Upgrading VPN at the office

ciggwin

Hey all,

I recently started a new job at a small (55 user) company where the guy before me didn't really do anything. I am the only IT guy here and my boss is the CFO. I'm not that knowledgeable about networking and such yet, so I have come to the [H] to inquire about upgrading our VPN, as I think it will help solve a lot of issues we are having.

We currently have a Cisco VPN 3000 Concentrator and we use the Cisco VPN Client Version 5.0.00.0340

There are a lot of problems with it - people keep getting disconnected, people have a really hard time getting connected in the first place, and it's slow (but our Internet connection is slow so I know that is also a problem I need to fix).

Is it recommended to upgrade the VPN? I know at my previous job we had an older VPN and we upgraded to Cisco AnyConnect (that was the client, not sure what the back-end was). After the upgrade we rarely had issues, if at all. But I believe we upgraded/changed our firewall as well so I am not sure if I will need to do that.

My questions:
Is this something I should just leave up to our 3rd party support vendor?
In order to replace the VPN would I need to replace the firewall? Anything else? Or does this go on a case-by-case basis?
Can I provide any more information for you to help me in the first steps to figuring out what I need to do?

Basically this is all I have....... the VPN sucks, it's slow, and while it works it is not reliable and people HATE IT. I don't know anything about VPN and very little about networking, so this is already a challenge from the start.

Thx :)
 
If your Internet connection is slow, it will surely choke your VPN's capacity for people connecting and how many concurrent connections you can have.
 
I actually just posted this in another thread as I was looking in the server room... there's a Sonicwall in the rack but it isn't plugged in to anything.

There are 4 Cisco Catalyst 2950 switches; I don't see a firewall. We have two T1 lines coming in - one goes into our load balancer, and the other goes into a DLink DES 1105 (wtf?) which splits this line into two - one into the load balancer and one into our VPN concentrator.
 
If you have the funds available you could replace the firewall and VPN concentrator with an ASA5500-series appliance sized for your needs.

The concentrator and the client are old, but that reason alone isn't really causing the connection to be slow or drop. That's probably the fault of your "slow" Internet connection, which should be investigated first. Sticking a smokin' fast ASA on a shoddy link isn't going to improve your end users' experience.
 
We have two T1 lines coming in - one goes into our load balancer, and the other goes into a DLink DES 1105 (wtf?) which splits this line into two - one into the load balancer and one into our VPN concentrator.

WAT!!?
 

I'm as confused as you are... I know practically nothing about networking but I know that a corporate network needs to have a firewall... I followed the cables coming straight from the T1 junction boxes on the wall... let me take a few pictures and I will post them.
 
Get rid of the D-Link right now.
That may even be your bottleneck.

easy there...

You can't terminate a T1 on an Ethernet switch so more investigation needs to be made before people start ripping cables out of a network and causing an outage...
 
easy there...

You can't terminate a T1 on an Ethernet switch so more investigation needs to be made before people start ripping cables out of a network and causing an outage...

I would hope to God he had something to back it up or replace it before he just jacked it out of the rack. But that DLink is not meant to run any kind of business application, nor is it very secure. That's why I said that.
 
Hire an IT guy. ;) They are worth their weight in gold.

Now I agree with mattjw916: lay off anything until we know more. Right now it works. You start ripping shit off the wall and it will not. I have been revamping a cobbled together network for a client now for 1 week. It is a pain and it will take a while to get the right way set up. Main factors are, though: VPNs are slow without bandwidth. You need more up if you have a small amount of users and they are all complaining. You may need both if you have a lot of your users connecting VPN. Also, what are they accessing VPN wise? Programs? Databases?

Pics and more info.
 
easy there...

You can't terminate a T1 on an Ethernet switch so more investigation needs to be made before people start ripping cables out of a network and causing an outage...

Ya - I am not touching anything because it is currently functional and I'm not about to unplug one of our T1 lines :p

Here are the pics...
Top: (you can see the bottom of it) is our 3rd Cisco Catalyst 2950. The 4th is above it, and then two are below it.
Below that you can see the DLink Switch sitting on top of an old piece of equipment.
Below that is the Cisco 2600 (not plugged in to anything).
Below that (green device) is the Cisco 3000 Concentrator (VPN).
Below that (silver device) is the Sonicwall Pro 230 (not plugged in to anything).
Below that (can't see it) is the FiberLogic Optiroute 2120 RS load balancer.


Here is the front view... a fucking mess but you can see the load balancer in this pic.


This is the wall where the T1 lines come in. The box on the right which is vertically mounted carries the data/voice T1 AFAIK (blue and yellow cables). The blue cable is plugged into the DSX-1 port and looks like it comes from the wall with a bundle of wires. The yellow cable is plugged into the NTWK port. The white cable coming down (behind the bunched blue) goes into the DLink switch, then ultimately into the load balancer. As I stated before the other line coming out of the DLink switch goes into the VPN concentrator.
The horizontally mounted box is just a data T1 and the red cable (10/100 Base T port) goes directly into the load balancer. The gray cable comes from that little box to the left which goes up into what I think is the phone system - but this makes no sense to me. It is plugged into the NTWK port.


Hire an IT guy. ;) They are worth their weight in gold.

Now I agree with mattjw916: lay off anything until we know more. Right now it works. You start ripping shit off the wall and it will not. I have been revamping a cobbled together network for a client now for 1 week. It is a pain and it will take a while to get the right way set up. Main factors are, though: VPNs are slow without bandwidth. You need more up if you have a small amount of users and they are all complaining. You may need both if you have a lot of your users connecting VPN. Also, what are they accessing VPN wise? Programs? Databases?

Pics and more info.

I'm sure that this is what I'm going to have to do. I'm not "there" yet with networking, so I'm going to have to call someone in to do this and I'm going to have to pick up as much as possible when they are here. This is WAY over my head.

VPN wise we are only accessing Exchange and our data server. No programs, no databases. We really don't host anything here at the office - all the stuff we use is hosted online. We run your basic stuff... AD, Exchange, a data server, etc. Also yes the # of VPN users is low - less than 10. I can't imagine what would happen if more tried to use the VPN at the same time.

You're probably wondering how I got hired if I don't know any of this stuff - honestly I'm not sure why they didn't want someone with more networking experience. But they wanted someone that would fit in well with the company and someone that had a personality. As for technical stuff, I can learn it all or outsource if I have to. Also the guy that was here before me didn't do much, and since he was/I am the only IT guy, no one knows WTF goes on in the background or what needs to be done.
 
Yeup, you really need to hire a competent tech to clean that disaster up. If you aren't comfortable or 100% certain of what you are looking at, don't touch it.

Good luck.
 
BTW, I'll take that Cisco 2600 series router that's not plugged into anything... :p
 
Yeup, you really need to hire a competent tech to clean that disaster up. If you aren't comfortable or 100% certain of what you are looking at, don't touch it.

Good luck.

It is completely overwhelming for one person. I'm no IT expert, as I'm pretty young, but I know how things should work - I may not know how to get it working but I know the fundamentals. This place is just as you said it... a disaster. The funny part? No one else has any clue how dangerous/fucked up this is.

BTW, I'll take that Cisco 2600 series router that's not plugged into anything... :p

If for some reason we don't need it, I'm sure my brother will claim it if I don't use it for learning :p

*EDIT* Anyone looking for some work in the Boston area? :p What I could use are any recommendations for some reputable companies/people in the Boston area that I can hire to fix all of this for me. All suggestions are welcome, and are better than me going and looking randomly for some joey :)

Thanks
 
Good luck man. I would spend the lead time re-running the cables with proper cable management just to get familiar with what is there, and to get unused hardware out of the rack and off the wall. You will do okay. I am cleaning up after a company that provides managed services for 50+ companies and their demarc to the old location looked as bad or worse. Even if you know what you are doing, that does not mean you will not become lazy and just start running shit wherever. I treat my jobs as if, were you to fire me from your network, the next guy could walk in, get a grasp quickly and hit the ground running.
I would also recommend buying a small labeling machine that can print custom labels to start marking out ports, patch panels, wall jacks, and surface mounted punch downs. This will also allow you to get a handle on what you have.
Equipment to buy:
: A good cable tester. I use a LanRoamer Pro (tp600)
: A good fox & hound. (Toner for tracing lines)
: Spiral notebook for note taking. You will have lots of notes to take.
Also a good network mapping program, NetworkView or whatnot. Visio 2007, or get ahold of a 2010 beta copy. Once you get your network mapped, then you can start improving the existing logical structures.
Let your boss know that Rome was not built overnight, nor was that disaster of a demarc. You will have to rerun cables and clean up the board before you can honestly assess what is there, what is not there, and what is needed for upgrading. Also, no sub-contracted tech will walk in and say, "Oh yeah, there is your problem." They will want to know what is incoming, what your settings on hardware are, what points to where.

Good Luck.
 
I agree with rook above. First and foremost.... cable management. Clean that stuff up! Grab some cable ties and velcro scraps to temporarily move stuff out of the way.

A good toner will help you find where some lines are going quickly... rather than trying to semi pull a line through that spaghetti bowl of wires.

I'm not a networking expert either, but I know a thing or 2 myself. I'm trying to understand why 2 T1's are in place? I would have 2 static cable lines from TWC / Charter / Cox or someone that could give me better down and up bandwidth than the 1.5 you'd get with a T1.... plus it should be a hell of a lot cheaper.... now that I think about it... I bet you are running voice and data through the T1s together...... blah!

One other thing to try is maybe a speed test (speedtest.net). When people are complaining the most, try to run a speed test and see what you are pulling down. This might help....

VPNs aren't hard, they just have to be setup properly. Unfortunately your situation means that you have a previous VPN job that might be sub-par when setup and causing a mountain of issues that only the end users see...
 
You guys have mentioned a LAN toner... is the LanRoamer Pro (tp600) going to give me what I need, or is that just a cable tester?

The item description says: Built-in tone generator with selectable tones and pair capability

How exactly do these work? Never used one before.

Thanks for all the help thus far

laughable:
 
What about getting something like a Cisco 1841 ISR with two WIC-1DSU-T1-V2 cards in it. At least you could even bond the T1 lines using MLPPP or similar. This ISR router could also act as your VPN to replace the Concentrator as well as your firewall (access lists), router, NTP server, DHCP (if needed), etc.

The ISRs are meant for this exact type of usage. We replaced our Cisco 3005 Concentrator with an ASA5510 appliance and then added the intrusion prevention module to it. We actually have that much traffic over the VPN to warrant the appliance. However, for your setup, I think an ISR (1800 series (I've only messed with the 1841)) would do you quite well for a cheap price.

Alternatively, you could go to Newegg and get a little supermicro appliance with a dual-core atom processor and a small hard drive and put something like pfSense or Untangle on it. I have heard good things about Untangle and definitely good things about pfSense ( I use and love it). You could build an enterprise type system for around $350 maybe.

Cisco 1841 ISR Router:
http://www.ciscosystems.com/en/US/products/ps5875/index.html
http://www.ciscosystems.com/en/US/p...s5853/product_data_sheet0900aecd8016a59b.html

pfSense:
www.pfsense.com

Untangle:
www.untangle.com
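As an added illustration of the MLPPP bonding suggested in the post above (this is not configuration from anyone in this thread or from Cisco's documentation), the IOS sketch below bundles the two WIC-1DSU-T1-V2 ports of an 1841 into one multilink interface and hangs a minimal inbound filter on it. Interface names, the 203.0.113.0/30 link address and the 192.168.10.0/24 LAN are assumed placeholders, and the provider has to configure the matching bundle on its end.

```text
! Assumed: WICs in slots 0 and 1 appear as Serial0/0/0 and Serial0/1/0
! Assumed: ISP assigns 203.0.113.0/30 to the bundle; inside LAN is 192.168.10.0/24
interface Multilink1
 description Bundle of both T1s toward the ISP
 ip address 203.0.113.2 255.255.255.252
 ppp multilink
 ppp multilink group 1
 ip access-group OUTSIDE-IN in
!
interface Serial0/0/0
 description T1 #1 (WIC-1DSU-T1-V2, slot 0)
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 service-module t1 clock source line
 service-module t1 timeslots 1-24
!
interface Serial0/1/0
 description T1 #2 (WIC-1DSU-T1-V2, slot 1)
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 service-module t1 clock source line
 service-module t1 timeslots 1-24
!
interface FastEthernet0/0
 description Inside LAN (assumed addressing)
 ip address 192.168.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Multilink1
!
! Stateless inbound filter on the bundle (assumed policy): admit only replies
! to TCP sessions opened from inside and the ICMP needed for path MTU discovery,
! log everything else. Pair this with IOS stateful inspection (ip inspect) in
! practice; "established" alone only checks TCP flags.
ip access-list extended OUTSIDE-IN
 permit tcp any any established
 permit icmp any any packet-too-big
 deny ip any any log
```

With both serials in the group, "show ppp multilink" should list two active links under Multilink1; if only one shows, check the provider-side bundle before suspecting the WICs.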
 
Currently looking at a SonicWALL NSA 240 as I call our third party vendor to talk about why things were set up this way in the first place.

http://www.sonicwall.com/us/products/NSA_240.html

From what I understand, the NSA 240 has the features of a VPN concentrator, firewall, load balancer, as well as all the unified threat management features.
 
55 users and a guy not knowing IT....

my advice... replace as much cisco stuff as possible.

For 55 users, you could get a Linksys RV series run to a nice gig switch and be done. Set up whatever VPN you like.
 
Ditto what Marley1 said. The RVs are nice. I've got quite a few of them as VPN endpoints opposite an ASA and my main office.
 
Wanted to update my post with a basic network diagram that I created... I will be using this post as my worklog


I spoke with our 3rd party network vendor dudes and they are a "Cisco shop" but have been going more towards Astaro products.

Has anyone had experience with Astaro?

This is the network as I inherited it:
[Image: networkdiagram.jpg]
 