
  • Watchguard VPN remote users issue

    Hello and thank you for taking the time to read this.

    SF main office
    NY main office
    1 remote user NY
    1 remote user Wis
    1 remote user Boston
    All remote users have a WatchGuard firewall, and the main offices use WatchGuards as well.

    SF to NY is MPLS
    Remote users vpn into both SF and NY watchguards
    SF and NY have two subnets
    SF = x.x.50.x - computers
    x.x.51.x - ShoreTel devices

    ADTRAN routers manage the subnets

    NY = x.x.100.x - computers
    x.x.101.x - ShoreTel devices

    Remote users are set up in IP PHONE ADDRESS MAP as Teleworkers

    Remote users have IP230 phones SEV with static routes.

    The problem occurs with all remote users. All INTERNAL calls are perfectly fine. All EXTERNAL calls are NOT fine.

    The remote user can hear the external caller fine and clear, but the external caller cannot hear the remote user clearly. Maybe a few seconds' worth are fine, but as the call goes on the external caller cannot hear the remote user.

    I searched the forum and saw something about removing ICMP requests and will try that. Any further insight you can give would be helpful. THANKS!!!

  • #2
    Are you running QoS on the WAN and CoS on the LAN? If not, that would certainly cause the issues you describe. I have 43 sites, mostly running on MPLS using Adtran. We had a number of 119 events (the issue you are describing); we were using QoS on the WAN but no CoS on the LANs. Once I implemented CoS on the LANs, almost all of our issues cleared up.

    Let me know if you need a better explanation

    (Edited to ask) What kind of circuit do the VPN sites have? Are they DSL, or is it a guaranteed rate?
    Last edited by khitan; 11-22-2008, 11:28 AM. Reason: adding last lines


    • #3
      Thanks for the information, Khitan. I need to check for CoS. I'm not good with configuring QoS or CoS, but I have people who can do it.

      Also, I'm not sure how to answer the VPN site question. My remotes have WatchGuards connected to our office WatchGuard. The remotes are using cable for their internet connections.



      • #4
        Yes, we are running QoS over our MPLS WAN. I'm sure you are correct about CoS on our LAN, as ShoreTel has stated it's our LAN that's the issue. I looked at the Adtran CoS but do not understand it. Should there be an emphasis on something in the CoS? Again, my apologies; I'm not good with routers.


        • #5
          Watchguard VPN

          It is a bit early in the morning for me here but.....

          I am going to break your users out into two groups. "Remote" and "internal". Remote are assumed to use a software or hardware VPN connection back into one of the main firewalls.

          You are running a WatchGuard VPN for your "remote" connections, right?

          The MPLS circuit running QoS is looking for certain packets to prioritize (voice packets), right?

          Does your internet connection actually come over the mpls, or do you have DSL/Cable/T1?

          If your internet connection is over the MPLS side, it is probably only seeing the encrypted WatchGuard VPN connection, and therefore is unable to actually prioritize the voice packets?

          The site-to-site calls are OK because they are NOT going through a VPN, just straight over the MPLS circuit (I know MPLS is technically a VPN, but not for these discussions).

          I don't think your issue will be with the internal network. It will be more with your internet connection, firewall config, and QoS on the VPN connections themselves.

          If you look at the logs of both firewalls, I think you will see dropped packets, probably due to the WatchGuard setting in the firewall that controls packets per second, etc. This setting prevents denial-of-service attacks. This setting has to be cranked up quite a bit from its default. VoIP is a lot of small packets. It can look like an attack to a firewall.

          Once this "limit" is reached, the traffic will be blocked for a period of time, possibly only one way.

          Sounds reasonable.
          Last edited by eazeaz; 11-26-2008, 07:09 AM.
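The failure mode post #5 describes (a per-source packets-per-second limit that mistakes a voice stream for a flood and blocks it in one direction only) can be modelled in a few lines. The following is an added example, not code from this thread or from WatchGuard: it feeds a constructed RTP-like stream (G.711 at 20 ms, i.e. 50 packets per second per direction) through a generic token-bucket limiter. The limiter numbers, the block duration, and the choice to limit only packets arriving from the untrusted (VPN/Internet) side are assumptions made for illustration, not any vendor's defaults.

```python
"""Toy model of a firewall packet-rate limit dropping one direction of a VoIP call.

Added example, not from the forum thread or from any firewall vendor. The token
bucket, its numbers and the packet timings are assumptions for illustration.
"""


def rtp_stream(src, dst, seconds, ptime_ms=20):
    """Constructed RTP-like stream: one packet every ptime_ms (20 ms = 50 pps)."""
    count = int(seconds * 1000 // ptime_ms)
    return [(i * ptime_ms / 1000.0, src, dst) for i in range(count)]


class TokenBucketLimiter:
    """Per-source token bucket (generic model, not a specific product).

    Each packet costs one token; tokens refill at rate_pps up to burst. When the
    bucket is empty the source is treated as flooding and is blocked for
    block_seconds. A steady 50 pps voice stream therefore passes while the burst
    allowance lasts and is then cut off, which is the symptom in the thread.
    """

    def __init__(self, rate_pps, burst, block_seconds):
        self.rate_pps = float(rate_pps)
        self.burst = float(burst)
        self.block_seconds = float(block_seconds)
        self.buckets = {}        # src -> (tokens, last_seen)
        self.blocked_until = {}  # src -> time the block expires

    def allow(self, src, now):
        if now < self.blocked_until.get(src, 0.0):
            return False
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate_pps)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        # Bucket drained: penalise the source for a while (assumed behaviour).
        self.buckets[src] = (tokens, now)
        self.blocked_until[src] = now + self.block_seconds
        return False


def run_call(limiter, seconds=10.0, limited_sources=("remote-phone",)):
    """Push both directions of one call through the office firewall model.

    Only sources in limited_sources are rate-limited. This assumes the limit is
    enforced on packets coming in from the VPN/Internet side, while the stream
    the office switch sends out to the remote phone is not limited. That is
    what produces one-way audio: the caller stops hearing the remote user, but
    the remote user keeps hearing the caller.
    """
    phone, office = "remote-phone", "office-switch"
    packets = sorted(rtp_stream(phone, office, seconds) + rtp_stream(office, phone, seconds))
    passed = {phone: 0, office: 0}
    first_drop = {}
    for t, src, _dst in packets:
        if src in limited_sources and not limiter.allow(src, t):
            first_drop.setdefault(src, t)
            continue
        passed[src] += 1
    return {"passed": passed, "first_drop": first_drop, "per_direction": len(packets) // 2}


def default_limiter():
    """Assumed 'default' limit: refills slower than one voice stream needs."""
    return TokenBucketLimiter(rate_pps=20, burst=150, block_seconds=60)


def raised_limiter():
    """Assumed 'cranked up' limit: comfortably above a voice stream's rate."""
    return TokenBucketLimiter(rate_pps=200, burst=1000, block_seconds=60)


if __name__ == "__main__":
    for name, make in (("default limit", default_limiter), ("raised limit", raised_limiter)):
        print(name, run_call(make()))
```

With the assumed default, the remote phone's outbound stream passes for roughly the first five seconds (the burst allowance) and is then blocked for the rest of the call, while the office-to-phone direction is untouched; with the raised limit every packet in both directions passes. The point for a real firewall is the same as in the post: compare the per-source rate setting against 50 packets per second per active call, and check the logs for drops attributed to that limit before touching LAN CoS.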


          • #6
            This sounds like more of an IP routing problem than anything else. I had similar problems across my VPN until I added the necessary static routes so that traffic could flow properly. Are you using SIP trunks or a VoIP gateway to the outside world?

            Keep in mind that the data stream between the phone and the PSTN is not always through the ShoreTel switch. Think of the data stream (audio) as two pipes, one for listening and one for talking. One seems to be working but the other obviously is not; this is usually an IP path/route issue. I am pretty sure the phones will let you run ping. Try hitting your very last device before the PSTN.



            • #7
              Thanks to all of your suggestions!

              We are running regular T1/internet connections from our SF and NY offices. The MPLS only connects the two sites.

              So the WatchGuards interact via the T1/internet lines. The T1s are only used for data.

              I agree that CoS and the WatchGuards are playing a role in this issue.

              My other thought is that ShoreTel just came out with a VPN Concentrator, which may just make my initial question and issue a moot point.

              Has anyone else looked at the VPN Concentrator solution?


              • #8

                We are ordering one in a few weeks.

                It will not remove the need for QoS on the WatchGuards.


                • #9
                  You are overlooking the obvious: adding another piece of equipment is not necessarily going to solve your problem. You still didn't answer my first question. Where and to what are your external (PSTN) lines connected? What type of ShoreTel switch are you using?

                  Does it have a T-1 connected, or multiple analog lines? So where in your network do you have a connection to the outside world phone network? It is either a ShoreTel switch or a gateway like the Ingate proxy. This device will handle the calls to the outside world.

                  You mention that all internal calls work fine. Excellent. The next hop is the outside world: what sits between the ShoreTel switch and server and the outside world phone network? That is where you need to look. Is there a router hop there? Do you have PSTN connections in both the NY and SF main offices?