Tachyon, Inc. AF5000 Series VPNA Handbook
About This Handbook
This document describes Tachyon, Inc. (Tachyon) AF5000 Series VPNA software version 1.3.0.0.
The AF5000 Series consists of the AF5100 and AF5200 VPNAs.
This Handbook covers installation and configuration of the AF5000 Series VPNA devices only. Separate manuals cover other VPNA devices.
Notices
Tachyon document 021-12539-0001 Rev. B.
Copyright © 2001, Tachyon, Inc. All rights reserved.
Tachyon, Inc. and the Tachyon logo are trademarks of Tachyon, Inc. All other trademarks are properties of their respective owners.
The information provided in this handbook is being provided by Tachyon, Inc. as a service to our customers. Although every effort has been made to verify the completeness and accuracy of the information contained in this handbook, due to the highly technical nature of the material, and the dynamic nature of the satellite communications network, Tachyon cannot be responsible for any errors and omissions.
CONTENTS
PREFACE 5
SAFETY 8
THEORY OF OPERATION 15
  TACHYON BROADBAND SATELLITE SERVICE PRIMER 15
  TACHYON SATELLITE GATEWAY 16
  SATELLITES 16
  TACHYON CUSTOMER PREMISE EQUIPMENT (CPE) 16
  TACHYON'S EXTENDED ENTERPRISE NETWORK ACCESS SERVICE 17
  IPSEC PRIMER 17
  SSL 18
  VPNA PRIMER 18
  VPNA TOPOLOGIES 19
  SINGLE REMOTE SITE TOPOLOGY 20
  MULTIPLE REMOTE SITE - SINGLE HEADQUARTERS TOPOLOGY 21
  MULTIPLE REMOTE SITE - MULTIPLE HEADQUARTERS TOPOLOGY 21
  ADDING CLEAR TEXT INTERNET ACCESS AT THE TACHYON GATEWAY 22
  ADDING CLEAR TEXT INTERNET ACCESS AT HEADQUARTERS 23
  AN ALTERNATE METHOD - ENCRYPTING AT THE TACHYON SATELLITE GATEWAY 23
CONNECTING AND CONFIGURING THE VPNA 24
  QUICK START 24
  CONNECT THE TACHYON VPNA 25
  GETTING ACCESS TO THE VPNA CONFIGURATION MENUS 25
    Initial access via an Ethernet Port 26
    Initial access via the Serial Port 26
  CONFIGURING THE AF5000 SERIES VPNA 27
  AF5000 SERIES VPNA CONFIGURATION 28
    Bridge Mode Configuration 29
    Route Mode Configuration 36
    Routes 39
    Pre-fetch Configuration 42
  STATUS 43
  LINK TEST 43
  TCP TEST 44
TACHYON VPNA HANDBOOK
  SHUTDOWN 45
  ADVANCED TOPICS 46
  SERVICES 46
  SNMP CONFIGURATION 47
  INTERFACE ALIASES 48
  MTU CONFIGURATION 48
  RADIUS CONFIGURATION 49
  AUTO FAIL-OVER CONFIGURATION 50
  LOAD CONFIGURATION 53
  SAVE CONFIGURATION 54
TROUBLESHOOTING 55
  PING WORKS BUT TCP/IP FAILS 56
  LOSS OF WAN COMMUNICATION 57
  LOSS OF WAN PERFORMANCE 59
TECHNICAL SPECIFICATIONS 60
PREFACE
This VPNA Handbook provides information and instructions for operation and use of Tachyon service and equipment.
This VPNA Handbook is intended for use by the system administrator or IT manager responsible for maintaining the VPNA.
This section includes:
• Warranty information on the Tachyon VPNA equipment.
• Instructions and tips for getting technical support for Tachyon services and equipment.
Warranty
The Tachyon VPNA equipment is warranted to be free from defects in material and workmanship for a period of one (1) year for parts and ninety (90) days for labor from the date of installation. If a product proves defective during this warranty period, Tachyon will repair the defective product without charge for parts or labor, or will provide a replacement for the defective product.
In order to obtain service under this warranty, the subscriber must notify Tachyon of the defect before the expiration of the warranty period and make suitable arrangement for the performance of service.
This warranty does not apply to any defect, failure or damage caused by improper use or inadequate or improper maintenance and care.
The reseller is not obliged to furnish service under this warranty:
• to repair damage resulting from attempts by personnel other than Tachyon.net-certified installation and maintenance professionals to install, repair, or service the product.
• to repair any damage or malfunction caused by the use of non-Tachyon supplies.
• to service a product that has been modified or integrated with other products when the effect of such modification or integration increases the time or difficulty of servicing the product.
VPNA Technical Support
In the event you need technical information or support for VPNA operation beyond the scope of this Handbook, contact the Service Provider from whom you purchase your monthly Tachyon Network Service.
If necessary, the Service Provider will contact any appropriate resources required to support operation of your Tachyon Network Service, including installation and maintenance professionals or Tachyon call center personnel.
VPNA Equipment Service
Under all circumstances, contact the reseller for service.
Do not attempt to service the VPNA equipment yourself, as there are no user-serviceable parts.
Safety Tip: Opening or removing the cover on the Tachyon VPNA may expose you to dangerous voltages or other hazards as well as void your warranty.
Contact your Tachyon reseller to obtain service assistance from a certified Tachyon maintenance professional.
Notice
For the proper operation of this equipment and/or all parts thereof, the instructions in this guide must be strictly and explicitly followed. All of the contents of this guide must be fully read and understood prior to operating any of the equipment or parts thereof.
Failure to completely read and fully understand and follow all of the contents of this guide prior to operating this equipment, or parts thereof, may result in damage to the equipment or parts, and to any persons operating the same.
Tachyon does not assume any liability arising out of the application or use of any products, component parts, circuits, software, or firmware described herein. Tachyon further does not convey any license under its patent, trademark, copyright, or common-law rights nor the similar rights of others. Tachyon further reserves the right to make any changes in any products, or parts thereof, described herein without notice.
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
This equipment generates, uses, and radiates radio frequency energy.
SAFETY
The VPNA equipment contains delicate electronics and electrical components. Follow all safety precautions in this section when the VPNA equipment is in operation.
Carefully read and follow all safety, use, and operating instructions before operating the VPNA equipment. Retain these instructions for future reference.
Carefully read and follow all safety, use, and operating instructions for the Tachyon Customer Premise Equipment (CPE) contained in the CPE Handbook.
This section includes:
• Safety considerations for use of the Tachyon VPNA equipment.
Safety Precautions
Use safety precautions when working at or near the Tachyon VPNA as described in these sections.
Tachyon VPNA Safety Precautions
Follow all instructions and advisories in this section when working with the Tachyon VPNA.
Warning: Shock Hazard
Do not open the equipment. Service is only to be performed by Tachyon or by a Tachyon-certified maintenance professional.
The Tachyon VPNA contains no user serviceable parts. Do not attempt to service this product yourself. Any attempt to do so negates any and all warranties.
When operating the Tachyon VPNA, observe these precautions:
Follow the Connection Procedure
Follow the connection procedure described in this manual. Do not plug in the Tachyon VPNA power cord until the Tachyon VPNA is connected to a LAN or computer.
Provide a Safe Location
Place the Tachyon VPNA in a rack or on a stable surface of sufficient size and strength, where it cannot be jarred, hit, or pushed off its surface. Ensure that all cables and cords are out of the way and cannot be tripped over, as this could cause personal injury or serious damage to the Tachyon VPNA.
Avoid Water and Moisture
Do not expose the Tachyon VPNA to any liquid or moisture.
Avoid Heat, Humidity, and Dust
To avoid internal damage, the Tachyon VPNA should be placed away from all heat sources, including radiators, heater ducts, exhausts, and like emissions: out of direct sunlight and away from high humidity, excessive dust, or mechanical vibrations that can cause damage to internal parts.
Provide Adequate Ventilation
Slots and openings on the front and back of the Tachyon VPNA are provided for ventilation that is needed to ensure reliable operation. The Tachyon VPNA uses forced air convection that draws air in from the front and exhausts air to the back of the unit.
To avoid overheating and ensure that the ventilation slots are not blocked, place the Tachyon VPNA on a smooth, hard surface that has at least two inches of clearance around the front and rear of the unit, and adequate air circulation.
If the Tachyon VPNA is placed in a closed area, such as a bookcase or rack, ensure that proper ventilation is provided and that the internal rack operating temperature does not exceed the maximum rated temperature at the position of the Tachyon VPNA.
Never place the Tachyon VPNA on a soft surface that would obstruct the required airflow into the unit's ventilation slots.
Use the Correct Power Source
The Tachyon VPNA input AC line voltage is switch-selectable to operate either at 115 VAC (90 to 130 VAC range) or 230 VAC (180 to 265 VAC range) on a grounded power system with line frequencies from 47 to 63 Hz. The Tachyon VPNA must be connected to an earthed main socket outlet.
To prevent damage to the Tachyon VPNA, ensure that the proper voltage range is selected prior to application of input power.
For Tachyon VPNA units equipped with a North American power cord, the cord has an IEC 320 female plug on one end and a NEMA 5-15P male plug on the other end. This cord is UL and CSA approved up to 125 VAC at 10A and is ready to use with no user wiring required.
Tachyon VPNA units for International distribution are equipped with an International cord that has an IEC 320 female on one end, and the specific National Regulatory Agency approved male plug on the other end. The power cord is HAR and IEC approved with International color coded wiring.
Route Power Cords Safely
Route power cords so that they are not walked on or pinched. Pay particular attention to cords and connections at the plugs, receptacles (such as power strips), and the point where they exit from the Tachyon VPNA and attach to other equipment. Do not place any items on or against power cords.
Protect Against Lightning and Power Surges
To protect against voltage surges and built-up static charges, the VPNA has been installed with appropriate grounding methods in compliance with grounding standards for electrical and radio equipment according to the electrical codes in the country of installation. Do not remove or modify the grounding and protection mechanism that has been installed with your Tachyon VPNA.
To ensure continuous and undisturbed unit operation from primary power line anomalies, use an Uninterruptible Power Source (UPS) with your Tachyon VPNA.
Do not penetrate the Tachyon VPNA
Touching internal Tachyon VPNA parts is dangerous to both you and the unit. Never put any object, including your fingers, through Tachyon VPNA slots or openings, as this could result in touching dangerous voltage points, short-circuiting parts, electric shock, or fire. If an object falls into the Tachyon VPNA, unplug the unit and contact your Service Provider, as serious damage could occur to the unit.
THEORY OF OPERATION
The Tachyon Satellite IP Network provides two-way Internet Protocol service over a high-performance satellite link. Using advanced technology invented and patented by Tachyon, it provides reliable, high-performance Internet communications everywhere within the Tachyon satellite footprint.
The Tachyon VPNA allows deployment of IPSec security with Tachyon's network.
This section includes:
• A Tachyon Broadband Satellite Service primer summarizing key features and functionality from the CPE Handbook.
• An IPSec primer introducing key subjects.
• An overview of the most common network topologies.
TACHYON BROADBAND SATELLITE SERVICE PRIMER
Tachyon's broadband satellite service is a two-way IP carrier service providing high-speed links via satellite to subscribers.
A direct and dedicated digital link between each subscriber network and the Internet backbone network is made possible using standard IP interfaces and protocols, ensuring end-to-end transparency and compatibility.
Figure 3-1 shows an overview of the Tachyon network components. Each regional satellite network includes a hub site called the Tachyon Satellite Gateway and many subscriber sites using Tachyon Customer Premise Equipment (CPE).
Figure 3-1 Tachyon, Inc. - The Network
TACHYON SATELLITE GATEWAY
The Gateway connects to backbone networks, providing a high-speed bridge between subscriber CPEs and the Internet, Intranets, and/or Extranets. The Gateway includes a large satellite antenna.
SATELLITES
Tachyon utilizes geostationary satellites. Geostationary satellites are positioned over the equator at an altitude of about 22,000 miles, such that they appear to be stationary in the sky. The CPE and Gateway antennas remain pointed at one satellite at all times.
TACHYON CUSTOMER PREMISE EQUIPMENT (CPE)
The CPE is the terminal that connects to a subscriber network and routes IP traffic via the satellite link to the Gateway and the terrestrial network. The CPE consists of a Tachyon Network Server, an Outdoor Unit (ODU) including a small satellite antenna with a radio, and a coaxial cable assembly that connects the Tachyon Network Server with the ODU.
TACHYON’S EXTENDED ENTERPRISE NETWORK ACCESS SERVICE
Data traverses the high-speed satellite link in both directions, providing two-way high-performance communications for each user on each subscriber LAN.
Tachyon has developed many innovative technologies to make high-speed communications over satellite a reality. Among these patented innovations is the ability to carry TCP/IP traffic at full speed. Tachyon optimizes the TCP/IP protocol to achieve full performance when transmitted over satellite. The following diagram briefly describes the protocol flow.
The Tachyon Proxy Server Technology Logical Implementation.
IPSEC PRIMER
For many years encryption technologies have been evolving. Until recently encryption was supported for private networks using proprietary algorithms and single-vendor solutions. With the rapid growth of the Internet it was imperative for the security industry to develop a standard for encrypting packets for transfer over the public network, providing general interoperability. IPSec has become the de facto standard for encrypting traffic on the Internet and has also become the standard for encryption in private networks, including most federal and many military networks.
IPSec currently has two basic modes: transport and tunnel. For the purposes of this primer the differences are not important. The important point to know is that IPSec in either mode encapsulates IP packets into a new IP packet. The contents of the original IP packet are encrypted and no longer visible to the outside until they pass the decryption process at the destination.
The Tachyon Gateway and Tachyon Customer Premise Equipment cannot accelerate TCP/IP traffic after the traffic has been encrypted with IPSec because the TCP header is also encrypted. Encrypted packets are still passed as IP packets, but the TCP acceleration is not applied. Therefore performance will be reduced.
By placing VPN Accelerators into the network just before the IPSec encryption devices, TCP/IP traffic reaches the VPNA in the clear and is accelerated, restoring TCP/IP performance.
SSL
A quick word about SSL. SSL, or Secure Socket Layer, is a very popular encryption method used with IP applications. Because SSL performs its encryption on the data payload prior to passing the packet on to the transport layer (TCP), SSL does not interfere with Tachyon's TCP/IP acceleration. However, when using HTTPS all HTML data is encrypted before the HTTP proxy can perform pre-fetch, so web sites using HTTPS (thus SSL) do load slower than regular HTTP sites. The VPNA cannot mitigate this slowdown.
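To make the two points above concrete (an IPSec-encrypted packet hides the TCP header from any accelerator downstream of the IPSec device, while SSL/HTTPS leaves the TCP header visible but hides the HTML from the pre-fetch proxy), here is an added example that is not Tachyon's code: it builds three constructed packets, clear HTTP, HTTPS, and the HTTP packet after ESP encapsulation, and reports what a TCP accelerator and an HTTP pre-fetch proxy could still use from each. The ESP encryption is a toy keystream XOR standing in for a real cipher, and all addresses, ports and the key are constructed values.

```python
"""Packet-visibility demo (added example, not Tachyon code). Shows why a TCP
accelerator placed after IPSec encryption has nothing to work with, while an
HTTPS packet still exposes its TCP header but not its HTML. The ESP cipher is a
toy keystream XOR so the example runs offline; real IPSec uses AES/3DES."""
import hashlib
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
HTTPS_PORT = 443
KEY = b"constructed-demo-key"   # constructed, not a real key


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip4(src), ip4(dst))


def tcp_header(sport, dport, flags=0x18):
    """Minimal 20-byte TCP header, no options, checksum zero (constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)


def toy_keystream(key, spi, seq, length):
    stream = b""
    block = 0
    while len(stream) < length:
        stream += hashlib.sha256(key + struct.pack("!III", spi, seq, block)).digest()
        block += 1
    return stream[:length]


def toy_esp_encapsulate(inner_packet, key, spi=0x1000, seq=1):
    """ESP tunnel-mode shape: SPI, sequence number, then the encrypted inner IP packet."""
    ks = toy_keystream(key, spi, seq, len(inner_packet))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(inner_packet, ks))


def toy_esp_decapsulate(esp_payload, key):
    """What the IPSec peer does at the far end: recover the original inner packet."""
    spi, seq = struct.unpack("!II", esp_payload[:8])
    body = esp_payload[8:]
    ks = toy_keystream(key, spi, seq, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def classify(packet):
    """Decide, from the outer IP header alone, what a VPNA-style TCP accelerator
    and an HTTP pre-fetch proxy could do with this packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        tls = HTTPS_PORT in (sport, dport)
        # TCP header readable: acceleration possible; pre-fetch only if HTML is in the clear.
        return {"protocol": "TCP", "sport": sport, "dport": dport,
                "tcp_visible": True, "accelerate": True, "prefetch": not tls}
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]
        # Only SPI and sequence number are readable; ports and flags are ciphertext.
        return {"protocol": "ESP", "spi": spi,
                "tcp_visible": False, "accelerate": False, "prefetch": False}
    return {"protocol": str(proto), "tcp_visible": False,
            "accelerate": False, "prefetch": False}


def build_samples():
    """Three constructed packets: clear HTTP, HTTPS, and the HTTP packet after IPSec."""
    http_body = tcp_header(40000, 80) + b"GET / HTTP/1.0\r\n\r\n"
    http = ipv4_header("10.1.1.20", "10.2.2.5", IPPROTO_TCP, len(http_body)) + http_body
    https_body = tcp_header(40001, HTTPS_PORT) + b"\x16\x03\x01\x00\x05hello"
    https = ipv4_header("10.1.1.20", "10.2.2.5", IPPROTO_TCP, len(https_body)) + https_body
    esp_body = toy_esp_encapsulate(http, KEY)
    esp = ipv4_header("192.0.2.1", "198.51.100.1", IPPROTO_ESP, len(esp_body)) + esp_body
    return {"http": http, "https": https, "esp": esp}


def recover_inner(esp_packet):
    """Strip the outer IP header and decapsulate, as the destination IPSec device would."""
    ihl = (esp_packet[0] & 0x0F) * 4
    return toy_esp_decapsulate(esp_packet[ihl:], KEY)


if __name__ == "__main__":
    samples = build_samples()
    for name, pkt in samples.items():
        print(name, classify(pkt))
    print("after decryption:", classify(recover_inner(samples["esp"])))
```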
VPNA PRIMER
In order to allow customers to use IPSec and still retain the benefits of Tachyon's technology we developed the VPNA (short for VPN Accelerator). The VPNA performs Tachyon's TCP acceleration prior to the IPSec encryption/encapsulation process. High performance is maintained and user data is fully secured via IPSec encryption.
The VPNA is a simple appliance to connect to your network. You simply insert the VPNA between your LAN and your IPSec device. The following diagrams depict a network before and after installation of a VPNA.
Figure: Site before installing the VPNA (LAN, IPSec Device, WAN Router/CPE, WAN).
Figure: Site after installing the VPNA (LAN, Tachyon VPNA, IPSec Device, WAN Router/CPE, WAN).
The VPNA comes with two 10/100 BaseTX Ethernet interfaces providing quick compatibility with most networks.
The VPNA has two basic modes of operation to support most LAN configurations: Bridge Mode and Routed Mode. In Bridge Mode the VPNA gets a single IP address on the sub-network and bridges traffic between its two interfaces, both on the same sub-network. In Routed Mode, the WAN and LAN sides of the VPNA get different IP addresses corresponding to two separate sub-networks and the VPNA routes packets between the two networks.
The VPNA supports IP aliases on its interfaces to provide additional flexibility in supporting your network architectures.
Bridge and Route modes are described in further detail in the Configuration Section.
VPNA TOPOLOGIES
For networks using IPSec, a VPNA is required at each site where there is an IPSec device. In general the routing aspects of the VPNA are similar to those of the IPSec devices. The VPNA-100 is designed for placement at remote sites with a CPE and the AF5000 Series VPNA is designed for the Headquarters sites. This document applies only to the AF5000 Series VPNA.
In this handbook we describe these basic topologies:
• Single Remote Site
• Multiple Remote Sites with a Single Headquarters
• Multiple Remote Sites with Multiple Headquarters
• Adding clear text access to the Internet at the Gateway
• Adding clear text access to the Internet at Headquarters
• An alternate method - Encrypting at the Tachyon Satellite Gateway
In this section we present the concepts associated with the basic topologies. In the next section we walk through example networks and provide worksheets for each of the different topologies to simplify organizing IP addresses and routes.
SINGLE REMOTE SITE TOPOLOGY
Most networks involve more than one site so this topology is primarily provided to introduce the basic principles; although all networks must have their first site to come online.
The following diagram identifies the key network components and how they are interconnected:
Figure: Single Remote Site Configuration. Remote Site: Clients on the LAN, Tachyon VPNA 100, IPSec, CPE. Satellite (WAN) to the Tachyon Gateway and the Internet. Headquarters: WAN Router, IPSec, Tachyon VPNA 5000, LAN with Server and Clients.
The CPE-side VPNA can be configured in Bridge Mode or Routed Mode depending upon the desired LAN topology. As mentioned earlier, one advantage of Bridge Mode is ease of configuration.
NOTE: If Routed Mode is implemented on the CPE-side VPNA and Network Address Translation (NAT) is not being used, then the Tachyon Network Operations Center (NOC) must be notified of the additional sub-network so they can make the appropriate entries to allow the CPE to route to the sub-network behind the VPNA. You will need to provide the NOC with the IP address of the VPNA as it is the default gateway to reach the internal sub-network.
At the Headquarters side the VPNA can also be configured in Bridge or Routed Mode. Again, the selection of Bridge Mode in this case is preferred to simplify network reconfiguration.
In this scenario all traffic from the remote site is destined for Headquarters. The CPE-side VPNA is configured with a route to the VPNA at Headquarters and similarly the VPNA at Headquarters is configured with a route to the VPNA at the remote site.
MULTIPLE REMOTE SITE - SINGLE HEADQUARTERS TOPOLOGY
This topology is just an extension of the Single Site case. Each remote site VPNA has a route to the Headquarters VPNA and the Headquarters VPNA has a route entry for each of the VPNAs at the remote sites. Communication between remote sites requires packets to go through Headquarters.
Figure: Multiple Remote Sites with a Single Headquarters. Remote Sites 1 to N, each with Clients on the LAN, Tachyon VPNA 100, IPSec and CPE. Satellite (WAN) to the Tachyon Gateway and the Internet. Headquarters: WAN Router, IPSec, Tachyon VPNA 5000, LAN with Server and Clients.
MULTIPLE REMOTE SITE - MULTIPLE HEADQUARTERS TOPOLOGY
Many corporations or extranets require that remote sites be able to communicate with a number of Headquarters locations. For example a remote bank may have to exchange certain data with Corporate Headquarters as well as with regional banks.
In these cases the IPSec equipment may be configured to allow direct communication between the remote sites and the corporate or regional sites. The VPNA can be configured to support this topology.
Each CPE-side VPNA gets a route for each of the Headquarters sites. Similarly, each Headquarters VPNA has a route for each remote VPNA it needs to communicate with.
The following diagram depicts the topology:
Figure: Multiple Sites with Multiple Headquarters. Remote Sites 1 to N, each with Clients on the LAN, Tachyon VPNA 100, IPSec and CPE. Satellite (WAN) to the Tachyon Gateway and the Internet. Headquarters 1 to N, each with WAN Router, IPSec, Tachyon VPNA 5000, and a LAN with Server and Clients.
ADDING CLEAR TEXT INTERNET ACCESS AT THE TACHYON GATEWAY
The previous examples described completely private networks with only encrypted packets transiting the Internet. It may be desirable to offer clients at the remote sites access to the general Internet unencrypted.
One method to accomplish this is to configure Internet browsers on the CPE-side LAN to use the CPE as their default gateway and configure the IPSec devices to allow packets destined to the general Internet to pass through the IPSec device unencrypted.
If remote sites access a web-enabled application that is hosted at Headquarters they will need to change their proxy settings to switch between accessing the Internet and Headquarters.
ADDING CLEAR TEXT INTERNET ACCESS AT HEADQUARTERS
Some corporations may want to provide general Internet access to remote sites but prefer to have all traffic transit Headquarters where packets can be filtered and inspected.
In this configuration packets are encrypted between the remote site and Headquarters, creating a VPN tunnel. At Headquarters packets are routed to/from the general Internet. Because the routing happens outside the Tachyon network there are no configuration changes to the VPNA.
AN ALTERNATE METHOD - ENCRYPTING AT THE TACHYON SATELLITE GATEWAY
Many networks require a high level of security to keep their data completely private. For these networks, end-to-end encryption is the only solution. Some networks, however, transfer data that is sensitive but may not warrant the additional expense of a full IPSec solution.
CIO or IT managers putting together a network should consider a topology where an IPSec tunnel over the public Internet is set up between the Tachyon Gateway and the corporate Headquarters. This architecture does not require an IPSec device at each site. This significantly lessens the cost of ownership, as these devices do not need to be procured or managed. In this configuration VPNA devices are also not required.
Consideration for this architecture requires a careful review of security requirements. Packets will transit the satellite link without IPSec encryption. Tachyon's combination of network partitioning along with unique modulation and error correction schemes makes it difficult to intercept a transmission. However, malicious interception is indeed possible with some effort.
CONNECTING AND CONFIGURING THE VPNA
This document assumes you already have a working Tachyon network and are adding the VPNA to integrate IPSec technology into the network.
This section includes:
• A quick start section to get you into the configuration pages.
• Instructions on configuring the VPNA for different network topologies.
QUICK START
The experienced network professional may find that the VPNA configuration menus provide enough context-sensitive help that they can proceed through the menus and configure their network. However, we strongly suggest a quick read of this section and the Theory of Operation section in order to fully understand the features and benefits of the VPNA and to obtain optimum performance.
When configuring the VPNA it is important to remember that TCP acceleration is separate from IP delivery. Therefore the VPNA must first be configured correctly for delivery of IP traffic; only then can TCP acceleration be configured. If the CPE-side VPNA cannot find a route to deliver IP traffic to the Headquarters-side VPNA then TCP acceleration will fail also. However, if IP traffic is correctly delivered from the CPE-side VPNA to the Headquarters-side VPNA (e.g. ping works), any remaining problems can be isolated to the TCP configuration.
A common symptom of this kind of configuration problem is that pinging between sites works yet connecting with ftp fails. If this occurs, review your TCP acceleration routes and make sure that the CPE-side is correctly configured to point at the Headquarters-side and vice versa. Use the "TCP Test" tool to diagnose TCP problems. See the troubleshooting section for more causes and solutions.
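An added example (not the VPNA's own tooling) that applies the route rule from the Topologies section to the symptom just described: given which remote sites must reach which Headquarters sites, it derives the acceleration routes every VPNA needs and flags a route that exists in only one direction as the "ping works but TCP fails" case. The VPNA names and the route table are constructed.

```python
"""Acceleration-route consistency check for a VPNA deployment (added example,
not Tachyon software). Each remote VPNA must point at every Headquarters VPNA it
talks to, and each Headquarters VPNA must point back at every remote VPNA."""


def expected_routes(needs):
    """needs: (remote_vpna, headquarters_vpna) pairs that must communicate.
    Returns {vpna: set(peers)} with a route in both directions for each pair."""
    routes = {}
    for remote, hq in needs:
        routes.setdefault(remote, set()).add(hq)
        routes.setdefault(hq, set()).add(remote)
    return routes


def find_route_problems(configured, needs):
    """Compare the configured acceleration routes with what the topology needs.
    Returns a list of (vpna, missing_peer, symptom) tuples, empty if all is well."""
    required = expected_routes(needs)
    problems = []
    for vpna, peers in required.items():
        have = configured.get(vpna, set())
        for peer in sorted(peers):
            if peer in have:
                continue
            # If the peer points at us but we do not point back, IP delivery still
            # works (ping succeeds) while acceleration is one-sided, which is the
            # "ping works but ftp fails" symptom described in the Quick Start.
            if vpna in configured.get(peer, set()):
                symptom = "one-way route: ping works, TCP acceleration fails"
            else:
                symptom = "no route in either direction"
            problems.append((vpna, peer, symptom))
    return problems


# Constructed sample: Multiple Remote Sites with a Single Headquarters.
NEEDS = [("remote1-vpna100", "hq-af5100"), ("remote2-vpna100", "hq-af5100")]

# Constructed route table; the Headquarters VPNA lacks the return route to remote 2.
CONFIGURED = {
    "remote1-vpna100": {"hq-af5100"},
    "remote2-vpna100": {"hq-af5100"},
    "hq-af5100": {"remote1-vpna100"},
}

if __name__ == "__main__":
    for vpna, peer, symptom in find_route_problems(CONFIGURED, NEEDS):
        print(f"{vpna}: missing route to {peer} ({symptom})")
```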
CONNECT THE TACHYON VPNA:
The VPNA goes just in front of your IPSec device on the LAN side. Assuming you have a working network, to add a VPNA device you simply disconnect the Ethernet cable from the LAN-side of your IPSec device and connect it to the LAN-side port on
the VPNA. You then connect a cable from the WAN-side port on the VPNA to the now open port on the IPSec device.
The VPNA has 10/100BaseTX interfaces. Normally the Ethernet cables to/from the
VPNA will be straight-through cables.
For optimum performance the IPSec device and LAN should support 100 Mbps transfers and full duplex operation.
Safety Tip: A cable is provided with the VPNA to interconnect it to your IPSec device. If you choose not to use this cable, make sure to select a good quality CAT-5 LAN cable (shielded recommended) for interconnecting the Tachyon VPNA.
The following diagram depicts a typical installation:
[Diagram] Site before installing the VPNA: WAN Router/CPE on the WAN side, then the IPSec Device, then the LAN.
[Diagram] Site after installing the VPNA: WAN Router/CPE on the WAN side, then the IPSec Device, then the Tachyon VPNA, then the LAN.
GETTING ACCESS TO THE VPNA CONFIGURATION MENUS
Once you have connected the VPNA to the local network you are ready to configure it.
The VPNA has two control interfaces: a serial interface and its Ethernet interfaces. Using these control interfaces is described in more detail below.
When accessing the VPNA you will need to log in. Use the following factory default username and password:
Login: admin Password: vpna
Once you access the VPNA menus you can change the password.
NOTE: Remember your password. If you forget your password you can only access the VPNA by connecting to the serial port and logging in as admin with a password of eraseconfig. Using this login will reset the VPNA to its factory default values and all configuration information previously entered will be lost.
INITIAL ACCESS VIA AN ETHERNET PORT
The VPNA ships from the factory with the default address of 192.168.1.1 and a netmask of 255.255.255.0. You can gain initial access to the configuration menus by connecting a PC or workstation that is configured for this sub-network to the LAN port. Once you have connected the PC or workstation with the proper IP configuration, simply point your browser to the IP address of the VPNA (192.168.1.1). You should see the prompt "Login:". If you do not, make sure you can ping the VPNA from your PC or workstation. You may need to restart your computer if you changed IP addresses. You also need to make sure the VPNA is powered on. Once you have set the initial IP parameters of the VPNA you can reconnect it to your network and access it from any client on the LAN (depending on firewalls and other security).
INITIAL ACCESS VIA THE SERIAL PORT
You can also configure the VPNA via the serial port. To do this you need a terminal emulation program running on your PC or workstation, configured for 9600-N-8-1 (that is, 9600 baud, no parity, eight bits per character, and 1 stop bit). If you have the option, select VT-100 emulation. The VPNA is supplied with a serial cable that should work with most PCs and laptops.
Once you have the terminal emulation program configured and the serial cable hooked up to the VPNA, hit "Enter" a couple of times. You should see the prompt "Login:". If you do not, then the terminal emulation program is not configured properly, you are on the wrong serial port on your PC/workstation, or the cable is not appropriate for your PC/workstation. You also need to make sure the VPNA is powered on.
There are two logins for the serial interface. The first login enters the graphical user interface and the second login is the actual VPNA login. The login ID and password are the same for both. Once you have logged on to the VPNA using the serial
interface, you will be connected to the VPNA’s web interface using a character based web browser. The most convenient way to proceed with the configuration is to
navigate (using the instructions provided at the bottom of your screen) to the Basic Configuration link, change the VPNA’s LAN IP Address to an address compatible with
your network, and proceed with the configuration from a client based web browser as described in CONFIGURING THE AF5000 Series VPNA.
CONFIGURING THE AF5000 SERIES VPNA
The configuration of the VPNA depends on your network topology. Please read the Theory of Operation section to become familiar with the various network topologies.
The recommended method for accessing the VPNA menus is using a web browser on a LAN client. The menus are also available via the serial port. These menus are very similar to the web-based menus. Only the web-based menus are described in this document.
Refer to the previous section to get to the point where you are at the Main Menu.
The Main Menu of the VPNA is the starting place to enter, view and modify all VPNA parameters. You can return to the Main Menu by clicking the top link labeled "Tachyon VPNA". If you are accessing the VPNA from the terminal interface you can
access the Main Menu by pressing the M or H keys. A handy link to Tachyon's web site is just below. The following figure shows the Main Menu.
Use the Setup Wizard to walk through configuration items for a new device.
If you are changing a device between Bridge Mode and Route Mode you will need to run the Setup Wizard again.
If you are changing IP addresses on a VPNA device you can edit the parameters under the Basic Configuration link.
NOTE: If you are using a device that was previously configured and want to start from the default values you must access the login prompt via the serial port and login as 'admin' with a password of 'eraseconfig'.
AF5000 SERIES VPNA CONFIGURATION
Select the Setup Wizard from the Main Menu.
You will see the following screen:
Select "Bridge" or "Route" and then press the "Next =>" button.
BRIDGE MODE CONFIGURATION
Selecting Bridge Mode will bring up the next Setup Wizard Menu:
Clicking on “example configuration” will display the following:
In the Basic Configuration menu, enter a Hostname if you wish to identify this VPNA in SNMP messages and HTTP error messages.
NOTE: You cannot use underscores or spaces in the Hostname.
Enter the LAN IP Address you have reserved for the VPNA and the corresponding LAN Netmask. Press the "Next =>" button.
NOTE: You have the option of entering the netmask in the form /n, where n designates a netmask with the first n bits set to 1. For example 255.255.255.0 is the same as /24.
You will now see the following menu:
Enter the IP address of the WAN Router. This will typically be the IPSec device and the device that the machines on the LAN use as their Default Gateway. With this
entry you are instructing the VPNA to use this device as its Default Gateway.
If you know the Ethernet address of the WAN Router you can enter it. Ethernet addresses consist of six octets separated by colons; for example 00:0a:b4:e0:01:02. Enter the colons. If you are unsure of the Ethernet address
leave the entry blank and the VPNA will auto-discover it. The VPNA will check for the Ethernet address once every minute.
NOTE: If you change the WAN Router in the future, you will need to update these entries and reboot the VPNA. Again, make sure the WAN Router (IPSec device) is powered on before you reboot the VPNA if you want the VPNA to auto-discover the Ethernet address. The auto-discover mechanism will retry the WAN Router once every minute.
Press the "Next =>" button to advance to the Prefetch Configuration menu.
You may add multiple DNS servers for the AF5000 Series VPNA. The DNS servers will be searched in the order in which you add them.
Press the "Next =>" button to advance to the Configuration Review menu.
Review the entries. Use the "<= Back" button to go back and correct any entries. When the entries are correct press the "Reboot =>" button. Changes will then be
committed and the VPNA will reboot. Your browser will display the following page:
This page will update to show the current status of the VPNA, unless you have given the VPNA a new IP address. If the VPNA has been assigned a new IP address, this page will continually show the “Rebooting” state because the browser cannot connect to the VPNA.
If you have given the VPNA a new IP address, you may also have to reconfigure the networking on your local machine to be on the same network as the VPNA. After making any necessary networking changes on your local machine, you will have to browse to the new IP address of the VPNA.
Your VPNA is now configured in “Bridge Mode”.
Before the AF5000 Series VPNA will accelerate TCP traffic, IP and TSP routes need to be added. See the discussion of routes following the section on “Route Mode Configuration”.
ROUTE MODE CONFIGURATION
Selecting Route Mode will bring up the next Setup Wizard Menu:
Enter a Hostname if you wish to identify this VPNA in SNMP messages and HTTP error messages.
NOTE: You cannot use underscores or spaces in the Hostname.
Enter the LAN IP Address you have reserved for the VPNA and the corresponding LAN Netmask. Enter the WAN IP Address you have reserved for the VPNA and the corresponding WAN Netmask.
Press the "Next =>" button to advance to the Prefetch Configuration menu.
You may add multiple DNS servers for the AF5000 Series VPNA. The DNS servers will be searched in the order in which you add them.
Press the "Next =>" button to advance to the Configuration Review menu.
Review the entries. Use the "<= Back" button to go back and correct any entries. When the entries are correct press the "Reboot =>" button. Changes will then be
committed and the VPNA will reboot. Your browser will display the following page:
This page will update to show the current status of the VPNA, unless you have given the VPNA a new IP address. If the VPNA has been assigned a new IP address, this page will continually show the “Rebooting” state because the browser cannot connect to the VPNA.
If you have given the VPNA a new IP address, you may also have to reconfigure the networking on your local machine to be on the same network as the VPNA. After making any necessary networking changes on your local machine, you will have to browse to the new IP address of the VPNA.
Your VPNA is now configured in “Route Mode”.
Before the AF5000 Series VPNA will accelerate TCP traffic, IP and TSP routes need to be added. See the following discussion of routes.
ROUTES
Select the "Routes" link from the Main Menu.
IP routes are needed for both “Route Mode” and “Bridge Mode.” In “Bridge Mode” the VPNA only needs IP routes to accelerate TCP traffic; non-TCP traffic is simply bridged from one interface to the other.
In a typical deployment, you will add the default IP route to the gateway router on
the LAN Network (e.g. destination 0.0.0.0, netmask 0.0.0.0, and gateway 172.30.2.101). However, your network may vary. Press the "Add" button when you have made the entries.
Next, you will enter two routes for each VPNA-100 that is to be connected to this AF5000 Series VPNA. The first route is a general IP Route for all traffic. The second route is a TSP Route used for TCP acceleration. The following picture shows
the Routes configuration page with the required routes for a single VPNA-100. Note that the routes that do not have “Delete” buttons next to them are routes resulting from the AF5000 Series VPNA’s network interfaces.
For the IP Route enter the Destination network address (e.g. 172.20.2.0), the corresponding Netmask (for this example 255.255.255.0), and the IP address of the local IPSec device (e.g. 172.30.2.1) or of the next hop router for the destination network. Press the "Add" button when you have made the entries.
For the TSP Route enter the Destination address (172.20.2.0) and the corresponding Netmask (for this example it would be 255.255.255.0) and the IP address of the VPNA-100 at the remote site. Select "Remote" since this route is for
a 'remote' network. Press the "Add" button when you have made the entries.
For each new TSP Gateway that is added, an entry is created in the “Rate To TSP Gateway” table. The default is the maximum rate of 2.045 Mbps. However, if the actual link is slower than this rate, then tuning the AF5000 Series VPNA to the
actual rate will yield better link utilization.
Repeat the above steps for each remote VPNA-100 site you want to have connectivity to this Headquarters site.
If you need to target any device that is between an AF5000 Series VPNA and a VPNA-100 (the IPSec router, for example), you must create a non-accelerated TSP route to the device by specifying a TSP Mode of “none.” For example, to access the IPSec device at 172.20.2.1 from the VPNA at 172.30.2.2 you must enter the following TSP Route: destination 172.20.2.1, netmask 255.255.255.255, TSP Gateway 0.0.0.0, TSP Mode “none.”
If you have a default “remote” TSP route, you will need to specify “local” TSP routes for each subnetwork that is not to be accelerated. Additionally, you will need to specify “local” for any subnets that are not to be accelerated within a “remote” network.
Specifically, a TSP Mode of “local” means, “do not accelerate if the destination IP address matches the TSP route destination.” A TSP Mode of “none” means, “do not accelerate if the source or destination IP address matches the TSP route destination.”
Press the “Done” button when you are finished adding routes.
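The route rules above (the /n netmask shorthand from the Basic Configuration note, longest-match IP routes, and the three TSP modes) can be made concrete with a small model. The following Python is an added example written for this handbook page; it is not Tachyon's firmware or any code from the product. It assumes that a “none” route matching either endpoint of a flow overrides any “local” or “remote” route, and that among the remaining routes the most specific destination wins, with ties going to the route entered first. The addresses reuse the handbook's examples, taking 172.20.2.2 as the remote VPNA-100 (the VPNA 1000 address used in the Auto Fail-Over example).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Added model of the Routes page semantics; not Tachyon's code.
# Assumption: a "none" route matching source OR destination always wins;
# otherwise the most specific "local"/"remote" destination match decides.


def parse_netmask(mask: str) -> int:
    """Accept "/n" or dotted form and return the prefix length.
    Rejects non-contiguous masks such as 255.0.255.0."""
    if mask.startswith("/"):
        n = int(mask[1:])
        if not 0 <= n <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return n
    bits = int(IPv4Address(mask))
    n = bin(bits).count("1")
    # A valid mask is n ones followed by (32 - n) zeros.
    if bits != (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return n


def valid_netmask(mask: str) -> bool:
    try:
        parse_netmask(mask)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class IpRoute:
    destination: IPv4Network
    gateway: IPv4Address        # next hop, e.g. the local IPSec device


@dataclass(frozen=True)
class TspRoute:
    destination: IPv4Network
    gateway: IPv4Address        # remote VPNA-100; 0.0.0.0 for local/none
    mode: str                   # "remote", "local" or "none"


def ip_route(dest: str, mask: str, gateway: str) -> IpRoute:
    net = IPv4Network(f"{dest}/{parse_netmask(mask)}", strict=False)
    return IpRoute(net, IPv4Address(gateway))


def tsp_route(dest: str, mask: str, gateway: str, mode: str) -> TspRoute:
    if mode not in ("remote", "local", "none"):
        raise ValueError(f"unknown TSP mode: {mode}")
    net = IPv4Network(f"{dest}/{parse_netmask(mask)}", strict=False)
    return TspRoute(net, IPv4Address(gateway), mode)


def longest_match(routes, addr: IPv4Address):
    """Classic longest-prefix match; ties go to the route entered first."""
    best = None
    for r in routes:
        if addr in r.destination and (
            best is None or r.destination.prefixlen > best.destination.prefixlen
        ):
            best = r
    return best


def ip_next_hop(routes: List[IpRoute], dst: str) -> Optional[IPv4Address]:
    """Where plain IP traffic for dst is forwarded (the IP Route table)."""
    best = longest_match(routes, IPv4Address(dst))
    return best.gateway if best else None


def tsp_gateway_for(routes: List[TspRoute], src: str, dst: str) -> Optional[IPv4Address]:
    """TSP Gateway a TCP flow src->dst is accelerated to, or None when the
    flow must not be accelerated (the TSP Route table)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    # "none": no acceleration if the SOURCE or destination matches, which is
    # how the IPSec device between the VPNAs is reached unaccelerated.
    for r in routes:
        if r.mode == "none" and (s in r.destination or d in r.destination):
            return None
    # "local" / "remote": the most specific destination match decides.
    best = longest_match([r for r in routes if r.mode != "none"], d)
    if best is None or best.mode == "local":
        return None
    return best.gateway
```

Because ip_next_hop and tsp_gateway_for consult separate tables, a correct IP Route table with an empty or wrong TSP Route table yields a next hop for every destination but no TSP Gateway for any flow. That is the ping-works-but-TCP-fails situation described in the Quick Start and Troubleshooting sections: IP delivery and TCP acceleration are decided independently.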
PRE-FETCH CONFIGURATION
If you are adding VPNAs to an existing Tachyon connection you are already familiar with the benefits of our patented pre-fetch technology. By configuring your web
browsers to use the VPNA as your web proxy you will retain your improved performance for HTTP-based applications.
On each client machine configure the web browser (most likely Internet Explorer or Netscape) to use the VPNA-100 as its web proxy. Enter the IP address of the VPNA-100 and the port number 3128. The CPE Handbook has example screens that describe how to modify the proxy settings for Internet Explorer and Netscape.
NOTE: If you want to access any local machines with web interfaces (such as the
VPNA or the IPSec device) from a specific client then make sure to configure that client to exclude local addresses from using the proxy.
The AF5000 Series VPNA is the default HTTP Proxy Parent for VPNA-100 Prefetching HTTP Proxies. Therefore, the AF5000 Series VPNA needs to resolve URLs via one or more Domain Name System (DNS) servers. Configure the DNS server search from the Prefetch Configuration Menu. The DNS servers will be searched in the order in which you add them.
STATUS
This menu provides current status on the VPNA-100 including the Version number of the software.
LINK TEST
Follow these steps to verify your VPNA has been set up correctly. Do not proceed to the next step if the current test is not successful. This test assumes you have a client VPNA-100, which is being brought online with the AF5000 Series VPNA.
1. Ping the VPNA-100 and AF5000 Series VPNA from a client on your LAN. This should succeed if you have been using the LAN Ethernet port to configure the VPNA. If the ping does not work, check that the LAN and WAN Ethernet ports are cabled up correctly and the interfaces' link lights are on. Verify that the IP address and Netmask are correct on both the client and the VPNA.
2. From the same client on the LAN, ping the WAN Router (IPSec device) on the other side of the VPNA. This tests the VPNA's local routes. If this fails, check the Routes page on the VPNA and make sure there is an entry for the local network(s). If pings from the client fail, try a ping of the WAN Router from the VPNA. There is a link to the Ping Menu from the VPNA's Main Menu. If this fails, reboot the VPNA and the WAN Router. It is possible that the ARP cache on these machines is incorrect.
3. From a client on the LAN that has access permission to a remote network behind a VPNA-100, ping the VPNA-100 at the remote site. If the VPNA-100 at the remote site is in Route Mode, ping its WAN interface. If this fails, make sure the Headquarters' VPNA has a route to the remote site. Also make sure your IPSec equipment is configured correctly. Since the IPSec equipment sits 'inside' the VPNAs, connectivity between IPSec devices on the WAN is not affected by the VPNAs.
4. From this client, ping a machine on the remote network. If this fails it is possible that the VPNA-100 needs to be updated with the route information to reach the remote subnet.
TCP TEST
When commissioning a new AF5000 Series VPNA it is suggested TCP acceleration be verified. The TCP Test conducts a TCP connection test directly between the AF5000
Series VPNA and the designated VPNA-100. This simplified test can help isolate IPSec, IP Route, and TSP Route problems.
Before performing the TCP Test use the Ping utility to verify basic IP connectivity between the AF5000 Series VPNA and the VPNA-100.
Once you have verified basic IP connectivity using Ping, go to the TCP Test menu. The only entry in the TCP Test menu is the IP address of the VPNA-100 with which you wish to test TCP acceleration.
The following figure shows the TCP Test menu screen:
If the test fails, verify both machines have TCP acceleration enabled. You can find the TCP acceleration menu in the Services Menu, which is accessed from the Advanced Functions menu. If you find one or both of the machines have TCP acceleration disabled, enable TCP acceleration and retry the tests beginning with the Ping.
If the test still fails, review your exact steps and make sure the IP address you are using for the Ping and for the TCP Test are the same and are the IP address of the AF5000 Series VPNA.
If the test still fails contact your service provider.
SHUTDOWN
Use this menu to reboot or halt the VPNA before powering down.
ADVANCED TOPICS
The VPNA has several menus that you probably will not need to access for normal operation. To lessen security concerns, Telnet and SNMP are not permitted in the default configuration of the VPNA. If you have relocated a VPNA from another site
be sure to review these menus to make sure the state of these protocols meets your security guidelines.
The menus for these features are located under the Advanced Functions link in the Main Menu. If you select Advanced Functions you will see the following menu.
SERVICES
By disabling certain types of access to the AF5000 Series VPNA, you can increase the security of your network. From this screen you can enable or disable telnet and HTTP access. You can also disable or enable TSP acceleration.
If you disable both telnet and HTTP access, the only way to access your AF5000 Series VPNA is by connecting to the serial port at the back of the AF5000 Series VPNA.
Generally, you will only need to disable TSP acceleration to aid in debugging the network. Your remote VPNA-100 and the corporate AF5000 Series VPNA must both have TSP acceleration enabled, or both have it disabled, to pass traffic. Note that an alternate way of disabling TSP acceleration on the AF5000 Series VPNA is to change the TSP Route type from remote to none.
SNMP CONFIGURATION
From the SNMP menu you can enable LAN and/or WAN SNMP access, as well as add community strings.
INTERFACE ALIASES
Aliases provide additional integration and management flexibility. An alias adds an IP address to the VPNA's physical Ethernet port (LAN or WAN). IP addresses configured before adding an alias remain functional.
MTU CONFIGURATION
Some IPSec devices expand the size of TCP packets. If this is done and the VPNA MTU size is not large enough to fit the encrypted packet then the packet is
fragmented. In some cases these fragmented packets will be rejected when received at the other end.
Setting the MTU size should be done carefully and with full knowledge of the IPSec equipment connected to the VPNA. Incorrect MTU size entries will adversely affect
performance.
The default value for the MTU size is 1400 bytes.
RADIUS CONFIGURATION
This menu allows you to configure the VPNA to use one or more RADIUS authentication servers to control who has administration access to the VPNA. When RADIUS authentication is not enabled, the built-in username admin is the only username allowed access into the VPNA. The admin password can be changed on the Password Menu, which is reachable from the Main Menu. This is the default configuration when you receive your VPNA.
Once RADIUS authentication is enabled, remote access via telnet must authenticate against a username/password configured in a RADIUS server. Starting at the first server on the page and working down, each server is checked for authentication. Only if a server does not respond is the next server in the list checked. Therefore, users configured to access the VPNA should be configured identically in each RADIUS server.
Serial port access works like telnet access when RADIUS authentication is activated, with an additional check of the built-in username. This additional check allows you to still access the VPNA if your network connecting to the RADIUS authentication server(s) is down.
HTTP access never checks the RADIUS servers. It is therefore suggested that HTTP access be disabled after RADIUS authentication is enabled.
In order for RADIUS authentication to be enabled you must enter at least one RADIUS Server IP into the page. The Port is optional and may be left blank to reach the server at the default authentication port of 1812 and accounting port of 1813. If you specify a Port, p, then the accounting port will be p + 1. The Time field is the number of seconds to wait for a response from the server before moving on to the next server. The Key is the shared secret key that needs to be the same on the RADIUS server.
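As an added example (not Tachyon's code), the following Python models the login decision described in this section: the port derivation, the walk down the server list that advances only on a timeout, and the built-in admin fallback on the serial port. Two points are assumptions rather than statements from the handbook: a telnet login is denied when no server responds at all, and the built-in account is consulted on the serial port only when no RADIUS server answered. Server behaviour is stubbed with constructed user tables.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Added model of the VPNA's RADIUS administrator login sequence; not Tachyon's code.
DEFAULT_AUTH_PORT = 1812
DEFAULT_ACCT_PORT = 1813
BUILTIN_USER = "admin"

# A server answers "accept", "reject", or None when it does not respond
# within the configured Time (seconds).
RadiusServer = Callable[[str, str], Optional[str]]


def radius_ports(port: Optional[int]) -> Tuple[int, int]:
    """Blank Port field -> 1812/1813; explicit Port p -> authentication on p,
    accounting on p + 1."""
    if port is None:
        return DEFAULT_AUTH_PORT, DEFAULT_ACCT_PORT
    if not 1 <= port <= 65534:
        raise ValueError("Port must leave room for the accounting port p + 1")
    return port, port + 1


def make_server(users: Dict[str, str], reachable: bool = True) -> RadiusServer:
    """Stand-in for a RADIUS server built from a constructed user table."""
    def check(user: str, password: str) -> Optional[str]:
        if not reachable:
            return None                      # timed out after Time seconds
        return "accept" if users.get(user) == password else "reject"
    return check


def radius_chain(servers: List[RadiusServer], user: str, password: str) -> Optional[str]:
    """Walk the server list top to bottom, moving on ONLY when a server does
    not respond. A reject from the first reachable server is final, which is
    why the handbook wants identical user entries on every server."""
    for server in servers:
        verdict = server(user, password)
        if verdict is not None:
            return verdict
    return None                              # no server answered


def admin_login(servers: List[RadiusServer], user: str, password: str,
                via_serial: bool, builtin_password: str) -> bool:
    """True if administration access is granted with RADIUS enabled.
    telnet: the RADIUS verdict alone decides (assumption: all servers silent
            means denied).
    serial: same, plus the built-in admin account when no server answered, so
            the console still works while the RADIUS network is down
            (assumption: the fallback applies on no response, not on reject).
    HTTP is not modelled: the handbook says it never checks RADIUS."""
    verdict = radius_chain(servers, user, password)
    if verdict == "accept":
        return True
    if verdict is None and via_serial:
        return user == BUILTIN_USER and password == builtin_password
    return False
```

The second assertion group in particular shows why the handbook insists on identical user entries: a server that is up but does not know the user rejects the login, and the servers below it are never asked.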
AUTO FAIL-OVER CONFIGURATION
This menu allows you to configure the VPNA to act as a backup for other 5000 Series VPNAs in your network.
Selecting the example link will bring up a new window with the following detailed description:
The Auto Fail-Over feature of the 5000 Series VPNA (VPNA 5000) allows multiple VPNA 5000s to provide backup capacity for each other. The following diagram shows a generic network with a Primary VPNA 5000 and a single Backup VPNA 5000. When the backup VPNA 5000 is properly configured, it will accelerate traffic not only for its own network, but for the primary VPNA 5000's network as well.
Network redundancy may be implemented using protocols such as RIP, EIGRP, OSPF, manual switch-over, etc. The implementation of network redundancy is irrelevant to the VPNA 5000 functionality, as long as symmetric routing is guaranteed.
1000 series VPNA accelerators (VPNA 1000) typically have a default TSP route to a VPNA 5000 acting as the TSP Gateway. When Auto Fail-Over is disabled, a VPNA 5000 will pass through accelerated traffic that has a TSP Gateway different from its own IP address. When Virtual IP Address mode is enabled, a VPNA 5000 will accept accelerated traffic whose TSP Gateway matches its Virtual IP Address, and mark accelerated packets as being sourced from the Virtual IP Address.
When Network Address Translation (NAT) is enabled, a VPNA 5000 will accept accelerated traffic when the pair (source IP, TSP Gateway IP) matches an entry in the NAT Table. Also, the VPNA 5000 will mark accelerated packets to one of the NAT sources as originating from the TSP Gateway IP in the matched pair.
Auto Fail-Over may be configured to use a single Virtual IP Address, or a NAT Table containing source/destination IP address pairs. Both the Virtual IP Address and the NAT Table entries may be specified. However, only one mode may be Enabled at any given time. Virtual IP Address and NAT Table modes may both be Disabled at the same time.
A TSP route must be entered in the Basic Functions | Routes page for each VPNA 1000 for which this VPNA 5000 is serving as a backup gateway.
If a Virtual IP Address is specified, all traffic accelerated to the Virtual IP Address that is routed to the VPNA 5000 will be processed. To configure the Backup VPNA 5000 in the example diagram:
• In the Routes page, add a TSP route with a Destination of 172.20.2.0, and a TSP Gateway of 172.20.2.2
• Set the Virtual IP Address to 172.20.3.2
• Enable Virtual IP Address Mode
If the NAT Table is enabled, only traffic bound to/from the source/destination address entries will be processed (in addition to traffic normally targeted to this VPNA 5000.) In the NAT Table, the Source IP is the IP Address of a VPNA 1000 for which this VPNA 5000 is serving as a backup gateway. The Destination IP is the IP Address of a VPNA 5000 for which this VPNA 5000 is serving as a backup gateway. To configure the Backup VPNA 5000 in the example diagram:
• In the Routes page, add a TSP route with a Destination of 172.20.2.0, and a TSP Gateway of 172.20.2.2
• Add an entry in the NAT Table with a Source IP of 172.20.2.2, and a Destination IP of 172.20.3.2
• Enable NAT Table Mode
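The acceptance rules in the Auto Fail-Over description, as an added Python model that is not Tachyon's code. The VPNA 1000 (172.20.2.2) and primary VPNA 5000 (172.20.3.2) addresses are the ones from the example above; the backup VPNA 5000's own address, 172.20.4.2, is a constructed value because the diagram does not reach this page. The model does not check that the required TSP route exists; it only decides whether an accelerated packet is accepted and which source address the accelerated replies are marked with.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional, Set, Tuple

# Added model of the VPNA 5000 Auto Fail-Over acceptance rules; not Tachyon's code.


@dataclass
class FailoverConfig:
    own_ip: IPv4Address
    virtual_ip: Optional[IPv4Address] = None
    # (Source IP of a VPNA 1000, Destination IP of the primary VPNA 5000)
    nat_table: Set[Tuple[IPv4Address, IPv4Address]] = field(default_factory=set)
    virtual_enabled: bool = False
    nat_enabled: bool = False

    def __post_init__(self) -> None:
        # Both a Virtual IP and NAT entries may be specified, but only one
        # mode may be Enabled at a time; both may be Disabled.
        if self.virtual_enabled and self.nat_enabled:
            raise ValueError("Virtual IP and NAT Table modes cannot both be enabled")
        if self.virtual_enabled and self.virtual_ip is None:
            raise ValueError("Virtual IP mode enabled without a Virtual IP Address")


def handle_accelerated(cfg: FailoverConfig, src: str, tsp_gateway: str) -> Optional[IPv4Address]:
    """For an accelerated packet from `src` addressed to `tsp_gateway`, return
    the address this VPNA 5000 marks its accelerated packets as coming from,
    or None if the packet is passed through untouched."""
    s, gw = IPv4Address(src), IPv4Address(tsp_gateway)
    if gw == cfg.own_ip:
        return cfg.own_ip          # traffic normally targeted at this unit
    if cfg.virtual_enabled and gw == cfg.virtual_ip:
        return cfg.virtual_ip      # stand in for the primary via the Virtual IP
    if cfg.nat_enabled and (s, gw) in cfg.nat_table:
        return gw                  # reply as the matched primary's address
    return None                    # fail-over off or no match: pass through


def backup_with_virtual_ip() -> FailoverConfig:
    """The handbook's first example: Virtual IP Address 172.20.3.2 enabled."""
    return FailoverConfig(IPv4Address("172.20.4.2"),            # constructed own IP
                          virtual_ip=IPv4Address("172.20.3.2"),
                          virtual_enabled=True)


def backup_with_nat_table() -> FailoverConfig:
    """The handbook's second example: NAT entry 172.20.2.2 -> 172.20.3.2."""
    return FailoverConfig(IPv4Address("172.20.4.2"),            # constructed own IP
                          nat_table={(IPv4Address("172.20.2.2"), IPv4Address("172.20.3.2"))},
                          nat_enabled=True)
```

The difference between the two modes is visible in the last NAT assertion: with the NAT Table, a VPNA 1000 that is not listed as a Source IP is passed through even though it targets the primary's address, whereas Virtual IP mode accepts any accelerated traffic addressed to the Virtual IP Address.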
LOAD CONFIGURATION
This menu allows the current operating configuration to be loaded from the computer that is being used to configure the AF5000 Series VPNA. You are prompted to locate the configuration file you want to load.
NOTE: When you commit the change all operating parameters will be replaced with the ones in the configuration file. You may want to save your current configuration to a temporary file before loading a new configuration.
SAVE CONFIGURATION
This menu allows the current operating configuration to be stored to the computer that is being used to configure the AF5000 Series VPNA. You are prompted to enter a file name (which will be appended with a .conf extension) and select a location to save the configuration file.
TROUBLESHOOTING
IPSec networks are often difficult to troubleshoot because end-to-end encryption prevents visibility between the ends. This section identifies key problems and suggests methods for identifying the source of the problems. In some cases, network security policy may disqualify the proposed method.
For problems that are not corrected by the troubleshooting techniques described in this section, contact the Service Provider for technical support.
This section includes:
• Troubleshooting procedures for partial connectivity.
• Troubleshooting procedures for interrupted connectivity.
• Troubleshooting procedures for degraded performance.
Before performing any of the troubleshooting procedures in this chapter, it is important to read Chapter 2 - VPNA Safety Information. Follow all safety
procedures when performing any troubleshooting operations.
PING WORKS BUT TCP/IP FAILS
It is sometimes the case that using ping to check connectivity between two sites will succeed, but a TCP connection between the same two sites will fail. This symptom usually indicates that TSP acceleration routing is incorrect. But it may also indicate an error in IP routing for the VPNAs that are in Bridge Mode, or one of the VPNAs has TSP acceleration disabled. When the VPNA intercepts TCP packets, it originates accelerated IP packets to move the TCP data. The VPNA’s IP routes are used to determine where to send these accelerated IP packets.
1 Verify that both VPNAs have TSP acceleration enabled.
Go to the service menu on each VPNA and verify that TSP acceleration is
marked as enabled.
2 Verify that the CPE-side VPNA has a TSP acceleration route marked as remote to the Headquarters-side VPNA address.
If the Headquarters-side VPNA is in Route Mode, use the Headquarters-side VPNA’s WAN address.
3 Verify that the Headquarters-side VPNA has a TSP acceleration route marked as remote to the CPE-side VPNA address.
If the CPE-side VPNA is in Route Mode use the CPE-side VPNA’s WAN address.
4 Verify IP routes for CPE-side VPNAs in Bridge Mode.
IP routing is not used in Bridge Mode when a packet can simply be bridged. Since ping packets are simply bridged, an error in IP routing will not be revealed by ping. However, TSP acceleration does not simply bridge packets, so IP routes must be correct.
LOSS OF WAN COMMUNICATION
Follow the systematic troubleshooting procedure described here if there is no communication between a remote site and Headquarters.
1 Verify that the power to the Tachyon VPNA is on: the green LED on the front panel is lit.
If the Power indicator is not lit, check that the power cord is securely connected to the Tachyon VPNA and to the AC power source. If the power is connected and the Power LED is not lit, follow the troubleshooting procedure in this section for Loss of Power to the Tachyon Network Server.
If the Power indicator is lit, proceed to the next step.
2 Verify Link Integrity: the Link LEDs on the Network Interface Cards (NIC) at the rear of the VPNA are lit. Both the WAN and LAN ports should be lit.
If the Link indicator is not lit, check that the cable is properly seated and make sure the device on the other end is powered up.
If the Link indicator is lit, proceed to the next step.
3 Verify the connection between your Workstation and the VPNA device
Using the Ping utility on your workstation, ping the VPNA device. If the VPNA does not respond:
1. Go to the VPNA configuration menus and check the "Status" menu for error messages.
• If you cannot reach the VPNA configuration menus either by the Ethernet address or the serial port, then reboot the VPNA manually by cycling power to the unit.
2. If the configuration looks correct and there are no error messages to act on, reboot the unit from the Shutdown menu. It will take a few minutes for the unit to reboot.
3. If you are still unable to access the VPNA unit via the Ethernet port or serial port after a power cycle, then contact your service provider for assistance.
4 Verify the connection between your Workstation and the IPSec device
Using the Ping utility on your workstation, ping the IPSec device. If the IPSec device does not respond:
1. Make sure the IPSec device is powered up.
2. Check the Link light on the VPNA again. If it is out, make sure the cables are seated properly. You may want to change cables.
3. Refer to the documentation for the IPSec device for troubleshooting ideas. Reboot the IPSec device and try again.
If you cannot ping the IPSec device you may have a faulty device.
5 Verify the CPE is up and connected to the Tachyon network.
In order to perform this step you will need direct access to the CPE, bypassing the IPSec device. If this is not possible, then skip this step. Note: when connecting directly to the CPE with a PC or workstation, use a crossover cable.
If direct access to the CPE is possible, follow the Internet Connectivity procedures in the Troubleshooting section of the CPE Handbook.
6 Verify the IPSec devices are functioning properly
Refer to the User Manual for your IPSec devices for diagnostic utilities.
7 If there is still no connectivity after verifying the above items, contact your Service Provider for technical support
The ISP providing Tachyon service will provide technical support for CPE connectivity issues.
LOSS OF WAN PERFORMANCE
1 Verify Clear Text performance
If your network allows IP packets destined for the public Internet to pass the IPSec device without encryption, then test the link on a few well known sites. Try to download a few files from our demo web server at 63.103.96.229. If performance is not close to your Tachyon service level, point your web browser to the CPE and access its Web Admin page. View the Faults page and look for any errors. If errors are found, reboot the CPE and try again. If the errors persist, contact your service provider.
TECHNICAL SPECIFICATIONS
This section provides detailed technical specifications for the Tachyon VPNA device.
This section includes:
• Specifications for the VPNA.
Tachyon AF 5000 SERIES VPNA Specifications
System Specifications
Nominal support for up to 500 VPNA-100s
Rear Panel Port Specifications
WAN Interface Ethernet, 10/100 BaseTX, RJ-45, full duplex operation
LAN Interface Ethernet, 10/100 BaseTX, RJ-45, full duplex operation
Serial Interface RS-232, 9-pin male, DCE
Ethernet Port Pinout:
RJ-45 Pin#   Signal Name   Pin Description
1            TD+           Transmit Data
2            TD-           Transmit Data
3            RD+           Receive Data
4            N/C           No connect
5            N/C           No connect
6            RD-           Receive Data
7            N/C           No connect
8            N/C           No connect
Environmental Specifications
Temperature 10 to +35 °C ambient air temperature (operating)
Warm-up ≤ 15 minutes
Humidity 5 to 95% non-condensing
Mechanical Specifications
Size 8.4 cm (h) x 42.5 cm (w) x 66.7 cm (d)
Weight 22.6 kg (50 lbs.)
Shipping Weight 24.9 kg (55 lbs.)
Power Specifications
Input Voltage Switch-selectable voltage range: 110/220 Volts
Frequency 50/60 Hz
Power 330 Watts
INDEX
Advanced Topics, 47
Aliases, 48
Bridge Mode, 19, 21, 30
Configuration
Load, 51
Save, 51
CPE, 17
IPSec, 18
WAN Router, 33
Login, 27
Main Menu, 29
MTU Configuration, 49
Password, 27
Forgotten, 27
Prefetch, 43
Local Machines, 43
Quick Start, 25
Restore Default Configuration, 29
Route Mode, 37
Safety, 8
Serial Port, 27
Setup Wizard, 29
SNMP, 48
Software Version Number, 44
Specifications
Environmental, 58
Mechanical, 58
Power, 59
Rear Panel, 57
SSL, 18
Status, 44
Tachyon Access Point, 17
Tachyon Satellite Gateway, 16
Tachyon, Inc., 15
TCP Test, 45
TCP/IP, 17
Technical Support, 6
Theory of Operation, 15
Topologies
Multiple Remote Sites with Multiple Headquarters, 22
Multiple Remote Sites with Single Headquarters, 22
Single Remote Site, 20
Version Number, 44
Warranty, 5