    We are facing a VPN problem between Canada and Mexico.
    We are running commercial firewalls/routers and VPN at each end.
    The Internet in Canada and Mexico is stable at 99.99%.

    However, the VPN between the 2 sites has constant slowdowns and often disconnects.
    We may say the VPN is up 85% of the time, even though the Internet is still up at 100%!!

    The other strange thing is that sometimes the VPN won't come back by itself. We need to manually disconnect the VPN at both ends, let them idle for a while, then re-enable them to make it work. As soon as the VPN is up we test with a ping -t and 50% of pings work.

    When the VPN is up, the ping -t works for about 8/10 pings due to timeouts. The VPN is still up but it seems the route is too slow.

    Have you ever experienced VPN problems similar to that? We have more complex setups in Canada and the US and we never get this kind of problem.

    Best Regards

    Re: Intermittent VPN from Canada to Mexico

    Something is clearly wrong with the VPN setup, the equipment or the Internet connection at one or both ends.

    When you experience 50% packet loss over the VPN connection, do you see similar losses if you ping the remote gateway directly?

    What kind of VPN connection do you use? IPsec, L2TP, GRE/IPsec, or something else entirely?

    Have you looked at the firewall/router logs?


      Re: Intermittent VPN from Canada to Mexico

      The setup is the same one that we apply all across North America.
      The VPN is a box-to-box IPsec VPN (the boxes are WatchGuard).

      It's the only setup that we have a problem with, but also the only setup with a branch office in Mexico.

      End-to-end pings have 0 to 50% loss in the VPN tunnel
      End-to-end pings have about 0 to 50% loss (box to box, rules allowing direct IP pinging)

      Both ends to Google or other sites = 0% loss

      We have direct, indirect and outside monitoring proving that standard browsing is up nearly 100%.

      The logs didn't show that much to help.

      From experience, I suspect some kind of ISP breaking the VPN, or compressing/accelerating features at the ISP causing intermittent VPN disconnection.

      We did a tracert of the link, and Canada to Mexico has more hops than Mexico to Canada.

      During the tracert we clearly see Canada / US / Mexico and vice versa!

      Any help or suggestions are welcome ....


        Re: Intermittent VPN from Canada to Mexico

        I suggest you exclude the endpoints by removing the relevant IPsec Phase 2 SA, as that will enable you to send unencrypted ping packets from one endpoint to the other. That should tell you whether the packet loss is related to the IPsec tunnel or not.

        Have you tried forcing/disabling NAT-T (depending on your current setting)?

        Have you checked for MTU "blackhole" issues? If you disable IPsec transport encryption between the endpoints, a simple ping with the DF flag set will reveal any MTU problems along the path. Since the trace revealed asymmetric routing, an MTU issue could be one-way only.

        The IKE/IPsec logs should at least tell you if an SA times out or is being renegotiated. Are you using a keepalive feature? Does the connection fail most often when it's in heavy use, or does it typically fail when idle?
        Last edited by Ser Olmy; 28th April 2014, 17:33.
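
The DF-flagged ping check suggested in the last reply, as an added example that is not part of the original thread: it binary-searches the largest packet that crosses the path unfragmented, retrying each size so the random loss reported above is not mistaken for an MTU limit. It assumes Linux iputils `ping`; the function names and the `PROBE` override are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux iputils ping
# (-M do sets DF); on Windows the equivalent is "ping -f -l SIZE".
# All function and variable names here are hypothetical.

# Send one echo request with DF set. $1 = host, $2 = ICMP payload bytes.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Retry each size so random loss (the thread reports up to 50%) is not
# mistaken for an MTU limit. PROBE can name a replacement probe function.
probe_retry() {
    for _try in 1 2 3 4 5; do
        "${PROBE:-probe_ping}" "$1" "$2" && return 0
    done
    return 1
}

# Binary-search the largest payload that passes with DF set and print the
# path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header).
# Returns 1 if even the smallest probe gets no reply.
find_path_mtu() {
    host=$1
    lo=${2:-548}     # 576-byte datagram
    hi=${3:-1472}    # 1500-byte Ethernet MTU
    probe_retry "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe_retry "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + 28 ))
}

# Usage (run from each site, since the routing is asymmetric):
#   find_path_mtu REMOTE_GATEWAY_IP
```

A result below 1500 from one side only points at a one-way constraint; the usable MTU inside the tunnel is lower still, by the ESP (and, with NAT-T, UDP) encapsulation overhead.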