IPsec tunnel for offsite repository


by MikaelG » Fri Dec 30, 2016 9:21 pm

Hi,

After trying to increase the security on the tunnel set up to our offsite repository, I get "channel time out failure" on the first try merging the copied data to a full restore point. It usually succeeds on the second try. When doing a full sync it fails with "peer did not respond in time". What we did was change encryption on the tunnel to DH20, SHA512 etc., so the most secure versions available on the 2 firewalls. And I think that might be the cause of these errors. Trying different settings is cumbersome since the jobs take a long time before they run into problems. Does anyone have tips on a good setting that works for them? I'd rather not fall back to the old encryption, which was pretty weak. Both peers have 1 Gbit connections so speed shouldn't be an issue. And the firewalls work fine with other tunnels using the more complex encryption. Only with the Veeam backup copy jobs is there a problem.

Thanks,

Mikael
MikaelG
Influencer
 
Posts: 13
Liked: 1 time
Joined: Wed Dec 21, 2016 9:43 am
Full Name: Mikael Gustafsson

Re: IPsec tunnel for offsite repository

by EugeneK » Fri Dec 30, 2016 10:26 pm

Hi Mikael,

Do you see any events on the firewall side for the periods when it happens? The encryption level itself should not have affected the way the jobs operate; I suspect there may be TCP timeouts for IPsec tunnels or a potential resource saturation on the endpoint firewalls, which may lead to packet drops.
Eugene K
Product Architect @ SingleHop - Veeam Platinum Service Provider
http://www.singlehop.com
VCAP-DCD, VCAP-DCA, VCP-NV
Veeam Certified Architect
EugeneK
Veeam Vanguard
 
Posts: 102
Liked: 23 times
Joined: Sat Mar 19, 2016 10:57 pm
Location: Chicago, IL
Full Name: Eugene Kashperovetskyi

Re: IPsec tunnel for offsite repository

by MikaelG » Sat Dec 31, 2016 9:02 am

Hi, I haven't found anything in the firewall logs that could explain it. But I'll check again next week.

Re: IPsec tunnel for offsite repository

by Mike Resseler » Mon Jan 02, 2017 7:48 am

Mikael,

I think you should indeed search in the direction that Eugene is pointing at. How are the time-outs for TCP / UDP connections? I assume that they need to be increased on your firewall. But the problem is that if you increase them and they stay open longer (unless there is a closure confirmation), it can also cause your firewall's memory to be used up completely, or the firewall could stop accepting new connections.

From a previous life as a consultant, I would check the current connection time-out settings and maybe double them or so...
Mike Resseler
Veeam Software
 
Posts: 3340
Liked: 379 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: IPsec tunnel for offsite repository

by MikaelG » Mon Jan 02, 2017 10:15 am

Hi,

I will look into it, but I don't think firewall timeouts are the issue since it worked perfectly before the encryption change. We did set up a new Linux machine (repository) over the tunnel also. My thought now is that it could be an SSH timeout that causes it. The vendor has changed the timeout setting now so we'll see if it helps.

Thanks,

Mikael

Re: IPsec tunnel for offsite repository

by Andreas Neufert » Mon Jan 02, 2017 11:28 pm

The default SSHD current allowed connections are pretty low. Maybe this config from one of my tests helps:

/etc/ssh/sshd_config:
ClientAliveInterval 30
TCPKeepAlive yes
ClientAliveCountMax 99999
# We limit at the data transport side (current task count at Repository). Limited SSH connections result in job errors.
MaxSessions 200
MaxStartups 100:30:200
Andreas Neufert
Veeam Software
 
Posts: 2248
Liked: 374 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM
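
An added example, not part of the thread or of Veeam's tooling: a Python check that reads the global section of an sshd_config, applies sshd's first-value-wins rule, and reports how the limits posted above compare with a repository task count. The sample file, the task count passed to audit(), and the one-hour dead-peer threshold are assumptions made for illustration.

```python
# Added example, not from the thread. SAMPLE and thresholds are constructed.
DEFAULTS = {  # OpenSSH built-in values used when a keyword is absent
    "maxsessions": "10",
    "maxstartups": "10:30:100",
    "clientaliveinterval": "0",
    "clientalivecountmax": "3",
}
MAX_DEAD_PEER_S = 3600  # assumed policy: flag dead sessions kept over an hour

SAMPLE = """\
# constructed sample: the values posted above, plus a later duplicate
ClientAliveInterval 30
TCPKeepAlive yes
ClientAliveCountMax 99999
MaxSessions 200
MaxStartups 100:30:200
MaxSessions 10
"""

def parse_sshd_config(text):
    """Return effective global settings; sshd uses the first value it reads."""
    cfg, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # Match blocks are conditional; only the global part is read
        if key in DEFAULTS and key not in seen:
            cfg[key] = value
            seen.add(key)
    return cfg

def audit(cfg, concurrent_tasks):
    """Return (findings, dead_peer_seconds) for an assumed repository task count."""
    findings = []
    if int(cfg["maxsessions"]) < concurrent_tasks:
        findings.append("MaxSessions is below the repository task count")
    start = int(cfg["maxstartups"].split(":")[0])  # "start:rate:full" or "N"
    if start < concurrent_tasks:
        findings.append("MaxStartups can refuse connections opened together")
    interval = int(cfg["clientaliveinterval"])
    dead_peer = interval * int(cfg["clientalivecountmax"])
    if interval == 0:
        findings.append("ClientAliveInterval 0: no probes in the SSH channel")
    elif dead_peer > MAX_DEAD_PEER_S:
        findings.append("unresponsive clients are kept for %d s" % dead_peer)
    return findings, dead_peer
```

With the posted values the only finding is the keepalive product: 30 s times 99999 probes keeps an unresponsive session for about 34 days, so sshd will not reap dead peers on its own.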

Re: IPsec tunnel for offsite repository

by Andreas Neufert » Mon Jan 02, 2017 11:29 pm

You can as well "play" with the number of TCP streams in the network throttling settings.
