DumaOS causing GlobalProtect VPN (required for my work) to disconnect

[NeeWii]

Hello,

DumaOS is causing the VPN installed on my work laptop (that I require to be able to access work systems) to disconnect. It will connect for a brief period of time, up to around 30 seconds, however it will then interrupt the connection and cause the VPN to disconnect and spend a while trying to reconnect again, and the cycle will repeat.

Under the previous version of NetDuma, I had more or less the same problem - but the workaround I had in place was changing the QoS congestion control settings to "Pre-emptive" rather than "Reactive". "Reactive" mode caused similar problems for me, but "Pre-emptive" allowed the VPN to stay connected just fine (albeit with much lower maximum bandwidth speeds). However I can't see any way to configure things in a similar way on the new DumaOS.

I have tried disabling QoS altogether on DumaOS, however this doesn't appear to fix the problem. Is there a way to replicate "Pre-emptive" QoS settings (or something similar) on DumaOS? Or any other solution to the problem (e.g. put my laptop on a DMZ, but I can't see the option to do that).

For reference, setup is VM Superhub 3.0 in Modem mode --> R1 DumaOS --> Netgear Nighthawk (wifi AP) --> work laptop.

Any help would be greatly appreciated. As it stands, DumaOS is not viable for me at all as I work at home.

Thanks,

NeeWii

 

[Netduma Admin]

Very odd. If you disable QoS altogether and the issue still continues then the issue must be somewhere else (i.e. QoS is not the blocker).

Do you have IPv6 enabled? Please disable it in Network Settings for both LAN and WAN. I'm thinking that could be the cause.

Also please enable UPNP if you haven't done so already

 

[NeeWii]

Hi - thanks for the response. I can confirm that the settings already have IPv6 disabled on both LAN and WAN, and UPnP is enabled also. I think a similar recommendation was made a couple of years back when I made a post about reactive mode causing the same problem (post appears to have disappeared though) - IPv6 didn't fix the problem in the old firmware either though. Is there anything else I can try? It's definitely something in the Duma, as I get no issues connecting directly via the VM Superhub.

And if not is there a usable workaround? I was thinking worst case scenario I could have the VM Superhub in router mode but the Duma in a DMZ? Then connect my work PC via the Superhub wifi and everything else through the Duma/Nighthawk. Far from ideal given the added wifi congestion but I can't picture any other option.

Thanks in advance.

Edit - I've attached the logfile after disabling QoS again, then re-enabling for a while - just in case it's of any use.

 

 

 

log-1541025451494.txt

Edited October 31, 2018 by NeeWii
logfile added

[Netduma Fraser]

Okay thanks for this, I think its a case that we'll need to get a dev to take a look as someone else is seeing something similar.

[NeeWii]

Thanks Fraser, that would be greatly appreciated. Happy to help troubleshoot if needed.

In the meantime I've gone with my suggested workaround, with the R1 within the Superhub DMZ. For some reason in this configuration the speed I get is only around 130Mbps; using modem mode instead on the superhub gives me around 260Mbps (a 350Mbps connection but I figure the R1 is strained above 200Mbps). It's not wifi interference as disabling wifi on the superhub doesn't improve anything, only changing back to modem mode increases the bandwidth back to normal. Have you come across this before? Are there settings in the superhub that should be disabled when R1 is in its DMZ or something? I can't see anything about QoS or similar to disable in the superhub menu, I had thought something like that might be the cause.

[Netduma Fraser]

Great thanks!

The only things I can think of to do to give you the best chance of your higher speeds when in DMZ mode are:

• Disable UPnP on hub
• Disable any manual port forward rules added on hub
• Disable WiFi on hub 

If you're still not getting expected speeds it may be a limitation with DMZ mode on the hub

[NeeWii]

Thanks Fraser. It seems disabling UPnP has done the trick to get the Duma up to decent speeds while under the DMZ. The current setup is a decent workaround then until someone can look at what causes the DumaOS to block certain VPNs.

[NeeWii]

On 11/1/2018 at 1:16 PM, Netduma Fraser said:

Great thanks!

