Wireless Access

I have a test Verizon Fios account that consistently gets me 25mbps up and down, however with VIA connected (no split tunnel) I am getting 2mbps and some occasional drops and reconnects. I also notice that even though I can get to ports 4500 and 500 Nmap,  I am still being put on ssl-fallback.  My MTU seems to be 1200 once connected, on a pcap I don't see a ton or resends.. if anything I see PUSH which seems to indicate that the application is just not ready to receive the packet.  Anyone have VIA up that has some ideas?   

6.4.3.1_49733 is the version for the Controller and 2.04.74088  for the client (osx)

---

@mattjhughes wrote:

I have a test Verizon Fios account that consistently gets me 25mbps up and down, however with VIA connected (no split tunnel) I am getting 2mbps and some occasional drops and reconnects. I also notice that even though I can get to ports 4500 and 500 Nmap,  I am still being put on ssl-fallback.  My MTU seems to be 1200 once connected, on a pcap I don't see a ton or resends.. if anything I see PUSH which seems to indicate that the application is just not ready to receive the packet.  Anyone have VIA up that has some ideas?   

---

Matthughes,

If SSL failback is triggered, the client cannot get through on port UDP 4500 and that needs to be investigated.  SSL failback is not triggered by user authentication, but failure to reach the controller period on port UDP 4500.  NMAP is not a reliable method of understanding if traffic makes it through on port 4500; you need to do "show datapath session table <external ip address of VIA client>" when it is attempting to connect to see if  UDP 4500 is working.  SSL failback does not perform as well as ipsec.

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags           

--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- --------------- 

xxx.170.47.149  10.30.42.17     17   2331  4500   0/0     0    0   1   pc3         15   2          125        FC              

10.30.42.17     xxx.170.47.149  17   4500  2331   0/0     0    0   1   pc3         15   0          0          FY 

No bytes or packets going in one direction.  Check routing.

I will look into that,  this would be a routing issue somewhere upstream from the controller?   Also how am I successfully getting traffic with it showing no packets being received?

Thanks for the help

I setup a profile and connected to VIA using the internal network to make sure there was no firewall in the way.  These are the results, we are using 4500 now, but it still appears traffic is only going one way? Or maybe I am reading the output wrong

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.30.42.17     10.31.38.40     17   4500  56319  0/0     0    0   4   pc3         af   8          1268       F
10.31.38.40     10.30.42.17     17   56319 4500   0/0     0    0   0   pc3         af   16625      2635078    FC

 ike-scan --nat-t --dport=4500 --verbose hostname

DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

10.30.42.17    Main Mode Handshake returned HDR=(CKY-R=114c5f1e619f2049) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02
) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 1.061 seconds (0.94 hosts/sec).  1 returned handshake; 0 returned notify