[ale] PPP/SSH VPN dies randomly

James P. Kinney III jkinney at localnetsolutions.com
Mon Mar 4 22:56:11 EST 2002 

Ahh! That's different. I was having horrible visions of another sys
admin in a tattered monks robe being tortured by management to perform
unholy and impossible tasks. 

Of course, management may still be like that.

If I were in your situation, I would do exactly as you suggested. While
the T1 is up (before the A.M. reset) , I would reset the DSL. When it
has been verified, then reset the T1.

Of course, this does nothing for the hardware between your endpoints.
The weakest link is the phone pole outside the office that all this data
hangs from. Waiting for that delivery truck to smack it head on at 40
mph. 

"But Mr. Boss!", the admin pleads as the ropes around his wrists tighten
again, pulling his shoulders past his ears, his knees creaking as the
tendons near the separation point, "It wasn't my fault the UPS truck hit
the pole and took out all communications for 18 seconds. It was
delivering your new laptop!"

"REPENT WORTHLESS ADMIN!". bellows the crimson robed Boss, who was
completely unexpected, "Had you been worthy, you would have had the DSL
backup line on a separate pole at the BACK to avoid just such a
calamity." The fires from the boiling oil shone ominously in his eyes as
he ...

On Mon, 2002-03-04 at 22:25, Christopher Bergeron wrote:
> Okay, lemme rephrase:  I'd _like_ to have 99.99999% availability.  I feel
> that I can offer at least that between 8am-7pm EST though.  I have a T1 VPN
> with a redundant DSL fallover VPN.  So basically, I have 2 pipes between my
> locations.  Should I cron the VPN so that it starts every morning at like
> 7:30 AM?  Should I kill it just before then, or at COB?  I'd like to have
> the VPN as much as possible during "human" hours in case someone works late
> or gets in early.
> 
> Our KEY business hours are between 8AM EST and 6PM Central time (roughly
> 8am-8pm EST).
> 
> Any suggestions?
> -CB
> 
> 
> > -----Original Message-----
> > From: James P. Kinney III [mailto:jkinney at localnetsolutions.com]
> > Sent: Monday, March 04, 2002 9:56 PM
> > To: Christopher Bergeron
> > Cc: Ale
> > Subject: RE: [ale] PPP/SSH VPN dies randomly
> >
> >
> > If you're expected to provide 7 nines of VPN reliability, I'm glad I
> > don't work for your company!
> >
> > The only way to get even 99.99% VPM uptime would involve multiple,
> > redundant, synchronous data lines. I don't want to even think about the
> > engineering costs.
> >
> > As most places that have VPN's have them automated for connection setup,
> > use that to your advantage. Keep a connection test running at intervals
> > appropriate to your normal loading. When the connection test fails,
> > reroute the VPN traffic before the tunneling to a buffered fifo and
> > remake the connection. Dump the buffer through the connection when it's
> > ready.
> >
> > I have never kept a VPN up for days on end. There has always been some
> > network glitch outside my control that has required a reconnect. I saw a
> > statistic (I need to keep a better log of this stuff) that claimed there
> > is a fiber line cut every day in the US.
> >
> > On Mon, 2002-03-04 at 21:43, Christopher Bergeron wrote:
> > > And this is acceptable?  Forgive me for being naive, but that
> > would be like
> > > using an Operating System that crashed almost daily and wrote
> > it off as, "I
> > > guess that's just how it has to be".  By definition there has to be a
> > > "reason" for it and therefore, a solution.
> > >
> > > Have you confronted your VPN vendor about it (please say it
> > wasn't Cisco)?
> > > If so, what was their response?
> > >
> > > I'm currently adding a VPN watchdog to my crontab, but even 1 minute of
> > > downtime per month is a major malfunction.  Someone has to have
> > some clues
> > > about this.  I'm not using IPsec, I'm using SSH over PPP.  I
> > understand that
> > > encryption can be finicky, but I have a hard time blaming SSH.
> > I'm expected
> > > to produce 99.99999% availability and I can't accept anything
> > less.  Call me
> > > a spoiled Linux user for assuming availability, if you must...
> > >
> > > :)
> > >
> > > Anyone have any leads or even starting points for debugging this?
> > >
> > > Thanks,
> > > CB
> > >
> > >
> > > > -----Original Message-----
> > > > From: Geoffrey [mailto:esoteric at 3times25.net]
> > > > Sent: Monday, March 04, 2002 7:53 PM
> > > > To: Christopher Bergeron
> > > > Cc: Ale
> > > > Subject: Re: [ale] PPP/SSH VPN dies randomly
> > > >
> > > >
> > > > No real help, except to say that this happens to my (commercial) vpn
> > > > connectivity on occasion.  It presents an error message
> > something to the
> > > > effect of: "heartbeat missed, assuming tunnel is down."  This is an
> > > > ipsec vpn.
> > > >
> > > > Christopher Bergeron wrote:
> > > > > Does anyone have any idea why my VPN connection dies
> > > > periodically?  It seems
> > > > > to be okay for a few days and then one of the procees goes
> > > > defunct and the
> > > > > connection goes down.  I'm tunneling ssh over ppp over a T1
> > > > connection to
> > > > > the 'net on both sides.
> > > > >
> > > > > Any clues are greatly appreciated...
> > > > > -CB
> > > > >
> > > > >
> > > > > ---
> > > > > This message has been sent through the ALE general discussion list.
> > > > > See http://www.ale.org/mailing-lists.shtml for more info.
> > > > Problems should be
> > > > > sent to listmaster at ale dot org.
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Until later: Geoffrey		esoteric at 3times25.net
> > > >
> > > > I didn't have to buy my radio from a specific company to listen
> > > > to FM, why doesn't that apply to the Internet (anymore...)?
> > > >
> > > >
> > > > ---
> > > > This message has been sent through the ALE general discussion list.
> > > > See http://www.ale.org/mailing-lists.shtml for more info.
> > > > Problems should be
> > > > sent to listmaster at ale dot org.
> > > >
> > >
> > >
> > > ---
> > > This message has been sent through the ALE general discussion list.
> > > See http://www.ale.org/mailing-lists.shtml for more info.
> > Problems should be
> > > sent to listmaster at ale dot org.
> > >
> > --
> > James P. Kinney III   \Changing the mobile computing world/
> > President and COO      \          one Linux user         /
> > Local Net Solutions,LLC \           at a time.          /
> > 770-493-8244             \.___________________________./
> >
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
> >
> >
> >
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 



 This is a digitally signed message part

More information about the Ale mailing list