The only things I can think of to do to give you the best chance of your higher speeds when in DMZ mode are:

• Disable UPnP on hub
• Disable any manual port forward rules added on hub
• Disable WiFi on hub 

If you're still not getting expected speeds it may be a limitation with DMZ mode on the hub

Hi Fraser,

Just upgraded to milestone 1.3, have noticed a significant decrease in download speeds (given the exercise I went through per above posts, I know that the speed through the Duma was satisfactory previously - believe I was seeing around 250Mbps on a direct wired connection (of a 300Mbs connection). My maximum download speed now is only around 160Mbs.I noted user "infernomachine" commented that they'd also seen an impact on their speeds upon upgrade - see Duma Admin response at:

Connecting directly to the Virgin Media Superhub immediately after the 160Mbs Duma result, actually gave me a download speed of 370Mbps on speedtest.net (it's easy for me to jump between them and compare given the Duma is just in the DMZ of the Superhub). Nothing has been changed recently on the Superhub either.

So I'm seeing a very severe difference in speeds compared to my potential maximum, and a severe drop in speeds from 250Mbps down to 160Mbps upon upgrade to milestone 1.3.

Has this been identified as a recognised issue? It would appear not from the Netduma Admin response above, but it definitely seems like something's up.

 

NeeWii

 

[Netduma Fraser]

It's not something widespread that we've come across, since the upgrade have you checked the same settings are applied on both the R1 and hub? Possible the R1's IP changed meaning the DMZ is no longer active

[NeeWii]

Have double checked, no change to IP address, superhub also still configured correctly. Is there a way I can downgrade to previous version/milestone to make absolutely sure it’s this update that caused the problem?

[Netduma Jack]

10 hours ago, NeeWii said:

Have double checked, no change to IP address, superhub also still configured correctly. Is there a way I can downgrade to previous version/milestone to make absolutely sure it’s this update that caused the problem?

There is a way to downgrade - check out the instructions here: http://support.netduma.com/en/support/solutions/articles/16000085792-downgrading-back-to-the-original-r1-firmware-from-dumaos.

Have you tried removing the R1 from your Modem DMZ and adding it again using the WAN IP shown on the System Information page?

[NeeWii]

Hi Jack, just checking - is the above method suitable for downgrading from one version of DumaOS to another, rather than from DumaOS to original R1 firmware?

Have tried removing R1 and re-adding, but no change. Settings were the same as before, WAN IP hadn't changed for the R1 and so it was still configured correctly in the Superhub.

[Netduma Fraser]

Yes you can use those instructions for downgrading to a previous DumaOS version as well, do let us know, strange that just updating would cause a slow down. Have you tried a factory reset since updating and setting up from scratch?

[NeeWii]

Hi both. Had a play around, both versions are showing me the slow speeds so it can't have been a result of updating. I have no idea what has changed since I first set this all up, but for whatever reason the speeds must have dropped down on the Duma at some point and I only noticed after updating the firmware. Seems I'm back to square one in getting a setup with decent speeds!

I've tried re-applying the original options suggested (turning off uPnP, WifI, etc, on the Superhub) to no avail - seems the Duma just doesn't do well in the Superhub DMZ, and modem mode is still not an option for me given the Duma blocks my work VPN.

I'll try as you suggest Fraser, and do a complete factory reset - will let you know how I get on.

Thanks again.

[Netduma Fraser]

Okay well at least we can rule out the update causing the issue specifically. Keep us updated!

[NeeWii]

1 hour ago, Netduma Fraser said:

Okay well at least we can rule out the update causing the issue specifically. Keep us updated!

So I tried the factory reset, no change to the speed results on factory settings, and no change also when putting back to my previous settings.

Just finished doing some more testing, all direct ethernet cable into the Duma or Superhub respectively:

 - Speeds, whether in the Superhub's DMZ, or with the Superhub in Modem mode, are largely equivalent it seems. I'm averaging around 150Mbps in each (varying between around 130Mbps and 180Mbps in tests; no other network traffic at the same time). A little surprising to me, as I'm sure the modem mode had previously yielded better results a while back (>200Mbps).

- Again, plugging a cable directly into the Superhub yielded a far greater speed - a solid 380Mbps.

