Byte corruption over site-to-site VPN

Hello,

I hope that you can read and understand my broken english ;-)

I have setup an site to site VPN with stand alone BM-Servers (every
BM-server has its own tree) at all ends (1Master, 3Slaves).

1.LAN-----Slave-BM---ISP-Router--------|
2.LAN-----Slave-BM---ISP-Router----Internet----ISP-Router-----MasterBM----3.LAN

4.LAN-----Slave-BM---ISP-Router--------|

(I hope you can read this schema of the WAN ;-) In the 1st, 2nd and
3rd LAN are Novell-Servers (Lets name it "File-Server") who are in the
same tree (but own Partitions, of course). All BM-Servers are 
NW6SP2, BM36SP1a. The DS-Version is the same on all File-Servers in
the tree.

DS-Repair shows -717 errors. To check the communication, i copy
ASCII-Files between the File-Servers with toolbox.nlm. The result: If
i copy files via VPN, all 1400Byte the file has 32Byte corrupt 
Byte (filename date and time are correct). If i copy from an
w2k-workstation to a File-Server via VPN the file is OK. A copy from
w2k-workstation to a w2k-workstion ist OK, too. A packet-trace at the 

received File-Server shows that two packets are received. 

The first packed has 1486Byte (Protocol: NCP, Request "Write to a
file" (ncp=73)), 
the second packed has 70Byte and waas protocol: TCP, the port numbers
of this traffic are varying, 
then the receiving File-server sends a "reply to a file (ncp=73)"
And again a packe with 1486byte Request write to a file...
This loop continue a long as all bytes of the copied file are
received.

The corruption of the file begin when the payload of the NCP paccket
ends (1400Byte), the rest of the payload is in the TCP packet, this
are 32byte.
I think that this are the bytes who are going wrong. It is correct
that part of the data flows in a NCP-Packet and the rest in an
TCP-Packet? Is it an VPN-Problem?

If i copy from an File-Server in 3.LAN to a other location, connectet
via frame-relay to the BM-Master (not shown in the schema above), then
there is no problem.

I'm really puzzled about this. 

1000Thx, for any hints

Thorsten








0
toppels
2/10/2003 4:33:34 PM
novell.bordermanager.vpn 2677 articles. 0 followers. Follow

3 Replies
282 Views

Similar Articles

[PageSpeed] 39
Get it on Google Play
Get it on Apple App Store

hi Thorsten,

from what I understoof, everything seems to point rather to a problem
in
the toolbox rather than to the VPN (indeed, when you copy files from
other machines THROUGH the VPN, everything is ok).
Or maybe it's a problem associated to the toolbox AND the VPN.

what I would suggest is to disable the nagles algorithm. In Monitor,
server parameters, communication, look for the command that mentions
the
nagle's algorithm, and make sure you disable it (I cannot give you the

exact command because it varies with the version of NW and patch
level).

Let me know.

--
Cat
Novell Support Connection Volunteer Sysop





0
CSL
2/10/2003 5:18:17 PM
On Mon, 10 Feb 2003 17:18:17 GMT, CSL <Cat@not-here.com> wrote:


>from what I understoof, everything seems to point rather to a problem
in
>the toolbox rather than to the VPN (indeed, when you copy files from
>other machines THROUGH the VPN, everything is ok).
>Or maybe it's a problem associated to the toolbox AND the VPN.

Hi CSL, thx for your answer.

OK my english is not really good ;-) i try i again.
I use the toolbox.nlm to test the server-server communication, because

i have problems to sync the NDS via . There are -171 errors in
DSREPAIR.

The VPN-Server at all locations are Stand-alone PC's. Every BM has its

own Tree. Behind every VPN-Server are LAN's with 1-2 NetWare-Servers.


>
>what I would suggest is to disable the nagles algorithm. In Monitor,
>server parameters, communication, look for the command that mentions
the
>nagle's algorithm, and make sure you disable it (I cannot give you
the
>exact command because it varies with the version of NW and patch
level).
Hm, "NAGLE" appears nowhere in Communication Parameters (NW6SP2)

Just in the moment, i am setup two other BM for a test via a other
ISP. 
>
>Let me know.
>
Any other hints? Is it normal, that the packet size via VPN is only
1486Byte?

Thx Thorsten





0
thoppels
2/11/2003 1:21:38 PM
hi,

> Hi CSL, thx for your answer.

sorry for the late reply...the flu forced me to bed the whole of last
week!

> OK my english is not really good ;-)

don't worry - neither is mine...

> i try i again.
> I use the toolbox.nlm to test the server-server communication,
because
> i have problems to sync the NDS via . There are -171 errors in
> DSREPAIR.
>
> The VPN-Server at all locations are Stand-alone PC's. Every BM has
its
> own Tree. Behind every VPN-Server are LAN's with 1-2
NetWare-Servers.

ok, I this is what I understood also last time.

> >
> >what I would suggest is to disable the nagles algorithm. In
Monitor,
> >server parameters, communication, look for the command that
mentions the
> >nagle's algorithm, and make sure you disable it (I cannot give you
the
> >exact command because it varies with the version of NW and patch
level).
> Hm, "NAGLE" appears nowhere in Communication Parameters (NW6SP2)

it should be there...
try to load monitor with the !H option (load monitor !H) and you will
see
more options.

> Just in the moment, i am setup two other BM for a test via a other
> ISP.
> >
> >Let me know.
> >
> Any other hints? Is it normal, that the packet size via VPN is only
> 1486Byte?

yes, that's normal because the VPN header takes up some space inside
the
standard ethernet packet size, BUT this should not cause corruption on
the
packets.
the UDP packets will not pass the checksumming tests, but this is
normal, too
because of the VPN. The important thing is that the underlying data is
not
corrupted, but you say that instead it is.

--
Cat
Novell Support Connection Volunteer Sysop





0
CSL
2/17/2003 5:01:59 PM
Reply: