DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

IP routed subnet issues?

11 Mar 2016 16:59 #1 by briggsb
IP routed subnet issues? was created by briggsb
Hi there. We have a huge problem here, and our ISP (BT) and our networking consultants are blaming the DrayTek...

Quite simply, we implemented a new corporate Firewall (DELL Sonicwall) 2 weeks ago, and the SSL VPN is temperamental, working for most, but for some, from certain locations (no pattern!), they are unable to connect to the SSL VPN.

They can ping the DNS name for the VPN (the Sonicwall router IP behind the DrayTek) and they can access other services on our network (same connection, different IP).

We have tried running the SSL VPN over a different comms line, and when we do this, the SSL VPN is fine. The other comms line DOES NOT have a DrayTek router. So, the assumption is that it's the DrayTek router. We actually have another guest line, which also has another DrayTek (these are 2860s by the way, BT Infinity and TalkTalk VDSL), and guess what? Doesn't work over that line either.

Can anybody shed any light at all? It's random in that most locations are fine, but certain locations just will not work. And remember, they can PING it just fine, so it's not routing or anything at that level.

Thanks in advance for any suggestions.

Alan

11 Mar 2016 22:12 #2 by e.ringrose
Replied by e.ringrose on topic Re: IP routed subnet issues?
Interesting problem.

Latest firmware installed?

Have you enabled syslog?
This will give loads of interesting reading to monitor the status of the tunnel.

Are the sites that don't work always the same, any similarities in network routers?
The same sites then work without the DrayTek inline without any other changes?

There's also a variation of the ping command (can't remember the name) which can use a particular port number for more precise troubleshooting; unfortunately ping is only of limited use here.

I've seen instances of VPN issues in the past due to double NAT, but that was with IPsec so may be different with SSL.

12 Mar 2016 07:44 #3 by briggsb
Replied by briggsb on topic Re: IP routed subnet issues?
Hi, thanks for the reply. I installed the latest FW yesterday and no difference. Will dabble with syslog when I'm back next week. Double NAT shouldn't be relevant as it's on the IP routed subnet? So the DELL is on a public IP.
You're right, the same SSL VPN works fine on a line without a DrayTek. Note it's a different line, but we have another VDSL line with another DrayTek, doesn't work on that line either (different ISP).

The hugely annoying thing is it works for many people but is not working at all for others from home, hotels, cafes etc, so it's going to be a needle in a haystack to do anything at the client end.

Thanks, alan

14 Mar 2016 16:56 #4 by briggsb
Replied by briggsb on topic Re: IP routed subnet issues?
OK just for completion and future reference...
This was a very simple fix in the end. Lots of time invested in really technical troubleshooting, and it was down to the MTU settings. I used the DrayTek's MTU detection feature, changed both routers to 1492, and voila!
This MTU seems fine on our BT Infinity FTTC line, so this may not work on your line. I'd recommend testing the MTU settings out over a period of time, as certain webpages may not load correctly, downloads may hang. We've had all sorts of issues in the past with MTU settings; I don't know why I didn't try this first.
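An added example, not part of the original posts and not the DrayTek detection feature's own implementation: a binary search for the largest IPv4 packet that crosses a path with Don't Fragment set, which is the value the router MTU needs to match. `ping_df` assumes Linux iputils `ping`; `simulated_path` is a constructed stand-in for a link so the search also runs offline.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload):
    """Send two echo requests with Don't Fragment set (Linux iputils ping).

    Returns True if at least one reply came back unfragmented.
    """
    cmd = ["ping", "-M", "do", "-c", "2", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest packet size (headers included) that passes.

    probe(payload) -> bool says whether a DF ping with that ICMP payload
    got a reply. Returns None if even the `lo` size does not get through.
    """
    if not probe(lo - IP_ICMP_OVERHEAD):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2           # round up so the loop terminates
        if probe(mid - IP_ICMP_OVERHEAD):
            lo = mid                        # mid fits: the answer is >= mid
        else:
            hi = mid - 1                    # mid is dropped: the answer is < mid
    return lo


def tcp_mss(mtu):
    """Largest TCP segment that fits the MTU (20-byte IP + 20-byte TCP header)."""
    return mtu - 40


def simulated_path(path_mtu):
    """Constructed test link: drops any DF packet larger than path_mtu."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # real probe against a given host
        mtu = find_path_mtu(lambda p: ping_df(sys.argv[1], p))
    else:                                   # offline run on the constructed link
        mtu = find_path_mtu(simulated_path(1492))
    print("path MTU:", mtu, "TCP MSS:", tcp_mss(mtu) if mtu else None)
```

Small pings fit under any of these sizes, which is why an ordinary ping can succeed on a path where full-size packets do not.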