Unless there's a deficiency in both the Superhub's modem mode, and in it's DMZ feature, the above would suggest it's the R1 itself that's bottlenecking things. The key features of the R1 I use are the QoS (and good uPnP implementation for open NATs) to allow for Plex streaming from my home server, at the same time as playing games online on multiple consoles. - I'm honestly at a bit of a loss as to what to do here - while it's functional, it's a real shame to be losing out on more than half my bandwidth in getting effective QoS. Just now I'm pretty much just throwing money at Virgin Media without getting the benefit of what I'm paying for!

I really appreciate the help you've both provided, but I think at this stage it's looking like I'll have to investigate what other routers are out there with effective (if not necessarily quite as user friendly as the Duma!) QoS / uPnP abilities. If you have any further suggestions though they'd still be appreciated!

Thanks.

[Netduma Jack]

This is quite a strange case. I'm in agreement with the others above - if you disable QoS and loads of other features yet are unable to reach those speeds, this has to be some kind of limitation caused by something else. It's very possible that your speeds are lower due to the hardware being old, as routers can degrade over time. When did you get your Netduma?

If this speed issue happens no matter whether your R1 is in the DMZ or not, or despite any different modem settings, it's most likely a hardware fault.

[NeeWii]

Hi Jack,

Apologies for delay in response. I bought it 5th March 2016, so it’s a little on the older side. 

I spent more time doing speed tests on different firmware versions, with maddeningly inconsistent results.

- I was very briefly able to get full speed when reverting back to the old R1 firmware rather than DumaOS, although after a reboot the speeds went back to 160Mbps or so.

- I actually get faster speeds (but still too slow in absolute terms) out of the downstream Nighthawk R7000 wired connection, than I do from plugging directly into the R1 Duma. Makes absolutely no sense to me, given all traffic to the nighthawk has to go via the Duma.

- across R1 firmware and different milestone versions of DumaOS, I’m seeing pretty much consistent speeds of around 160Mbps (apart from the one-off attempt noted above).

Pretty stuck really, don’t know what options I have other than getting a new router. I’m wary about upgrading to a newer DumaOS device though, given the Duma software is still blocking my workVPN and WiFi calling, so likely not practical for me until those are resolved. Reluctant to move away from the brand though as it’s served me well for a few years now! I’ll be mulling things over for a while I think!

[Netduma Fraser]

That is very strange, could you just post a screenshot of every page on the router including multiple screenshots for the tabs on the settings page please so I can see if there is anything else we may be able to suggest.

[NeeWii]

Thanks Fraser. Screens below:

 

[Netduma Admin]

Ok - I think this is happening because the CPU is becoming maxed out. Just in the images I can see it reached 100%.

Could you do these steps please:

1. Only have one tab open at a single time to access the router (i.e. don't open multiple tabs)
2. Reboot the router
3. Disable QoS completely (in Anti-Bufferbloat's advanced settings)

Now try a speedtest, is it higher? If yes, re-enable QoS and try again. Does it now reduce to 160mbps again?

[bmw523xi]

I am having a similar issue with connecting the GlobalProtect VPN to my DumaOS. This was also an issue with the original R1 firmware, however, we were able to find a workaround with this when we checked off something to do with deep packet, sorry I cant remember exactly which tab that was under. My wife did not have any issues with connecting after that. I installed the new OS this past Friday and today when my wife went to sign into her VPN, she started to have problems again. She tells me she can connect to the VPN, however, she is not allowed to access any of her databases.  Is there an option in the new OS that will resolve the issue similar to the deep packet fix we found previously?

[Netduma Admin]

Hi - yes. If you to to QoS and then Anti-Bufferbloat, click on the three horizontal lines in the top left of the panel to open the Options. Then click the option to 'disable QoS'. Click 'Proceed' at the warning message. This will then disable DPI (as well as QoS of course).

See if that then resolves your problem.

[bmw523xi]

QoS is disabled and she is still having issues with connecting to Global Protect. 

[NeeWii]

Yeah I don’t think you’re going to have any luck with the current build. I’d tried just about every possible settings combination trying to get mine working and nothing did.