
    security-level 0
    ip address 75.xxx.xxx.73 255.255.255.248
    !
    interface Ethernet0/1
    description TCxxx Lan
    speed 100
    duplex full
    nameif tcxxx
    security-level 50
    ip address 172.22.1.234 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    nameif dmz
    security-level 10
    ip address 192.168.10.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    nameif unused
    security-level 0
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    boot system disk0:/asa824-1-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns domain-lookup dmz
    dns server-group DefaultDNS
    name-server 172.22.1.7
    name-server 172.22.1.92
    domain-name xxxxx.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list lan_nat0_outbound remark No NAT to MDxxxxx via VPN
    access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 host 192.168.100.16
    access-list lan_nat0_outbound remark No NAT for VPN Clients
    access-list lan_nat0_outbound extended permit ip 172.22.0.0 255.255.0.0 192.168.200.0 255.255.255.0
    access-list lan_nat0_outbound remark No NAT to Sandwich via VPN
    access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.22.4.0 255.255.255.0
    access-list lan_nat0_outbound remark No NAT to Ixxx Hosting
    access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.18.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.22.0.0 255.255.0.0 host 192.168.100.16
    access-list lan_access_out extended permit ip any any
    access-list mdaxxxxx_vpn_filter extended permit ip host 192.168.100.16 host 172.22.1.80
    access-list VPNClient_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252
    access-list VPNClient_splitTunnelAcl standard permit 10.50.70.0 255.255.255.252
    access-list VPNClient_splitTunnelAcl standard permit 172.22.0.0 255.255.0.0
    access-list VPNClient_splitTunnelAcl standard permit host 172.22.1.80
    access-list outside_cryptomap extended permit ip 172.22.1.0 255.255.255.0 172.22.4.0 255.255.255.0
    access-list outside_cryptomap_1 extended permit ip 172.22.1.0 255.255.255.0 172.18.1.0 255.255.255.0
    pager lines 500
    logging enable
    logging monitor debugging
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu tcsma 1500
    mtu dmz 1500
    mtu unused 1500
    mtu management 1500
    ip local pool RemotePool 192.168.200.1-192.168.200.50 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any tcxxx
    icmp permit any dmz
    icmp permit any management
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (tcxxx) 0 access-list lan_nat0_outbound
    nat (tcxxx) 1 172.22.1.0 255.255.255.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    access-group lan_access_out in interface tcsma
    route outside 0.0.0.0 0.0.0.0 75.xxx.xxx.78 1
    route tcxxx 172.22.2.0 255.255.255.0 172.22.1.240 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 8081
    http 192.168.10.0 255.255.255.0 dmz
    http 0.0.0.0 0.0.0.0 tcxxx
    http 71.xxx.xx.232 255.255.255.255 outside
    http 173.x.xx.213 255.255.255.255 outside
    http 173.xx.xxx.125 255.255.255.255 outside
    http redirect outside 80
    snmp-server host outside 71.xxx.xx.232 poll community *****
    snmp-server location Telco Room
    snmp-server contact TDean at XXXXXXXsts
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 64.xxx.xxx.180
    crypto map outside_map 1 set transform-set ESP-AES-128-SHA
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set pfs group5
    crypto map outside_map 2 set peer 173.xx.xxx.125
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 3 match address outside_cryptomap_1
    crypto map outside_map 3 set pfs group5
    crypto map outside_map 3 set peer 207.xxx.xx.31
    crypto map outside_map 3 set transform-set ESP-AES-128-SHA
    crypto map outside_map 3 set security-association lifetime seconds 86400
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment terminal
    fqdn vpn.tcxxx.com
    subject-name CN=vpn.tcxxx.com,OU=IT,O=The xxxxxxx xxxxxxxx,C=US,St=MA,L=Hyannis
    keypair vpnsslcert.key
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 07f75c9a1b2d75
    30820559 30820441 a0030201 02020707 f75c9a1b 2d75300d 06092a86 4886f70d
    01010505 003081ca 310b3009 06035504 06130255 53311030 0e060355 04081307
    dd ad976c33 REMOVED
    546e672f 60ebfbf3 3c07552d 4a0eb144 b68887bc 32c4437a 30ec40bc 45
    quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca 0301
    fc bf144c0e cc6ec4df REMOVED
    3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f
    776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
    quit
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 71.xxx.xx.232 255.255.255.255 outside
    ssh 173.xx.xxx.125 255.255.255.255 outside
    ssh timeout 60
    ssh version 2
    console timeout 0
    dhcpd dns 4.2.2.1 4.2.2.2
    !
    dhcpd address 192.168.10.5-192.168.10.20 dmz
    dhcpd dns 4.2.2.1 4.2.2.2 interface dmz
    dhcpd update dns both override interface dmz
    dhcpd enable dmz
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    webvpn
    url-list value RemoteAccess
    svc ask none default webvpn
    group-policy vpn_to_sandwich internal
    group-policy vpn_to_sandwich attributes
    vpn-filter none
    vpn-tunnel-protocol IPSec
    group-policy VPNClient internal
    group-policy VPNClient attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNClient_splitTunnelAcl
    group-policy vpn_to_ihs internal
    group-policy vpn_to_ihs attributes
    vpn-filter none
    vpn-tunnel-protocol IPSec

    ***SSL Users Removed***

    webvpn
    url-list value RemoteAccess
    tunnel-group 64.xxxxxx180 type ipsec-l2l
    tunnel-group 64.xxxxx.180 general-attributes
    default-group-policy mdxxxxxct-vpn
    tunnel-group 64.xxxxxxx.180 ipsec-attributes
    pre-shared-key *****
    tunnel-group VPNClient type remote-access
    tunnel-group VPNClient general-attributes
    address-pool RemotePool
    default-group-policy VPNClient
    tunnel-group VPNClient ipsec-attributes
    pre-shared-key *****
    tunnel-group 173.xxxxxx125 type ipsec-l2l
    tunnel-group 173.xxxxx.125 general-attributes
    default-group-policy vpn_to_sandwich
    tunnel-group 173.xxxxx125 ipsec-attributes
    pre-shared-key *****
    tunnel-group 207.xxxxx.31 type ipsec-l2l
    tunnel-group 207.xxxxx.31 general-attributes
    default-group-policy vpn_to_ihs
    tunnel-group 207.xxxxx.31 ipsec-attributes
    pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/...es/DDCEService
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:9ccf61f1a248d3858a93efa68354ddb4


    Adtran running config "Main" site :

    User Access Login
    Password:
    Hyannis>en
    Password:
    Hyannis#show run
    Building configuration...
    !
    !
    ! ADTRAN, Inc. OS version 18.01.01.00
    ! Boot ROM version 17.06.01.00
    ! Platform: NetVanta 3430, part number 1202820G1
    ! Serial number LBADTN1130AF995
    !
    !
    hostname "Hyannis"
    enable password Axxxxx
    !
    clock timezone -1-Cape-Verde
    !
    ip subnet-zero
    ip classless
    ip routing
    ipv6 unicast-routing
    !
    !
    ip domain-proxy
    !
    !
    no auto-config
    !
    event-history on
    no logging forwarding
    logging forwarding priority-level info
    no logging email
    !
    no service password-encryption
    !
    username "xxxxx" password "pxxx"
    !
    !
    no ip firewall alg msn
    no ip firewall alg mszone
    no ip firewall alg h323
    !
    !
    !
    !
    !
    !
    !
    !
    !
    no dot11ap access-point-control
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    no ethernet cfm
    !
    interface eth 0/1
    speed 100
    encapsulation 802.1q
    no shutdown
    !
    interface eth 0/1.37xx
    vlan-id 37xx
    ip address 1.1.1.1 255.255.255.0
    no shutdown
    !
    interface eth 0/2
    speed 100
    ip address 172.22.1.240 255.255.255.0
    no shutdown
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip route 0.0.0.0 0.0.0.0 172.22.1.234
    ip route 128.1.0.0 255.255.0.0 172.22.1.3
    ip route 172.17.150.0 255.255.255.0 172.22.1.3
    ip route 172.22.2.0 255.255.255.0 1.1.1.2
    ip route 172.23.10.0 255.255.255.0 172.22.1.3
    !
    no tftp server
    no tftp server overwrite
    no ip http server
    no ip http secure-server
    no ip snmp agent
    no ip ftp server
    ip ftp server default-filesystem flash
    no ip scp server
    no ip sntp server
    !
    !
    !
    !
    !
    !
    !
    !
    ip sip udp 5060
    ip sip tcp 5060
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    login
    password Axxxxxx
    !
    line telnet 0 4
    login
    password pxxxxx
    no shutdown
    line ssh 0 4
    login local-userlist
    no shutdown
    !
    !
    !
    !
    !
    end
    Hyannis#



    Adtran running config "Remote" site:

    User Access Login
    Password:
    Falmouth>en
    Password:
    Falmouth#sh run
    Building configuration...
    !
    !
    ! ADTRAN, Inc. OS version 18.01.01.00
    ! Boot ROM version 17.06.01.00
    ! Platform: NetVanta 3430, part number 1202820G1
    ! Serial number LBADTN1129AM816
    !
    !
    hostname "Falmouth"
    enable password Axxxxx
    !
    clock timezone -1-Cape-Verde
    !
    ip subnet-zero
    ip classless
    ip routing
    ipv6 unicast-routing
    !
    !
    !
    !
    no auto-config
    !
    event-history on
    no logging forwarding
    no logging email
    !
    no service password-encryption
    !
    !
    no ip firewall alg msn
    no ip firewall alg mszone
    no ip firewall alg h323
    !
    !
    !
    !
    !
    !
    !
    !
    !
    no dot11ap access-point-control
    !
    !
    !
    !
    ip dhcp-server excluded-address 172.22.2.1 172.22.2.100
    !
    ip dhcp-server pool "lan"
    network 172.22.2.0 255.255.255.0
    dns-server 172.22.1.7
    netbios-name-server 172.22.1.15
    default-router 172.22.2.1
    !
    !
    !
    !
    !
    !
    !
    no ethernet cfm
    !
    interface eth 0/1
    speed 100
    encapsulation 802.1q
    no shutdown
    !
    interface eth 0/1.3711
    vlan-id 3711
    ip address 1.1.1.2 255.255.255.0
    no shutdown
    !
    interface eth 0/2
    ip address 172.22.2.1 255.255.255.0
    no shutdown
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip route 0.0.0.0 0.0.0.0 172.22.2.234
    ip route 128.1.0.0 255.255.0.0 1.1.1.1
    ip route 172.17.150.0 255.255.255.0 1.1.1.1
    ip route 172.22.1.0 255.255.255.0 1.1.1.1
    ip route 172.23.10.0 255.255.255.0 1.1.1.1
    !
    no tftp server
    no tftp server overwrite
    no ip http server
    no ip http secure-server
    no ip snmp agent
    no ip ftp server
    ip ftp server default-filesystem flash
    no ip scp server
    no ip sntp server
    !
    !
    !
    !
    !
    !
    !
    !
    ip sip udp 5060
    ip sip tcp 5060
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    no login
    !
    line telnet 0 4
    login
    password Axxxx
    no shutdown
    line ssh 0 4
    login local-userlist
    no shutdown
    !
    !
    !
    !
    !
    end
    Falmouth#
    Lizano Member Posts: 230
    Do the thin clients actually lose connectivity to the other site? Or is it only the applications that die?

    I once had someone reporting a similar issue with RDP over a VPN. I ended up leaving a ping running with FREEping from a PC at the site to the RDP server, which proved to me that the RDP server was never unreachable; it ended up going away after changing the session timeout limit on a firewall.
    Monkerz Member Posts: 842
    I guess we can start by troubleshooting the main site. Are the users and term servers on the same LAN? If not, what is between the users and term servers at the main site?
    tdean Member Posts: 520
    Lizano wrote: »
    Do the thin clients actually lose connectivity to the other site? Or is it only the applications that die?

    I once had someone reporting a similar issue with RDP over a VPN. I ended up leaving a ping running with FREEping from a PC at the site to the RDP server, which proved to me that the RDP server was never unreachable; it ended up going away after changing the session timeout limit on a firewall.


    Both, actually. Sometimes they get booted right out of their RDP connection (that's the protocol error) and other times the performance is so bad the app just hangs for 2-3 minutes and everyone has the "hourglass."
    tdean Member Posts: 520
    Monkerz wrote: »
    I guess we can start by troubleshooting the main site. Are the users and term servers on the same LAN? If not, what is between the users and term servers at the main site?

    Main site, users and servers all on the same subnet.
    networker050184 Mod Posts: 11,962
    tdean wrote: »
    Main site, users and servers all on the same subnet.

    So the traffic that doesn't traverse the routers and ASAs has the same issue? Sounds like a problem with the server or local LAN to me. Have you looked into the server/application?
    An expert is a man who has made all the mistakes which can be made.
    tdean Member Posts: 520
    So the traffic that doesn't traverse the routers and ASAs has the same issue? Sounds like a problem with the server or local LAN to me. Have you looked into the server/application?

    It is intermittent with the main site... the performance is very good. The main site gets the protocol error. The remote site gets that and also poor performance. Sorry I didn't clarify.

    ***EDIT: the protocol error happens when a user launches a telnet based app (Meditech) that is routed through the Adtrans to the Hospital we are affiliated with.

    Also, this didn't happen prior to the "upgrade" where we removed the WatchGuard firewalls and replaced them with the "faster" circuit and the combo of Adtrans and ASA firewalls, which is why I am not focusing on the server/app end of things.
    networker050184 Mod Posts: 11,962
    tdean wrote: »
    It is intermittent with the main site... the performance is very good. The main site gets the protocol error. The remote site gets that and also poor performance. Sorry I didn't clarify.

    Also, this didn't happen prior to the "upgrade" where we removed the WatchGuard firewalls and replaced them with the "faster" circuit and the combo of Adtrans and ASA firewalls, which is why I am not focusing on the server/app end of things.

    Yeah, but the traffic that doesn't traverse these new devices is having trouble also. How would that have anything to do with the new equipment unless there is something I'm missing here? The poor performance could be due to the same issue that's causing the protocol error at the main site.

    What kind of traffic is this application using? Have the users at the remote site noticed any issues with other connectivity or just this application?
    An expert is a man who has made all the mistakes which can be made.
    tdean Member Posts: 520
    Yeah, but the traffic that doesn't traverse these new devices is having trouble also. How would that have anything to do with the new equipment unless there is something I'm missing here? The poor performance could be due to the same issue that's causing the protocol error at the main site.

    What kind of traffic is this application using? Have the users at the remote site noticed any issues with other connectivity or just this application?

    Sorry, I updated my previous post....

    ***EDIT: the protocol error happens when a user launches a telnet based app (Meditech) that is routed through the Adtrans to the Hospital we are affiliated with.... that is the 128.x.x.x route in the Main site router config.


    So, the main site performance is good but protocol error when launching this telnet based app.

    Remote site, also getting protocol error but ALSO poor performance in general across the P2P link to the extent that sometimes all the thin client desktops will just have an hourglass for 2-3 minutes.
    it_consultant Member Posts: 1,903
    If I were you, and we have talked about this before, if you have the WGs handy I would perform an experiment. You won't normally hear people on these boards recommend WG over Cisco/Adtran but in this case we need to test something. I have clients on an EVPL and we use WGs to sort the traffic out. My experience is that it is easier to configure the WGs in these funny situations where you have to both firewall the WAN AND terminate a layer 2 connection from another site. The WG sees that layer 2 connection as just another ethernet port, you can set the port you plug the EVPL into as a "trusted" port and the WG will route the EVPL and WAN traffic appropriately if you set up both fireboxes correctly. That way you don't have 2 routers (one for the EVPL and one for the WAN).

    Dollars to donuts the protocol errors and performance issues you are having are related to how the Adtrans and Ciscos are configured. You have 2 more routers (2 at each site, should be one at each site) than you actually need to get the job done.
    networker050184 Mod Posts: 11,962
    Adtran looks pretty basic so I doubt your problem is there. I see you have speed and duplex set a few places. Have you verified there are no mismatches causing errors?

    Since you said these are new circuits also I'd have the carrier check them out for errors.
    An expert is a man who has made all the mistakes which can be made.
    Monkerz Member Posts: 842
    Yeah that was going to be my next question, are there any duplex mismatches on any routers, switches or servers?
    tdean Member Posts: 520
    There were errors at the beginning b/c some things were set to "auto". Everything has been reset and there are 0 errors on the routers, core switches or firewall ports.

    it_consultant, I have been thinking about going straight into the ASAs since the ports are available. Do you think that would be the best idea? I mean, at least it's up and running right now... before, I had to replace the E-LAN with the EVPL with no downtime.
    tdean Member Posts: 520
    From the remote router:

    User Access Login
    Password:
    Falmouth>en
    Password:
    Falmouth#show int
    Displaying interfaces...
    eth 0/1 is UP, line protocol is UP
    Hardware address is 00:A0:C8:7E:3E:F0
    Running 802.1Q Encapsulation
    100Mb/s, full-duplex
    Last clearing of counters never
    5 minute input rate 1361856 bits/sec, 263 packets/sec
    5 minute output rate 908672 bits/sec, 224 packets/sec
    Queueing method: fifo
    Output queue: 0/256/0 (size/max total/drops)
    Interface Shaper: NOT ENABLED
    343705880 packets input, 718623725 bytes
    343703993 unicasts, 1887 broadcasts, 0 multicasts input
    0 unknown protocol, 0 symbol errors, 0 discards
    0 input errors, 0 runts, 0 giants
    0 no buffer, 0 overruns, 0 internal receive errors
    0 alignment errors, 0 crc errors
    229380293 packets output, 2409898157 bytes
    0 unicasts, 0 broadcasts, 0 multicasts output
    0 output errors, 0 deferred, 0 discards
    0 single, 0 multiple, 0 late collisions
    0 excessive collisions, 0 underruns
    0 internal transmit errors, 0 carrier sense errors
    0 resets, 0 throttles
    eth 0/1.3711 is UP, line protocol is UP
    Vlan Id is 3711
    Ip address is 1.1.1.2, netmask is 255.255.255.0
    MTU is 1500 bytes
    ARP type: ARPA; ARP timeout is 20 minutes
    eth 0/2 is UP, line protocol is UP
    Hardware address is 00:A0:C8:7E:3E:F1
    Ip address is 172.22.2.1, netmask is 255.255.255.0
    MTU is 1500 bytes, BW is 100000 Kbit
    100Mb/s, negotiated full-duplex, configured full-duplex
    ARP type: ARPA; ARP timeout is 20 minutes
    Last clearing of counters never
    5 minute input rate 915080 bits/sec, 229 packets/sec
    5 minute output rate 1365280 bits/sec, 267 packets/sec
    Queueing method: fifo
    Output queue: 0/256/0 (size/max total/drops)
    Interface Shaper: NOT ENABLED
    242439264 packets input, 2113455187 bytes
    241973981 unicasts, 393652 broadcasts, 71631 multicasts input
    0 unknown protocol, 0 symbol errors, 0 discards
    0 input errors, 0 runts, 0 giants
    0 no buffer, 0 overruns, 0 internal receive errors
    0 alignment errors, 0 crc errors
    356394083 packets output, 4026541336 bytes
    0 unicasts, 0 broadcasts, 0 multicasts output
    0 output errors, 0 deferred, 0 discards
    0 single, 0 multiple, 0 late collisions
    0 excessive collisions, 0 underruns
    0 internal transmit errors, 0 carrier sense errors
    0 resets, 0 throttles
    Falmouth#


    Main router:


    User Access Login
    Password:
    Hyannis>en
    Password:
    Hyannis#show int
    Displaying interfaces...
    eth 0/1 is UP, line protocol is UP
    Hardware address is 00:A0:C8:7E:9D:1C
    Running 802.1Q Encapsulation
    100Mb/s, full-duplex
    Last clearing of counters never
    5 minute input rate 722416 bits/sec, 195 packets/sec
    5 minute output rate 1178728 bits/sec, 235 packets/sec
    Queueing method: fifo
    Output queue: 0/256/0 (size/max total/drops)
    Interface Shaper: NOT ENABLED
    143812252 packets input, 4068588207 bytes
    143811171 unicasts, 1081 broadcasts, 0 multicasts input
    0 unknown protocol, 0 symbol errors, 0 discards
    0 input errors, 0 runts, 0 giants
    0 no buffer, 0 overruns, 0 internal receive errors
    0 alignment errors, 0 crc errors
    228268260 packets output, 3198391055 bytes
    0 unicasts, 0 broadcasts, 0 multicasts output
    0 output errors, 0 deferred, 0 discards
    0 single, 0 multiple, 0 late collisions
    0 excessive collisions, 0 underruns
    0 internal transmit errors, 0 carrier sense errors
    0 resets, 0 throttles
    eth 0/1.3711 is UP, line protocol is UP
    Vlan Id is 3711
    Ip address is 1.1.1.1, netmask is 255.255.255.0
    MTU is 1500 bytes
    ARP type: ARPA; ARP timeout is 20 minutes
    eth 0/2 is UP, line protocol is UP
    Hardware address is 00:A0:C8:7E:9D:1D
    Ip address is 172.22.1.240, netmask is 255.255.255.0
    MTU is 1500 bytes, BW is 100000 Kbit
    100Mb/s, full-duplex
    ARP type: ARPA; ARP timeout is 20 minutes
    Last clearing of counters never
    5 minute input rate 10982400 bits/sec, 1119 packets/sec
    5 minute output rate 10520720 bits/sec, 1076 packets/sec
    Queueing method: fifo
    Output queue: 0/256/0 (size/max total/drops)
    Interface Shaper: NOT ENABLED
    920876315 packets input, 5981752 bytes
    917139583 unicasts, 3694455 broadcasts, 42277 multicasts input
    0 unknown protocol, 0 symbol errors, 0 discards
    72173 input errors, 0 runts, 0 giants
    0 no buffer, 0 overruns, 0 internal receive errors
    0 alignment errors, 72173 crc errors <
    this is from before I changed the duplex. No errors since
    832781461 packets output, 312246507 bytes
    0 unicasts, 0 broadcasts, 0 multicasts output
    0 output errors, 0 deferred, 0 discards
    0 single, 0 multiple, 0 late collisions
    0 excessive collisions, 0 underruns
    0 internal transmit errors, 0 carrier sense errors
    0 resets, 0 throttles
    Hyannis#
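One way to check the counters from `show int` output like the above automatically, as an added example that is not from the thread or from ADTRAN: it parses the field names visible in the posted output and flags what the posters were chasing (CRC/alignment errors, late collisions, forced speed/duplex). The sample text is constructed from the main-site output above with a few lines dropped, and treating a duplex line without the word "negotiated" as a forced setting is an assumption.

```python
"""Parse ADTRAN NetVanta 'show interfaces' output and flag the counters that
point at a physical-layer problem: CRC/alignment errors, late collisions and
forced speed/duplex. Field names follow the 'show int' output posted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the main-site router's output in the thread
# (rate/queue lines dropped; the counters are as posted).
SAMPLE_SHOW_INT = """\
eth 0/1 is UP, line protocol is UP
Hardware address is 00:A0:C8:7E:9D:1C
100Mb/s, full-duplex
143812252 packets input, 4068588207 bytes
0 input errors, 0 runts, 0 giants
0 alignment errors, 0 crc errors
0 single, 0 multiple, 0 late collisions
eth 0/1.3711 is UP, line protocol is UP
Vlan Id is 3711
Ip address is 1.1.1.1, netmask is 255.255.255.0
eth 0/2 is UP, line protocol is UP
Hardware address is 00:A0:C8:7E:9D:1D
100Mb/s, full-duplex
920876315 packets input, 5981752 bytes
72173 input errors, 0 runts, 0 giants
0 alignment errors, 72173 crc errors
0 single, 0 multiple, 0 late collisions
"""

HEADER_RE = re.compile(
    r"^(?P<name>\S+(?: \S+)?) is (?P<admin>\S+), line protocol is (?P<proto>\S+)$")
DUPLEX_RE = re.compile(
    r"^(?P<speed>\d+)Mb/s, (?P<neg>negotiated )?(?P<duplex>full|half)-duplex")
COUNTER_RE = re.compile(
    r"(\d+) (packets input|input errors|crc errors|alignment errors|late collisions)")


@dataclass
class IfaceStats:
    name: str
    admin: str
    protocol: str
    speed_mbps: Optional[int] = None
    duplex: Optional[str] = None
    # None when the block has no speed/duplex line (an 802.1Q sub-interface).
    # Assumption: no "negotiated" keyword on that line means the setting was forced,
    # matching the thread's eth 0/2 configured with "speed 100".
    negotiated: Optional[bool] = None
    counters: Dict[str, int] = field(default_factory=dict)


def parse_show_int(text: str) -> List[IfaceStats]:
    """Split 'show interfaces' output into one record per interface block."""
    ifaces: List[IfaceStats] = []
    current: Optional[IfaceStats] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:  # "<name> is UP, line protocol is UP" starts a new block
            current = IfaceStats(m["name"], m["admin"], m["proto"])
            ifaces.append(current)
            continue
        if current is None:  # banner text before the first interface
            continue
        m = DUPLEX_RE.match(line)
        if m:
            current.speed_mbps = int(m["speed"])
            current.duplex = m["duplex"]
            current.negotiated = m["neg"] is not None
            continue
        for value, key in COUNTER_RE.findall(line):
            current.counters[key] = int(value)
    return ifaces


def analyze(ifaces: List[IfaceStats]) -> List[Tuple[str, str, str]]:
    """Return (interface, code, message) findings worth chasing on the LAN side."""
    findings: List[Tuple[str, str, str]] = []
    for i in ifaces:
        pk_in = i.counters.get("packets input", 0)
        bad = i.counters.get("crc errors", 0) + i.counters.get("alignment errors", 0)
        late = i.counters.get("late collisions", 0)
        if bad:
            pct = 100.0 * bad / pk_in if pk_in else float("nan")
            findings.append((i.name, "crc_errors", f"{bad} CRC/alignment errors on "
                             f"{pk_in} input packets ({pct:.4f}%): check duplex and cabling"))
        if late:  # late collisions: the classic sign of the half-duplex side of a mismatch
            findings.append((i.name, "late_collisions", f"{late} late collisions"))
        if i.negotiated is False:
            findings.append((i.name, "forced_duplex", f"{i.speed_mbps}Mb/s {i.duplex}-duplex "
                             "is forced; the peer must be forced identically or it falls "
                             "back to half duplex"))
    return findings


if __name__ == "__main__":
    for name, code, msg in analyze(parse_show_int(SAMPLE_SHOW_INT)):
        print(f"{name}: [{code}] {msg}")
```

Run it against the saved output of both routers after the counters have been cleared; a CRC count that keeps climbing on a port with zero late collisions is the full-duplex side of a mismatch, which matches what the main-site eth 0/2 showed before the duplex was fixed.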
    it_consultant Member Posts: 1,903
    tdean wrote: »
    There were errors at the beginning b/c some things were set to "auto". Everything has been reset and there are 0 errors on the routers, core switches or firewall ports.

    it_consultant, I have been thinking about going straight into the ASAs since the ports are available. Do you think that would be the best idea? I mean, at least it's up and running right now... before, I had to replace the E-LAN with the EVPL with no downtime.

    I have a similar set up at a couple of my clients. For each I only have one router for the WAN and the EVPL. The WAN port is configured as an "untrusted" port, the port the EVPL is plugged into is set as a "trusted" port (essentially just another network hanging off the firewall), a simple route to the other side of the EVPL and a couple of "allow allow" statements for inbound and outbound traffic over the EVPL, and you are off to the races.
  • Options
    tdeantdean Member Posts: 520
    it_consultant wrote: »
    I have a similar set up at a couple of my clients. For each I only have one router for the WAN and the EVPL. The WAN port is configured as an "untrusted" port, the port the EVPL is plugged into is set as a "trusted" port (essentially just another network hanging off the firewall) a simple route to the other side of the EVPL and a couple of "allow allow" statements for inbound and outbound traffic over the EVPL and you are off to the races.

    Hi it,

    I remember you trying to walk me through that before but I'm just having a tough time visualizing it. Here's what mine is on both ends... both the Adtrans and ASAs are physically connected to the core switch... the Adtran is the default gateway and there are routes on there to send internet traffic out the ASA. I wonder if the routers Verizon recommended are appropriate... here's what they are.

    NetVanta 3430 (2nd Gen)

    If I'm understanding you, I will have to change the default gateway to the ASA at one location and config the VLAN on it?

    This is driving me crazy; all I think about when I sleep is resolving this. I ordered a couple of Wireshark books, maybe that will help.
    it_consultant Member Posts: 1,903
    I work with a consulting network engineer who works with a lot of EVPL providers in the Denver area; she is in love with the Adtran routers and the Adtran router/switch combo devices.

    In your configuration I would find the Adtran to be unnecessary. I would take a cable from the CPE provided by Verizon and plug it into an unused port on the ASA. Configure that to be a trusted port by giving it a private address scheme, get rid of the deny statements and put in allow statements. Do the same at your other location. Create a little network between the two ASA ports which are plugged into the CPE at each location and create routes to the networks on either side of the Verizon network. Remember that the EVPL is essentially like physically dragging an ethernet cable from building to building. So, if you remember your CCNA lab, this should be like configuring your Ciscos as if they are plugged right into each other.

    Where is your Verizon EVPL plugged into now, the core switches or the Adtran?
    tdean Member Posts: 520
    it_consultant wrote: »
    I work with a consulting network engineer who works with a lot of EVPL providers in the Denver area; she is in love with the Adtran routers and the Adtran router/switch combo devices.

    In your configuration I would find the Adtran to be unnecessary. I would take a cable from the CPE provided by Verizon and plug it into an unused port on the ASA. Configure that to be a trusted port by giving it a private address scheme, get rid of the deny statements and put in allow statements. Do the same at your other location. Create a little network between the two ASA ports which are plugged into the CPE at each location and create routes to the networks on either side of the Verizon network. Remember that the EVPL is essentially like physically dragging an ethernet cable from building to building. So, if you remember your CCNA lab, this should be like configuring your Ciscos as if they are plugged right into each other.

    Where is your Verizon EVPL plugged into now, the core switches or the Adtran?

    Yeah, I see what you're saying... originally I couldn't do it like that because all the ports were taken up on the ASA. I was also told I need to add the VLAN, although that's not a huge deal. Now there are 2 ports open, so maybe I can at least start. The EVPL is currently the default gateway and plugged directly into the switch at both locations.
    it_consultant Member Posts: 1,903
    It isn't a good idea to have the evpl plugged directly into your switches unless you intend on having a layer 2 connection across your two offices. I asked because I thought for a second you might have done that, this can cause all sorts of issues since the devices on both ends will pollute each other with their ARP traffic. This can be an OK arrangement provided you are on the same layer 3 LAN and you don't mind your ARPs going across the EVPL. I have seen this configuration, it works if your remote offices have only a few PCs.
    tdean Member Posts: 520
    it_consultant wrote: »
    It isn't a good idea to have the evpl plugged directly into your switches unless you intend on having a layer 2 connection across your two offices. I asked because I thought for a second you might have done that, this can cause all sorts of issues since the devices on both ends will pollute each other with their ARP traffic. This can be an OK arrangement provided you are on the same layer 3 LAN and you don't mind your ARPs going across the EVPL. I have seen this configuration, it works if your remote offices have only a few PCs.

    OK... been a while since my CCNA studies... when you say "a layer 2 connection across the 2 offices", isn't that what the VLAN is for? Also, does the ARP traffic traverse the VLAN if they are on different subnets? I guess it would since there are routes to direct the traffic....

    We are having a lot of trouble with our thin clients and term servers since this upgrade... protocol errors that I am researching. The causes seem to be apps using the same port as the TS and default gateway problems.


    I don't have much experience with the ASAs yet and I don't want to pile a bunch of work on our FW guy because he is just helping out for now... are you suggesting I plug the Adtrans into the ASAs or eliminate the Adtrans altogether and config VLANs on the ASA? Our FW guy said "let's let the Adtrans do what routers do, and let the ASAs do what firewalls do...."

    I'm torn.
    it_consultant Member Posts: 1,903
    tdean wrote: »
    OK... been a while since my CCNA studies... when you say "a layer 2 connection across the 2 offices", isn't that what the VLAN is for? Also, does the ARP traffic traverse the VLAN if they are on different subnets? I guess it would since there are routes to direct the traffic....

    We are having a lot of trouble with our thin clients and term servers since this upgrade... protocol errors that I am researching. The causes seem to be apps using the same port as the TS and default gateway problems.


    I don't have much experience with the ASAs yet and I don't want to pile a bunch of work on our FW guy because he is just helping out for now... are you suggesting I plug the Adtrans into the ASAs or eliminate the Adtrans altogether and config VLANs on the ASA? Our FW guy said "let's let the Adtrans do what routers do, and let the ASAs do what firewalls do...."

    I'm torn.

    A firewall and a router are basically the same thing. You can easily configure a firewall to operate exactly like a basic router. Take the Adtrans out altogether; they add complexity and don't add needed capability. Networking is a game of keeping stuff as simple as possible to get the job done. The ASA is a fully functional router as well as a 'firewall'.

    When I say a layer 2 connection, I am talking about a data-link connection. The EVPL is providing you a virtual ethernet connection. It isn't real ethernet, the CPE translates the transport technology (Fiber, COE, etc) and emulates ethernet signaling so to your equipment it will look like the EVPL is just another ethernet device. Which is quite cool. If you have your ethernet switches plugged into the EVPL, the broadcast packets they send will go over that link. I think the protocol errors are happening because on the network layer (layer 3) the computers have a route to resources, but on the data link they also have a route and the two do not follow the same paths. Remember that even though your machines are on different subnets, since you have EVPL running they are on the same BROADCAST domain, which means ARPs will be flying around. Segregate the two subnets on layer 1 (physical) by plugging the EVPL into your firewall as opposed to your switches and you will eliminate this from happening.

    I have never seen the answer for EVPL problems be "put the VLAN into your port configuration" because the VLANs you use and the VLANs the provider use operate on a different layer. That is the magic of EVPL. The provider has thousands of VLAN tags floating on their network, imagine you hook up your network to EVPL and you are using the same tags as your provider, chaos. In order to prevent this Verizon is able to segregate your VLAN tags to just your EVPL connection.
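    A quick way to test the claim above, that the two offices currently share one broadcast domain, is to capture on a LAN switch port at the main site with `tcpdump -n -i <port> arp` and look for ARP from hosts that do not belong there. The script below is an added example, not from the thread or from either poster: it scans tcpdump-style ARP lines and reports every sender outside the local subnet. The subnets (192.168.1.0/24 local, 192.168.2.0/24 remote) and the capture lines are constructed for the example; the 192.168.3.x addresses in the sample stand for an ASA-to-ASA transit network that should never be visible on the office LAN.

```python
"""Spot ARP from the other office on a local LAN port (added example).

Reads tcpdump-style ARP lines as printed with `tcpdump -n arp` and reports
every ARP sender that is not in the local office subnet. Seeing the remote
office's hosts ARP on the local segment means the EVPL is bridged into the
switches (one broadcast domain) instead of routed. The subnets and the sample
capture lines below are constructed for the example.
"""
import ipaddress
import re

LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # assumed local office LAN
REMOTE_SUBNET = ipaddress.ip_network("192.168.2.0/24")  # assumed remote office LAN

# The two line shapes tcpdump -n prints for ARP:
#   ... ARP, Request who-has 192.168.1.20 tell 192.168.1.5, length 46
#   ... ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:55, length 28
ARP_REQUEST = re.compile(r"ARP, Request who-has ([0-9.]+) tell ([0-9.]+)")
ARP_REPLY = re.compile(r"ARP, Reply ([0-9.]+) is-at ([0-9a-fA-F:]+)")


def classify(line):
    """Return (kind, sender_ip) for an ARP line, or None for anything else."""
    m = ARP_REQUEST.search(line)
    if m:
        return "request", m.group(2)      # the asker is the sender
    m = ARP_REPLY.search(line)
    if m:
        return "reply", m.group(1)        # the answering host is the sender
    return None


def stretched_l2_indicators(lines, local=LOCAL_SUBNET, remote=REMOTE_SUBNET):
    """Map each foreign ARP sender to (kind, label) for its first sighting.

    'remote-subnet' means a host from the other office is ARPing on this LAN;
    'unknown-subnet' covers anything else that should not be here (for
    example an ASA-to-ASA transit network, or an unexpected third network).
    """
    foreign = {}
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        kind, sender = parsed
        try:
            ip = ipaddress.ip_address(sender)
        except ValueError:
            continue                        # malformed address, skip the line
        if ip in local:
            continue
        label = "remote-subnet" if ip in remote else "unknown-subnet"
        foreign.setdefault(str(ip), (kind, label))
    return foreign


# Constructed capture from the main office LAN; only the first two lines are
# what a properly routed office should ever see.
SAMPLE_CAPTURE = [
    "12:00:01.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.5, length 46",
    "12:00:01.000250 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:55, length 28",
    "12:00:02.110000 ARP, Request who-has 192.168.2.1 tell 192.168.2.55, length 46",
    "12:00:02.300000 ARP, Request who-has 192.168.3.2 tell 192.168.3.1, length 46",
    "12:00:03.000000 IP 192.168.1.5.50523 > 192.168.1.20.3389: Flags [P.], length 60",
]

if __name__ == "__main__":
    for ip, (kind, label) in stretched_l2_indicators(SAMPLE_CAPTURE).items():
        print(f"{ip}: ARP {kind} from {label}")
```

    Feed it a real capture with `tcpdump -n -i <port> arp > arp.txt` and pass the file's lines in; an empty result is what a routed design should produce, and any remote-subnet hit is direct evidence that the EVPL hand-off is sitting in the switch rather than behind a router or firewall interface.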
    tdean Member Posts: 520
    Well, the VLANs are on a subinterface... doesn't that matter? It's strange because the Adtran guy set these up and this was the setup recommended by our Verizon guy... although that's not saying much. I am going to config a port on each ASA for testing. I should be able to use the same 1.1.1.1 and 1.1.1.2 on the other, the way the routers are set up, right? Then I'd have to add all the static routes like for the internet and our other apps... oh damn... I'd have to change the IP of the ASA to do this because the Adtrans are the default gateway.....
    phoeneous Member Posts: 2,333
    Just an observation: if you have end to end connectivity then I doubt it is a VLAN issue. Have you asked your thin client vendor for support?
    it_consultant Member Posts: 1,903
    tdean wrote: »
    Well, the VLANs are on a subinterface... doesn't that matter? It's strange because the Adtran guy set these up and this was the setup recommended by our Verizon guy... although that's not saying much. I am going to config a port on each ASA for testing. I should be able to use the same 1.1.1.1 and 1.1.1.2 on the other, the way the routers are set up, right? Then I'd have to add all the static routes like for the internet and our other apps... oh damn... I'd have to change the IP of the ASA to do this because the Adtrans are the default gateway.....

    Your third statement is right on the money. You will have three internal networks. Two for each remote office and one for the ASAs to communicate with each other over the EVPL link. Each router needs 2 routes, one to the other side of the EVPL and one off to the internet. So in reality, it is one static route and one route of last resort, a term that is basically interchangeable with default gateway.

    Your ASA will have three plugs -
    1. Dirty internet to ASA. This is the interface where you apply all of your traditional firewalling features.
    2. ASA to internal switches, a "trusted" interface.
    3. EVPL to ASA. This interface should be configured as a "trusted" interface. On a Firebox you can actually tell it that it is a trusted interface and the Firebox configures itself to route between the two trusted interfaces. On an ASA you might have to enter allow statements so traffic can flow both ways.

    Let's slice one of my EVPL connections. I have a firewall in a colo facility where all the EVPL connections converge; this handles all of my internet. The firewalls at the remote offices have an interface plugged into their switch and an interface plugged into the EVPL. I set up a random private network on the inside of my remote office firewall and I set up the other interface with a static IP address on the same network as my main firewall. I then enter a route on my remote office "0.0.0.0 0.0.0.0 192.168.1.3". This tells it to push all the packets to the main firewall. The main firewall has routes to all the remote offices plus a route to the internet.

    Let's take your ASA. Let's say office number 1 is 192.168.1.xxx and your second office is 192.168.2.xxx; you will inevitably set up the EVPL network as 192.168.3.xxx.

    office one ASA
    port 1 - local WAN provider
    port 2 - 192.168.1.1 (inside switches)
    port 3 - 192.168.3.1 (EVPL)

    office two ASA
    port 1 - local WAN provider
    port 2 - 192.168.2.1 (inside switches)
    port 3 - 192.168.3.2 (EVPL)

    Office 1 ASA
    "0.0.0.0 0.0.0.0 WAN default route"
    "192.168.2.0 255.255.255.0 192.168.3.2"

    Office 2 ASA
    same default route
    "192.168.1.0 255.255.255.0 192.168.3.1"

    Set your allow statements so traffic can go to your other private network on each side of the EVPL.

    Does this make sense?
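    The three-network layout in this post (and the same design sketched a few posts earlier, with the Verizon CPE plugged straight into a spare ASA port) is easy to get subtly wrong: a cross-office static route that points at the local EVPL address instead of the far ASA's, or at a next hop that is not on any connected subnet, blackholes traffic with no interface error to show for it. The model below is an added example, not from the thread or from either poster: it builds the two office ASAs with the post's private addressing, does a longest-prefix lookup for a host on each side, and checks that the next hop in each direction is an address the far ASA actually owns. Interface names and the outside addresses (203.0.113.x, 198.51.100.x, documentation ranges) are assumptions.

```python
"""Sanity-check the three-network ASA design (added example, not from the post).

Each office ASA has an outside, an inside and an EVPL interface; the two EVPL
interfaces share one transit network and the cross-office static route on
each ASA must point at the far ASA's EVPL address. The model below catches
the two mistakes that silently blackhole EVPL traffic: a next hop that is
this ASA's own address, and a next hop that is not on any connected subnet.
Interface names and the outside addresses (203.0.113.x, 198.51.100.x) are
assumptions; the private addressing is the one used in the post.
"""
import ipaddress


class Asa:
    """Minimal model of one ASA: named interfaces plus static routes."""

    def __init__(self, name):
        self.name = name
        self.interfaces = {}   # nameif -> IPv4Interface
        self.routes = []       # (IPv4Network, next-hop IPv4Address)

    def add_interface(self, nameif, cidr):
        self.interfaces[nameif] = ipaddress.ip_interface(cidr)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix),
                            ipaddress.ip_address(next_hop)))

    def own_addresses(self):
        return {iface.ip for iface in self.interfaces.values()}

    def connected_iface(self, addr):
        """Name of the interface whose subnet contains addr, or None."""
        for nameif, iface in self.interfaces.items():
            if addr in iface.network:
                return nameif
        return None

    def next_hop(self, dst):
        """Longest-prefix match. Returns (nameif, next hop) or (None, None)."""
        dst = ipaddress.ip_address(dst)
        nameif = self.connected_iface(dst)
        if nameif:
            return nameif, dst                 # directly connected
        best = None
        for net, hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        if best is None:
            return None, None
        return self.connected_iface(best[1]), best[1]

    def lint(self):
        """Static routes that can never forward anything."""
        problems = []
        for net, hop in self.routes:
            if hop in self.own_addresses():
                problems.append(f"{self.name}: {net} via {hop} is this ASA's own address")
            elif self.connected_iface(hop) is None:
                problems.append(f"{self.name}: {net} via {hop} is not on a connected subnet")
        return problems


def check_round_trip(a, b, host_a, host_b):
    """Both directions must resolve to an address owned by the far ASA."""
    problems = a.lint() + b.lint()
    for src, dst, dst_host in ((a, b, host_b), (b, a, host_a)):
        nameif, hop = src.next_hop(dst_host)
        if nameif is None:
            problems.append(f"{src.name}: no route to {dst_host}")
        elif hop not in dst.own_addresses():
            problems.append(f"{src.name}: {dst_host} via {hop}, not an address of {dst.name}")
    return problems


def build_pair(office1_hop, office2_hop):
    """The two office ASAs from the post; only the cross-EVPL next hops vary."""
    o1 = Asa("office1-asa")
    o1.add_interface("outside", "203.0.113.2/30")   # assumed ISP handoff
    o1.add_interface("inside", "192.168.1.1/24")
    o1.add_interface("evpl", "192.168.3.1/24")
    o1.add_route("0.0.0.0/0", "203.0.113.1")        # route of last resort
    o1.add_route("192.168.2.0/24", office1_hop)

    o2 = Asa("office2-asa")
    o2.add_interface("outside", "198.51.100.2/30")  # assumed ISP handoff
    o2.add_interface("inside", "192.168.2.1/24")
    o2.add_interface("evpl", "192.168.3.2/24")
    o2.add_route("0.0.0.0/0", "198.51.100.1")
    o2.add_route("192.168.1.0/24", office2_hop)
    return o1, o2


HOSTS = ("192.168.1.10", "192.168.2.10")   # one thin client per office (assumed)


def correct_design():
    """Each ASA points at the far side's EVPL address: no findings expected."""
    return check_round_trip(*build_pair("192.168.3.2", "192.168.3.1"), *HOSTS)


def self_pointing_design():
    """Each ASA points at its own EVPL address: the linter must flag both."""
    return check_round_trip(*build_pair("192.168.3.1", "192.168.3.2"), *HOSTS)


if __name__ == "__main__":
    print("correct:", correct_design() or "no problems")
    for problem in self_pointing_design():
        print("self-pointing:", problem)
```

    On a real ASA the two cross-EVPL routes are `route evpl 192.168.2.0 255.255.255.0 192.168.3.2` on office 1 and `route evpl 192.168.1.0 255.255.255.0 192.168.3.1` on office 2 (with `evpl` being whatever `nameif` you give that port). Since the inside and EVPL interfaces will both be trusted, also remember that an ASA drops traffic between two interfaces at the same security level unless you either enable `same-security-traffic permit inter-interface` or give them different levels and an access list; that is the "allow statements" step in the post.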