
Tachyon, Inc.

AF5000

Series VPNA

Handbook
About This Handbook

This document describes Tachyon, Inc. (Tachyon) AF5000 Series VPNA
software version 1.3.0.0.

The AF5000 Series consists of the AF5100 and AF5200 VPNAs.

This Handbook covers installation and configuration of the AF5000 Series
VPNA devices only. Separate manuals cover other VPNA devices.

Notices

Tachyon document 021-12539-0001 Rev. B.

Copyright © 2001, Tachyon, Inc. All rights reserved.

Tachyon, Inc. and the Tachyon logo are trademarks of Tachyon, Inc. All other
trademarks are properties of their respective owners.

The information provided in this handbook is being provided by Tachyon, Inc.
as a service to our customers. Although every effort has been made to verify
the completeness and accuracy of the information contained in this handbook,
due to the highly technical nature of the material, and the dynamic nature of
the satellite communications network, Tachyon cannot be responsible for any
errors and omissions.

CONTENTS

PREFACE

SAFETY

THEORY OF OPERATION
  TACHYON BROADBAND SATELLITE SERVICE PRIMER
  TACHYON SATELLITE GATEWAY
  SATELLITES
  TACHYON CUSTOMER PREMISE EQUIPMENT (CPE)
  TACHYON’S EXTENDED ENTERPRISE NETWORK ACCESS SERVICE
  IPSEC PRIMER
  SSL
  VPNA PRIMER
  VPNA TOPOLOGIES
  SINGLE REMOTE SITE TOPOLOGY
  MULTIPLE REMOTE SITE - SINGLE HEADQUARTERS TOPOLOGY
  MULTIPLE REMOTE SITE - MULTIPLE HEADQUARTERS TOPOLOGY
  ADDING CLEAR TEXT INTERNET ACCESS AT THE TACHYON GATEWAY
  ADDING CLEAR TEXT INTERNET ACCESS AT HEADQUARTERS
  AN ALTERNATE METHOD - ENCRYPTING AT THE TACHYON SATELLITE GATEWAY

CONNECTING AND CONFIGURING THE VPNA
  QUICK START
  CONNECT THE TACHYON VPNA
  GETTING ACCESS TO THE VPNA CONFIGURATION MENUS
    Initial access via an Ethernet Port
    Initial access via the Serial Port
  CONFIGURING THE AF5000 SERIES VPNA
  AF5000 SERIES VPNA CONFIGURATION
    Bridge Mode Configuration
    Route Mode Configuration
    Routes
    Pre-fetch Configuration
  STATUS
  LINK TEST
  TCP TEST
  SHUTDOWN
  ADVANCED TOPICS
  SERVICES
  SNMP CONFIGURATION
  INTERFACE ALIASES
  MTU CONFIGURATION
  RADIUS CONFIGURATION
  AUTO FAIL-OVER CONFIGURATION
  LOAD CONFIGURATION
  SAVE CONFIGURATION

TROUBLESHOOTING
  PING WORKS BUT TCP/IP FAILS
  LOSS OF WAN COMMUNICATION
  LOSS OF WAN PERFORMANCE

TECHNICAL SPECIFICATIONS

1 PREFACE

This VPNA Handbook provides information and instructions for
operation and use of Tachyon service and equipment.

This VPNA Handbook is intended for use by the system administrator or
IT manager responsible for maintaining the VPNA.

This section includes:

• Warranty information on the Tachyon VPNA equipment.

• Instructions and tips for getting technical support for Tachyon
services and equipment.

Warranty
The Tachyon VPNA equipment is warranted to be free from defects in material
and workmanship for a period of one (1) year for parts and ninety (90) days
for labor from the date of installation. If a product proves defective during
this warranty period, Tachyon will repair the defective product without charge
for parts or labor, or will provide a replacement for the defective product.

In order to obtain service under this warranty, the subscriber must notify
Tachyon of the defect before the expiration of the warranty period and make
suitable arrangement for the performance of service.

This warranty does not apply to any defect, failure or damage caused by
improper use or inadequate or improper maintenance and care.

The reseller is not obliged to furnish service under this warranty:

• to repair damage resulting from attempts by personnel other than
Tachyon.net-certified installation and maintenance professionals to
install, repair, or service the product.

• to repair any damage or malfunction caused by the use of non-Tachyon
supplies.

• to service a product that has been modified or integrated with other
products when the effect of such modification or integration increases
the time or difficulty of servicing the product.

VPNA Technical Support


In the event you need technical information or support for VPNA operation
beyond the scope of this Handbook, contact the Service Provider from whom
you purchase your monthly Tachyon Network Service.

If necessary, the Service Provider will contact any appropriate resources
required to support operation of your Tachyon Network Service, including
installation and maintenance professionals or Tachyon call center personnel.

VPNA Equipment Service


Under all circumstances, contact the reseller for service.

Do not attempt to service the VPNA equipment yourself, as there are no user-
serviceable parts.

Safety Tip: Opening or removing the cover on the Tachyon VPNA may
expose you to dangerous voltages or other hazards as well as void your
warranty.

Contact your Tachyon reseller to obtain service assistance from a certified
Tachyon maintenance professional.

TACHYON VPNA HANDBOOK

Notice
For the proper operation of this equipment and/or all parts thereof, the
instructions in this guide must be strictly and explicitly followed. All of the
contents of this guide must be fully read and understood prior to operating
any of the equipment or parts thereof.

Failure to completely read and fully understand and follow all of the contents
of this guide prior to operating this equipment, or parts thereof, may result in
damage to the equipment or parts, and to any persons operating the same.

Tachyon does not assume any liability arising out of the application or use of
any products, component parts, circuits, software, or firmware described
herein. Tachyon further does not convey any license under its patent,
trademark, copyright, or common-law rights nor the similar rights of others.
Tachyon further reserves the right to make any changes in any products, or
parts thereof, described herein without notice.

This equipment has been tested and found to comply with the limits for a
Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are
designed to provide reasonable protection against harmful interference when
the equipment is operated in a commercial environment.

This equipment generates, uses, and radiates radio frequency energy.

2 SAFETY

The VPNA equipment contains delicate electronics and electrical
components. Follow all safety precautions in this section when
the VPNA equipment is in operation.

Carefully read and follow all safety, use, and operating
instructions before operating the VPNA equipment. Retain these
instructions for future reference.

Carefully read and follow all safety, use, and operating
instructions for the Tachyon Customer Premise Equipment
(CPE) contained in the CPE Handbook.

This section includes:

• Safety considerations for use of the Tachyon VPNA equipment.

Safety Precautions
Use safety precautions when working at or near the Tachyon VPNA as described in
these sections.

Tachyon VPNA Safety Precautions


Follow all instructions and advisories in this section when working with the
Tachyon VPNA.

Warning: Shock Hazard

Do not open the equipment. Service is only to be performed by
Tachyon or by a Tachyon-certified maintenance professional.

The Tachyon VPNA contains no user serviceable parts. Do not
attempt to service this product yourself. Any attempt to do so
negates any and all warranties.

When operating the Tachyon VPNA, observe these precautions:

Follow the Connection procedure described in this manual
Do not plug in the Tachyon VPNA power cord until the Tachyon VPNA is
connected to a LAN or computer.

Provide a Safe Location
Place the Tachyon VPNA in a rack or on a stable surface of sufficient size
and strength, where it cannot be jarred, hit, or pushed off its surface.
Ensure that all cables and cords are out of the way and cannot be tripped
over, as this could cause personal injury or serious damage to the
Tachyon VPNA.

Avoid Water and Moisture
Do not expose the Tachyon VPNA to any liquid or moisture.


Avoid Heat, Humidity, and Dust
To avoid internal damage, the Tachyon VPNA should be placed away
from all heat sources, including radiators, heater ducts, exhausts, and
like emissions: out of direct sunlight and away from high humidity,
excessive dust, or mechanical vibrations that can cause damage to
internal parts.


Provide Adequate Ventilation
Slots and openings on the front and back of the Tachyon VPNA are
provided for ventilation that is needed to ensure reliable operation.
The Tachyon VPNA uses forced air convection that draws air in from
the front and exhausts air to the back of the unit.

To avoid overheating and ensure that the ventilation slots are not
blocked, place the Tachyon VPNA on a smooth, hard surface that has at
least two inches of clearance around the front and rear of the unit, and
adequate air circulation.

If the Tachyon VPNA is placed in a closed area, such as a bookcase or
rack, ensure that proper ventilation is provided and that the internal
rack operating temperature does not exceed the maximum rated
temperature at the position of the Tachyon VPNA.

Never place the Tachyon VPNA on a soft surface that would obstruct the
required airflow into the unit's ventilation slots.


Use the Correct Power Source
The Tachyon VPNA Input AC line voltage is switch-selectable to
operate either at 115 VAC (90 to 130 VAC range) or 230 VAC (180 to
265 VAC range) grounded power system with line frequencies from
47 to 63 Hz. The Tachyon VPNA must be connected to an earthed
main socket outlet.

To prevent damage to the Tachyon VPNA, ensure that the proper
voltage range is selected prior to application of input power.

For Tachyon VPNA units equipped with a North American power cord,
the cord has an IEC 320 female plug on one end and a NEMA 5-15P
male plug on the other end. This cord is UL and CSA approved up to
125 VAC at 10A and is ready to use with no user wiring required.

Tachyon VPNA units for International distribution are
equipped with an International cord that has an IEC 320 female on one
end, and the specific National Regulatory Agency approved male
plug on the other end. The power cord is HAR and IEC approved with
International color coded wiring.


Route Power Cords Safely
Route power cords so that they are not walked on or pinched. Pay
particular attention to cords and connections at the plugs,
receptacles (such as power strips), and the point where they exit from
the Tachyon VPNA and attach to other equipment. Do not place any
items on or against power cords.

Protect Against Lightning and Power Surges
To protect against voltage surges and built-up static charges, the
VPNA has been installed with appropriate grounding methods in
compliance with grounding standards for electrical and radio
equipment according to the electrical codes in the country of
installation. Do not remove or modify the grounding and
protection mechanism that has been installed with your Tachyon
VPNA.

To ensure continuous and undisturbed unit operation from
primary power line anomalies, use an Uninterruptible Power Source
(UPS) with your Tachyon VPNA.


Do not penetrate the Tachyon VPNA
Touching internal Tachyon VPNA parts is dangerous to both you and
the unit. Never put any object, including your fingers, through
Tachyon VPNA slots or openings, as this could result in touching
dangerous voltage points, short-circuiting parts, electric shock, or
fire. If an object falls into the Tachyon VPNA, unplug the unit and
contact your Service Provider, as serious damage could occur to the
unit.

3 THEORY OF OPERATION

The Tachyon Satellite IP Network This section includes:


provides two-way Internet Protocol
service over a high-performance • A Tachyon Broadband Satellite
satellite link. Using advanced Service primer summarizing
technology invented and patented by key features and functionality
Tachyon provides reliable, high- from the CPE Handbook.
performance Internet communications
• An IPSec primer introducing
everywhere within the Tachyon
key subjects
satellite footprint.

The Tachyon VPNA allows deployment • An overview of the most


of IPSec security with Tachyon's common network topologies
network.

TACHYON BROADBAND SATELLITE SERVICE PRIMER


Tachyon’s broadband satellite service is a two-way IP carrier service providing high-
speed links via satellite to subscribers.

A direct and dedicated digital link between each subscriber network and the Internet
backbone network is made possible using standard IP interfaces and protocols,
ensuring end-to-end transparency and compatibility.

Figure 3-1 shows an overview of the Tachyon network components. Each regional
satellite network includes a hub site called the Tachyon Satellite Gateway and many
subscriber sites using Tachyon Customer Premise Equipment (CPE).

Figure 3-1 Tachyon, Inc. - The Network

TACHYON SATELLITE GATEWAY

The Gateway connects to backbone networks, providing a high-speed bridge
between subscriber CPEs and the Internet, Intranets, and/or Extranets. The
Gateway includes a large satellite antenna.

SATELLITES

Tachyon utilizes geostationary satellites. Geostationary satellites are
positioned over the equator at an altitude of about 22,000 miles, such that
they appear to be stationary in the sky. The CPE and Gateway antennas
remain pointed at one satellite at all times.

TACHYON CUSTOMER PREMISE EQUIPMENT (CPE)

The CPE is the terminal that connects to a subscriber network and routes IP
traffic via the satellite link to the Gateway and the terrestrial network. The
CPE consists of a Tachyon Network Server, an Outdoor Unit (ODU) including a
small satellite antenna with a radio, and a coaxial cable assembly that
connects the Tachyon Network Server with the ODU.


TACHYON’S EXTENDED ENTERPRISE NETWORK ACCESS SERVICE

Data traverses the high-speed satellite link in both directions, providing two-
way high-performance communications for each user on each subscriber LAN.

Tachyon has developed many innovative technologies to make high-speed
communications over satellite a reality. Among these patented innovations is
the ability to carry TCP/IP traffic at full speed. Tachyon optimizes the TCP/IP
protocol to achieve full performance when transmitted over satellite. The
following diagram briefly describes the protocol flow.

[Figure: The Tachyon Proxy Server Technology Logical Implementation.]

IPSEC PRIMER
For many years encryption technologies have been evolving. Until recently,
encryption was supported for private networks using proprietary algorithms and
single-vendor solutions. With the rapid growth of the Internet, it was imperative for
the security industry to develop a standard for encrypting packets for transfer over
the public network, providing general interoperability. IPSec has become the de
facto standard for encrypting traffic on the Internet and has also become the
standard for encryption in private networks, including most federal and many
military networks.


IPSec currently has two basic modes: transport and tunnel. For the purposes of this
primer the differences are not important. The important point to know is that IPSec
in either mode encapsulates IP packets into a new IP packet. The contents of the
original IP packet are encrypted and no longer visible to the outside until they pass
the decryption process at the destination.

The Tachyon Gateway and Tachyon Customer Premise Equipment cannot accelerate
TCP/IP traffic after the traffic has been encrypted with IPSec because the TCP
header is also encrypted. Encrypted packets are still passed as IP packets, but
TCP acceleration is not applied to them, so performance is reduced.

By placing VPN Accelerators into the network just before the IPSec encryption
devices, TCP/IP traffic reaches the VPNA in the clear and is accelerated, restoring
TCP/IP performance.

SSL

A quick word about SSL. SSL, or Secure Sockets Layer, is a very popular encryption
method used with IP applications. Because SSL performs its encryption on the data
payload prior to passing the packet on to the transport layer (TCP), SSL does not
interfere with Tachyon’s TCP/IP acceleration. However, when using HTTPS, all HTML
data is encrypted before the HTTP proxy can perform pre-fetch, so web sites using
HTTPS (and thus SSL) load slower than regular HTTP sites. The VPNA cannot mitigate
this slowdown.
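
The IPSec and SSL passages above both come down to which headers a device on the path can still read. The following Python sketch is an added example, not part of the Tachyon handbook or the VPNA software: it builds three constructed packets (clear HTTP, HTTPS, and ESP-encapsulated IPSec) and reports whether the TCP header and the HTML payload are visible. The addresses, ports, SPI, the random bytes standing in for ciphertext, and the prefix-based HTTP/TLS detection are assumptions made for illustration.

```python
"""What can a device on the path read from each kind of packet?"""
import ipaddress
import os
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50                      # IPSec Encapsulating Security Payload
TLS_RECORD_TYPES = {20, 21, 22, 23}   # SSL/TLS record content types
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")


def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def tcp(sport, dport, seq, payload):
    """Minimal 20-byte TCP header (PSH|ACK, checksum left at 0) + payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                       65535, 0, 0) + payload


def esp(spi, seq, inner_packet):
    """ESP framing: SPI, sequence number, then ciphertext.

    Random bytes stand in for the encrypted inner packet (constructed
    stand-in; no real IPSec encryption is performed here).
    """
    return struct.pack("!II", spi, seq) + os.urandom(len(inner_packet) + 16)


def visible_fields(packet):
    """Report which optimisations still have the fields they depend on."""
    result = {"protocol": None, "tcp_header": None,
              "tcp_acceleration": False, "http_prefetch": False,
              "tls_record": False}
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return result                          # not a complete IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return result
    result["protocol"] = packet[9]
    segment = packet[ihl:]
    if result["protocol"] != IPPROTO_TCP or len(segment) < 20:
        return result      # e.g. ESP: any TCP header is inside the ciphertext
    sport, dport, seq, _ack, offset = struct.unpack("!HHIIB", segment[:13])
    data_offset = (offset >> 4) * 4
    if data_offset < 20 or len(segment) < data_offset:
        return result
    window = struct.unpack("!H", segment[14:16])[0]
    result["tcp_header"] = {"sport": sport, "dport": dport,
                            "seq": seq, "window": window}
    result["tcp_acceleration"] = True          # ports, seq and window readable
    data = segment[data_offset:]
    result["tls_record"] = (len(data) >= 3 and data[0] in TLS_RECORD_TYPES
                            and data[1] == 3 and data[2] <= 4)
    # Pre-fetch needs readable HTML; an SSL/TLS record hides it.
    result["http_prefetch"] = data.startswith(HTTP_PREFIXES)
    return result


def sample_packets():
    """Three constructed packets: clear HTTP, HTTPS, and IPSec (ESP)."""
    html = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<a href='/next.html'>next</a>")
    tls = b"\x17\x03\x03" + struct.pack("!H", len(html)) + os.urandom(len(html))
    clear = ipv4(IPPROTO_TCP, "10.2.0.5", "10.1.0.20", tcp(80, 40000, 1000, html))
    https = ipv4(IPPROTO_TCP, "10.2.0.5", "10.1.0.20", tcp(443, 40001, 2000, tls))
    ipsec = ipv4(IPPROTO_ESP, "192.0.2.1", "198.51.100.1", esp(0x1001, 1, clear))
    return {"http": clear, "https": https, "ipsec": ipsec}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        r = visible_fields(pkt)
        print(f"{name:6} proto={r['protocol']:<3} "
              f"tcp_acceleration={r['tcp_acceleration']} "
              f"http_prefetch={r['http_prefetch']}")
```

The same clear HTTP packet that is fully visible on the LAN side becomes an opaque protocol-50 payload once the IPSec device has wrapped it, which is why the VPNA has to sit in front of that device.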

VPNA PRIMER
In order to allow customers to use IPSec and still retain the benefits of Tachyon's
technology, we developed the VPNA (short for VPN Accelerator). The VPNA performs
Tachyon's TCP acceleration prior to the IPSec encryption/encapsulation process.
High performance is maintained and user data is fully secured via IPSec encryption.

The VPNA is a simple appliance to connect to your network. You simply insert the
VPNA between your LAN and your IPSec device. The following diagrams depict a
network before and after installation of a VPNA.

[Figure: Site before Installing the VPNA. Labelled components: WAN, CPE, WAN Router / IPSec Device, LAN.]

[Figure: Site after Installing VPNA. Labelled components: WAN, CPE, WAN Router / IPSec Device, Tachyon VPNA, LAN.]

The VPNA comes with two 10/100 BaseTX Ethernet interfaces providing quick
compatibility with most networks.

The VPNA has two basic modes of operation to support most LAN configurations:
Bridge Mode and Routed Mode. In Bridge Mode the VPNA gets a single IP address on
the sub-network and bridges traffic between its two interfaces both on the same
sub-network. In Routed Mode, the WAN and LAN sides of the VPNA get different IP
addresses corresponding to two separate sub-networks and the VPNA routes
packets between the two networks.

The VPNA supports IP aliases on its interfaces to provide additional flexibility in
supporting your network architectures.

Bridge and Route modes are described in further detail in the Configuration Section.

VPNA TOPOLOGIES
For networks using IPSec, a VPNA is required at each site where there is an IPSec
device. In general, the routing aspects of the VPNA are similar to those of the IPSec
devices.

The VPNA-100 is designed for placement at remote sites with a CPE, and the AF5000
Series VPNA is designed for the Headquarters sites. This document applies only to
the AF5000 Series VPNA.

In this handbook we describe these basic topologies:

• Single Remote Site

• Multiple Remote Sites with a Single Headquarters

• Multiple Remote Sites with Multiple Headquarters

• Adding clear text access to the Internet at the Gateway

• Adding clear text access to the Internet at Headquarters

• An alternate method - Encrypting at the Tachyon Satellite Gateway


In this section we present the concepts associated with the basic topologies. In the
next section we walk through example networks and provide worksheets for each of
the different topologies to simplify organizing IP addresses and routes.

SINGLE REMOTE SITE TOPOLOGY

Most networks involve more than one site, so this topology is provided primarily to
introduce the basic principles, although every network must bring its first site
online.

The following diagram identifies the key network components and how they are
interconnected:

[Figure: Single Remote Site Configuration. Labelled components: Remote Site (Clients, LAN, Tachyon VPNA 100, IPSec, CPE); Satellite (WAN); Tachyon Gateway; Internet; Headquarters (WAN Router, IPSec, Tachyon VPNA 5000, LAN, Server, Clients).]

The CPE-side VPNA can be configured in Bridge Mode or Routed Mode depending
upon the desired LAN topology. As mentioned earlier one advantage of Bridge mode
is ease of configuration.

NOTE: If Routed Mode is implemented on the CPE-side VPNA and Network Address
Translation (NAT) is not being used, then the Tachyon Network Operations Center
(NOC) must be notified of the additional sub-network so they can make the
appropriate entries to allow the CPE to route to the sub-network behind the VPNA.
You will need to provide the NOC with the IP address of the VPNA as it is the default
gateway to reach the internal sub-network.


At the Headquarters side the VPNA can also be configured in Bridge or Routed Mode.
Again, the selection of Bridge Mode in this case is preferred to simplify network
reconfiguration.

In this scenario all traffic from the remote site is destined for Headquarters. The
CPE-side VPNA is configured with a route to the VPNA at headquarters and similarly
the VPNA at Headquarters is configured with a route to the VPNA at the remote site.

MULTIPLE REMOTE SITE - SINGLE HEADQUARTERS TOPOLOGY

This topology is just an extension of the Single Site case. Each remote site VPNA
has a route to the Headquarters VPNA and the Headquarters VPNA has a route entry
for each of the VPNAs at the remote sites. Communication between remote sites
requires packets to go through Headquarters.

[Figure: Multiple Remote Sites with a Single Headquarters. Labelled components: Remote Site 1, Remote Site 2 and Remote Site N (each with Clients, LAN, Tachyon VPNA, IPSec, CPE); Satellite (WAN); Tachyon Gateway; Internet; Headquarters (WAN Router, IPSec, Tachyon VPNA 5000, LAN, Server, Clients).]

MULTIPLE REMOTE SITE - MULTIPLE HEADQUARTERS TOPOLOGY

Many corporations or extranets require that remote sites be able to communicate
with a number of Headquarters locations. For example a remote bank may have to
exchange certain data with Corporate Headquarters as well as with regional banks.
In these cases the IPSec equipment may be configured to allow direct
communication between the remote sites and the corporate or regional sites. The
VPNA can be configured to support this topology.


Each CPE-side VPNA gets a route for each of the Headquarters sites. Similarly, each
Headquarters VPNA has a route for each remote VPNA it needs to communicate
with.

The following diagram depicts the topology:

[Figure: Multiple Sites with Multiple Headquarters. Labelled components: Remote Site 1, Remote Site 2 and Remote Site N (each with Clients, LAN, Tachyon VPNA, IPSec, CPE); Satellite (WAN); Tachyon Gateway; Internet; Headquarters 1 and Headquarters N (each with WAN Router, IPSec, Tachyon VPNA 5000, LAN, Server, Clients).]

ADDING CLEAR TEXT INTERNET ACCESS AT THE TACHYON GATEWAY

The previous examples described completely private networks with only encrypted
packets transiting the Internet. It may be desirable to offer clients at the remote
sites access to the general Internet unencrypted.

One method to accomplish this is to configure Internet browsers on the CPE-side
LAN to use the CPE as their default gateway and configure the IPSec devices to
allow packets destined to the general Internet to pass through the IPSec device
unencrypted.

If remote sites access a web-enabled application that is hosted at Headquarters they
will need to change their proxy settings to switch between accessing the Internet
and Headquarters.


ADDING CLEAR TEXT INTERNET ACCESS AT HEADQUARTERS

Some corporations may want to provide general Internet access to remote sites but
prefer to have all traffic transit Headquarters where packets can be filtered and
inspected.

In this configuration packets are encrypted between the remote site and
Headquarters creating a VPN tunnel. At Headquarters packets are routed to/from
the general Internet. Because the routing happens outside the Tachyon network
there are no configuration changes to the VPNA.

AN ALTERNATE METHOD - ENCRYPTING AT THE TACHYON SATELLITE GATEWAY

Many networks require a high level of security to keep their data completely private.
For these networks, end-to-end encryption is the only solution. Some networks,
however, transfer data that is sensitive but may not warrant the additional expense
of a full IPSec solution.

CIO or IT managers putting together a network should consider a topology where an
IPSec tunnel over the public Internet is set up between the Tachyon Gateway and
the corporate Headquarters. This architecture does not require an IPSec device at
each site. This significantly lessens the cost of ownership, as these devices do not
need to be procured or managed. In this configuration VPNA devices are also not
required.

Consideration for this architecture requires a careful review of security
requirements. Packets will transit the satellite link without IPSec encryption.
Tachyon's combination of network partitioning along with unique modulation and
error correction schemes makes it difficult to intercept a transmission. However,
malicious interception is indeed possible with some effort.


4 CONNECTING AND CONFIGURING THE VPNA

This document assumes you already have a working Tachyon
network and are adding the VPNA to integrate IPSec technology into
the network.

This section includes:

• A quick start section to get you into the configuration pages.

• Instructions on configuring the VPNA for different network
topologies.

QUICK START

The experienced network professional may find that the VPNA configuration menus
provide enough context -sensitive help that they can proceed through the menus and
configure their network. However, we strongly suggest a quick read of this section
and the Theory of Operation section in order to fully understand the features and
benefits of the VPNA to provide optimum performance.

When configuring the VPNA it is important to remember that TCP acceleration is
separate from IP delivery. Therefore the VPNA must first be configured correctly for
delivery of IP traffic; only then can TCP acceleration be configured. If the CPE-side
VPNA cannot find a route to deliver IP traffic to the Headquarters-side VPNA then
TCP acceleration will also fail. However, if IP traffic is correctly delivered from the
CPE-side VPNA to the Headquarters-side VPNA (e.g. ping works), any problems can
now be isolated to the TCP configuration.

A common symptom for this kind of configuration problem is that pinging between
sites works yet connecting with ftp fails. If this occurs, review your TSP acceleration
routes and make sure that the CPE-side is correctly configured to point at the
Headquarters-side and vice versa. Use the "TCP Test" tool to diagnose TCP
problems. See the troubleshooting section for more causes and solutions.


CONNECT THE TACHYON VPNA:

The VPNA goes just in front of your IPSec device on the LAN side. Assuming you
have a working network, to add a VPNA device you simply disconnect the Ethernet
cable from the LAN-side of your IPSec device and connect it to the LAN-side port on
the VPNA. You then connect a cable from the WAN-side port on the VPNA to the now
open port on the IPSec device.

The VPNA has 10/100BaseTX interfaces. Normally the Ethernet cables to/from the
VPNA will be straight-through cables.

For optimum performance the IPSec device and LAN should support 100 Mbps
transfers and full duplex operation.

Safety Tip: A cable is provided with the VPNA to interconnect it to your IPSec
device. If you choose not to use this cable make sure to select a good quality,
shielded (recommended) CAT-5 category LAN cable for interconnecting the
Tachyon VPNA.

The following diagram depicts a typical installation:

[Figure: Site before Installing the VPNA. Labels: WAN, CPE, WAN Router / IPSec Device, LAN]

[Figure: Site after Installing VPNA. Labels: WAN, CPE, WAN Router / IPSec Device, Tachyon VPNA, LAN]

GETTING ACCESS TO THE VPNA CONFIGURATION MENUS

Once you have connected the VPNA to the local network you are ready to
configure it.


The VPNA has two control interfaces: a serial interface and its Ethernet
interfaces. Using these control interfaces is described in more detail below.

When accessing the VPNA you will need to log in. Use the following factory
default username and password:

Login: admin
Password: vpna

Once you access the VPNA menus you can change the password.

NOTE: Remember your password. If you forget your password you can
only access the VPNA by connecting to the serial port and logging in as admin
with a password of eraseconfig. Using this login will reset the VPNA to its
factory default values and all configuration information previously
entered will be lost.

INITIAL ACCESS VIA AN ETHERNET PORT


The VPNA ships from the factory with the default address of 192.168.1.1 with a
netmask of 255.255.255.0. You can gain initial access to the configuration menus
by connecting a PC or workstation to the LAN port that is configured for this
subnetwork. Once you have connected the PC or Workstation with the proper IP
configuration, simply point your browser to the IP address of the VPNA
(192.168.1.1). You should see the prompt "Login:". If you do not, then make sure
you can ping the VPNA from your PC or workstation. You may need to restart your
computer if you changed IP addresses. You also need to make sure the VPNA is
powered on. Once you have set the initial IP parameters of the VPNA you can
reconnect it to your network and access it from any client on the LAN (depending on
firewalls and other security).

INITIAL ACCESS VIA THE SERIAL PORT


You can also configure the VPNA via the serial port. To do this you need a terminal
emulation program running on your PC or Workstation and have it configured for
9600-N-8-1 (that is 9600 baud, no parity bits, eight bits per character, and 1 stop
bit). If you have an option, select VT-100 emulation. The VPNA is supplied with a
serial cable that should work with most PCs and laptops.

Once you get your terminal emulation program configured and the serial cable
hooked up to the VPNA hit "Enter" a couple of times. You should see the prompt
"Login:". If you do not, then the terminal emulation program is not configured
properly, you are on the wrong serial port on your PC/workstation, or the cable is
not appropriate for your PC/Workstation. You also need to make sure the VPNA is
powered on.


There are two logins for the serial interface. The first login enters the graphical user
interface and the second login is the actual VPNA login. The login ID and password
are the same for both. Once you have logged on to the VPNA using the serial
interface, you will be connected to the VPNA’s web interface using a character based
web browser. The most convenient way to proceed with the configuration is to
navigate (using the instructions provided at the bottom of your screen) to the Basic
Configuration link, change the VPNA’s LAN IP Address to an address compatible with
your network, and proceed with the configuration from a client based web browser
as described in CONFIGURING THE AF5000 Series VPNA.

CONFIGURING THE AF5000 SERIES VPNA


The configuration of the VPNA depends on your network topology. Please read the
Theory of Operation section to become familiar with the various network topologies.

The recommended method for accessing the VPNA menus is using a web browser on
a LAN client. The menus are also available via the serial port. These menus are very
similar to the web-based menus. Only the web-based menus are described in this
document.

Refer to the previous section to get to the point where you are at the Main Menu.

The Main Menu of the VPNA is the starting place to enter, view and modify all VPNA
parameters. You can return to the Main Menu by clicking the top link labeled
"Tachyon VPNA". If you are accessing the VPNA from the terminal interface you can
access the Main Menu by pressing the M or H keys. A handy link to Tachyon's web
site is just below. The following figure shows the Main Menu.


Use the Setup Wizard to walk through configuration items for a new device.

If you are changing a device between Bridge Mode and Route Mode you will need to
run the Setup Wizard again.

If you are changing IP addresses on a VPNA device you can edit the parameters
under the Basic Configuration link.

NOTE: If you are using a device that was previously configured and want to start
from the default values you must access the login prompt via the serial port and
login as 'admin' with a password of 'eraseconfig'.

AF5000 SERIES VPNA CONFIGURATION


Select the Setup Wizard from the Main Menu.

You will see the following screen:


Select "Bridge" or "Route" and then press the "Next =>" button.

BRIDGE MODE CONFIGURATION


Selecting Bridge Mode will bring up the next Setup Wizard Menu:


Clicking on “example configuration” will display the following:


In the Basic Configuration menu, enter a Hostname if you wish to identify this VPNA
in SNMP messages and HTTP error messages.

NOTE: You cannot use underscores or spaces in the Hostname.

Enter the LAN IP Address you have reserved for the VPNA and the corresponding
LAN Netmask. Press the "Next =>" button.


NOTE: You have the option of entering the netmask in the form /n where n
designates a netmask with the first n bits set to 1. For example 255.255.255.0 is
the same as /24.

You will now see the following menu:

Enter the IP address of the WAN Router. This will typically be the IPSec device and
the device that the machines on the LAN use as their Default Gateway. With this
entry you are instructing the VPNA to use this device as its Default Gateway.


If you know the Ethernet address of the WAN Router you can enter it. Ethernet
addresses consist of six octets separated by colons; for example
00:0a:b4:e0:01:02. Enter the colons. If you are unsure of the Ethernet address
leave the entry blank and the VPNA will auto-discover it. The VPNA will check for
the Ethernet address once every minute.

NOTE: If you change the WAN Router in the future, you will need to update these
entries and reboot the VPNA. Again, make sure the WAN Router (IPSec device) is
powered on before you reboot the VPNA if you want the VPNA to auto-discover the
Ethernet address. The auto-discover mechanism will retry the WAN Router once
every minute.

Press the "Next =>" button to advance to the Prefetch Configuration menu.


You may add multiple DNS servers for the AF5000 Series VPNA. The DNS servers
will be searched in the order in which you add them.

Press the "Next =>" button to advance to the Configuration Review menu.

Review the entries. Use the "<= Back" button to go back and correct any entries.
When the entries are correct press the "Reboot =>" button. Changes will then be
committed and the VPNA will reboot. Your browser will display the following page:


This page will update to show the current status of the VPNA, unless you have given
the VPNA a new IP address. In the case the VPNA has been assigned a new IP
address this page will continually show the “Rebooting” state because the browser
cannot connect to the VPNA.

If you have given the VPNA a new IP address, you may also have to reconfigure the
networking on your local machine to be on the same network as the VPNA. After
making any necessary networking changes on your local machine, you will have to
browse to the new IP address of the VPNA.

Your VPNA is now configured in “Bridge Mode”.

Before the AF5000 Series VPNA will accelerate TCP traffic, IP and TSP routes need to
be added. See the discussion of routes following the section on “Route Mode
Configuration”.


ROUTE MODE CONFIGURATION


Selecting Route Mode will bring up the next Setup Wizard Menu:

Enter a Hostname if you wish to identify this VPNA in SNMP messages and HTTP
error messages.

NOTE: You cannot use underscores or spaces in the Hostname.

Enter the LAN IP Address you have reserved for the VPNA and the corresponding
LAN Netmask. Enter the WAN IP Address you have reserved for the VPNA and the
corresponding WAN Netmask.

Press the "Next =>" button to advance to the Prefetch Configuration menu.


You may add multiple DNS servers for the AF5000 Series VPNA. The DNS servers
will be searched in the order in which you add them.

Press the "Next =>" button to advance to the Configuration Review menu.


Review the entries. Use the "<= Back" button to go back and correct any entries.
When the entries are correct press the "Reboot =>" button. Changes will then be
committed and the VPNA will reboot. Your browser will display the following page:


This page will update to show the current status of the VPNA, unless you have given
the VPNA a new IP address. In the case the VPNA has been assigned a new IP
address this page will continually show the “Rebooting” state because the browser
cannot connect to the VPNA.

If you have given the VPNA a new IP address, you may also have to reconfigure the
networking on your local machine to be on the same network as the VPNA. After
making any necessary networking changes on your local machine, you will have to
browse to the new IP address of the VPNA.

Your VPNA is now configured in “Route Mode”.

Before the AF5000 Series VPNA will accelerate TCP traffic, IP and TSP routes need to
be added. See the following discussion of routes.

ROUTES
Select the "Routes" link from the Main Menu.


IP routes are needed for both “Route Mode” and “Bridge Mode.” In “Bridge Mode”
the VPNA only needs IP routes to accelerate TCP traffic; non-TCP traffic is simply
bridged from one interface to the other.

In a typical deployment, you will add the default IP route to the gateway router on
the LAN Network (e.g. destination 0.0.0.0, netmask 0.0.0.0, and gateway
172.30.2.101). However, your network may vary. Press the "Add" button when you
have made the entries.

Next, you will enter two routes for each VPNA-100 that is to be connected to this
AF5000 Series VPNA. The first route is a general IP Route for all traffic. The
second route is a TSP Route used for TCP acceleration. The following picture shows
the Routes configuration page with the required routes for a single VPNA-100. Note
that the routes that do not have “Delete” buttons next to them are routes resulting
from the AF5000 Series VPNA’s network interfaces.

For the IP Route enter the Destination network address (e.g. 172.20.2.0) and the
corresponding Netmask (for this example it would be 255.255.255.0) and the IP
address of the local IPSec device (e.g. 172.30.2.1, or the next hop router for the
destination network). Press the "Add" button when you have made the entries.

For the TSP Route enter the Destination address (172.20.2.0) and the
corresponding Netmask (for this example it would be 255.255.255.0) and the IP
address of the VPNA-100 at the remote site. Select "Remote" since this route is for
a 'remote' network. Press the "Add" button when you have made the entries.

For each new TSP Gateway that is added, an entry is created in the “Rate To TSP
Gateway” table. The default is the maximum rate of 2.045 Mbps. However, if the
actual link is slower than this rate, then tuning the AF5000 Series VPNA to the
actual rate will yield better link utilization.

Repeat the above steps for each remote VPNA-100 site you want to have
connectivity to this Headquarters site.

If you need to target any device that is between an AF5000 Series VPNA and a VPNA-
100 (the IPSec router for example), you must create a non-accelerated TSP route to
the device by specifying a TSP Mode of “none.” For example, to access the IPSec at
172.20.2.1 from the VPNA at 172.30.2.2 you must enter the following TSP Route:
destination 172.20.2.1, netmask 255.255.255.255, TSP Gateway 0.0.0.0, TSP Mode
“none.”

If you have a default “remote” TSP route, you will need to specify “local” TSP routes
for each subnetwork that is not to be accelerated. Additionally, you will need to
specify “local” for any subnets that are not to be accelerated within a “remote”
network.


Specifically, a TSP Mode of “local” means, “do not accelerate if the destination IP
address matches the TSP route destination.” A TSP Mode of “none” means, “do not
accelerate if the source or destination IP address matches the TSP route
destination.”

Press the “Done” button when you are finished adding routes.
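
The TSP Mode rules above, and the requirement that the CPE side and the Headquarters side point at each other, can be modelled as follows. This Python model is an added example, not Tachyon's code: it assumes a "none" match takes precedence and that the most specific destination match otherwise wins (the handbook does not state the lookup order). The host addresses 172.30.2.50 and 172.20.2.10, the VPNA-100 address 172.20.2.2 and the CPE-side route table are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TspRoute:
    destination: str
    netmask: str
    gateway: str
    mode: str  # "remote", "local" or "none", as selected on the Routes page

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}")


def tsp_decision(routes, src, dst):
    """Return (accelerated, tsp_gateway, reason) for one TCP flow."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # "none": do not accelerate if the source OR the destination matches.
    # Assumption: a "none" match takes precedence over every other route.
    for r in routes:
        if r.mode == "none" and (src_ip in r.network or dst_ip in r.network):
            return (False, None, f"none route {r.network}")

    # "remote" and "local" look at the destination only.
    # Assumption: the most specific matching route wins.
    hits = [r for r in routes
            if r.mode in ("remote", "local") and dst_ip in r.network]
    if not hits:
        return (False, None, "no TSP route")
    best = max(hits, key=lambda r: r.network.prefixlen)
    if best.mode == "local":
        return (False, None, f"local route {best.network}")
    return (True, best.gateway, f"remote route {best.network}")


def check_pair(cpe_routes, cpe_vpna, hq_routes, hq_vpna, cpe_host, hq_host):
    """List the reasons a TCP flow between two hosts would not be accelerated
    symmetrically (the 'ping works, ftp fails' symptom)."""
    problems = []
    ok, gw, why = tsp_decision(cpe_routes, cpe_host, hq_host)
    if not ok or gw != hq_vpna:
        problems.append(f"CPE side {cpe_host} -> {hq_host}: {why}, gateway {gw}")
    ok, gw, why = tsp_decision(hq_routes, hq_host, cpe_host)
    if not ok or gw != cpe_vpna:
        problems.append(f"HQ side {hq_host} -> {cpe_host}: {why}, gateway {gw}")
    return problems


# Headquarters-side table, using the handbook's example addresses.
# 172.20.2.2 as the remote VPNA-100 is an assumption.
HQ_ROUTES = [
    TspRoute("172.20.2.0", "255.255.255.0", "172.20.2.2", "remote"),
    TspRoute("172.20.2.1", "255.255.255.255", "0.0.0.0", "none"),
]

# CPE-side table (constructed): default "remote" route to the Headquarters
# VPNA plus a "local" exception for the site's own subnet.
CPE_ROUTES = [
    TspRoute("0.0.0.0", "0.0.0.0", "172.30.2.2", "remote"),
    TspRoute("172.20.2.0", "255.255.255.0", "0.0.0.0", "local"),
]

if __name__ == "__main__":
    flows = [("172.30.2.50", "172.20.2.10"),   # LAN client to remote host
             ("172.30.2.2", "172.20.2.1"),     # VPNA to remote IPSec device
             ("172.30.2.50", "10.1.1.1")]      # no TSP route at all
    for src, dst in flows:
        print(src, "->", dst, tsp_decision(HQ_ROUTES, src, dst))
    print(check_pair(CPE_ROUTES, "172.20.2.2", HQ_ROUTES, "172.30.2.2",
                     "172.20.2.10", "172.30.2.50"))
```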

PRE-FETCH CONFIGURATION


If you are adding VPNAs to an existing Tachyon connection you are already familiar
with the benefits of our patented pre-fetch technology. By configuring your web
browsers to use the VPNA as your web proxy you will retain your improved
performance for HTTP-based applications.

On each client machine configure the web browser (most likely Internet Explorer or
Netscape) to use the VPNA-100 as its web proxy. Enter the IP address of the VPNA-
100 and the port number of 3128. The CPE Handbook has example screens that
describe how to modify the proxy settings for Internet Explorer and Netscape.

NOTE: If you want to access any local machines with web interfaces (such as the
VPNA or the IPSec device) from a specific client then make sure to configure that
client to exclude local addresses from using the proxy.

The AF5000 Series VPNA is the default HTTP Proxy Parent for VPNA-100 Prefetching
HTTP Proxies. Therefore, the AF5000 Series VPNA needs to resolve URLs via one or
more Domain Name System (DNS) servers. Configure the DNS server search from
the Prefetch Configuration Menu. The DNS servers will be searched in the order in
which you add them.


STATUS

This menu provides current status on the VPNA-100 including the Version number of
the software.

LINK TEST

Follow these steps to verify your VPNA has been set up correctly. Do not proceed to
the next step if the current test is not successful. This test assumes you have a
client VPNA-100, which is being brought online with the AF5000 Series VPNA.


1. Ping the VPNA-100 and AF5000 Series VPNA from a client on your LAN. This
should succeed if you have been using the LAN Ethernet port to configure the
VPNA. If the ping does not work check that the LAN and WAN Ethernet ports are
cabled up correctly and the interface's link lights are on. Verify the IP address
and Netmask are correct on both the client and VPNA.

2. From the same client on the LAN, ping the WAN Router (IPSec device) on the
other side of the VPNA. This will test the VPNA's local routes. If this fails check
the Routes page on the VPNA and make sure there is an entry for the local
network(s). If pings from the client fail try a ping of the WAN Router from the
VPNA. There is a link to the Ping Menu from the VPNA's Main Menu. If this fails
reboot the VPNA and the WAN Router. It is possible that the ARP cache on these
machines is incorrect.

3. From a client on the LAN that has access permission to a remote network behind
a VPNA-100, do a ping of the VPNA-100 at a remote site. If the VPNA-100 at the
remote site is in Route Mode, Ping the WAN interface. If this fails make sure the
Headquarters’ VPNA has a route to the remote site. Also make sure your IPSec
equipment is configured correctly. Since the IPSec equipment sits 'inside' the
VPNAs, connectivity between IPSec devices on the WAN is not affected by the
VPNAs.

4. From this client Ping a machine on the remote network. If this fails it is possible
that the VPNA-100 needs to be updated with the route information to reach the
remote subnet.

TCP TEST

When commissioning a new AF5000 Series VPNA it is suggested TCP acceleration be
verified. The TCP Test conducts a TCP connection test directly between the AF5000
Series VPNA and the designated VPNA-100. This simplified test can help isolate
IPSec, IP Route, and TSP Route problems.

Before performing the TCP Test use the Ping utility to verify basic IP connectivity
between the AF5000 Series VPNA and the VPNA-100.

Once you have verified basic IP connectivity using Ping, go to the TCP Test menu.

The only entry in the TCP Test menu is the IP address of the VPNA-100 with which
you wish to test TCP acceleration.


The following figure shows the TCP Test menu screen:

If the test fails, verify both machines have TCP acceleration enabled. You can find
the TCP acceleration menu in the Services Menu, which is accessed from the
Advanced Functions menu. If you find one or both of the machines have TCP
acceleration disabled, enable TCP acceleration and retry the tests beginning with the
Ping.

If the test still fails, review your exact steps and make sure the IP address you are
using for the Ping and for the TCP Test are the same and are the IP address of the
AF5000 Series VPNA.

If the test still fails contact your service provider.

SHUTDOWN
Use this menu to reboot or halt the VPNA before powering down.


ADVANCED TOPICS
The VPNA has several menus that you probably will not need to access for normal
operation. To lessen security concerns, Telnet and SNMP are not permitted in the
default configuration of the VPNA. If you have relocated a VPNA from another site
be sure to review these menus to make sure the state of these protocols meets your
security guidelines.

The menus for these features are located under the Advanced Functions link in the
Main Menu. If you select Advanced Functions you will see the following menu.

SERVICES

By disabling certain types of access to the AF5000 Series VPNA, you can increase
the security of your network. From this screen you can enable or disable telnet and
http access. You can also disable or enable TSP acceleration.

If you disable both telnet and http access, the only way to access your AF5000
Series VPNA is by connecting to the serial port at the back of the AF5000 Series
VPNA.


Generally, you will only need to disable TSP acceleration to aid in debugging the
network. Your remote VPNA-100 and the corporate AF5000 Series VPNA must either
both have TSP acceleration enabled or both have it disabled to pass traffic. Note
that an alternate way of disabling TSP acceleration on the AF5000 Series VPNA is to
change the TSP Route type from remote to none.

SNMP CONFIGURATION

From the SNMP menu you can enable LAN and/or WAN SNMP access, as well as add
community strings.


INTERFACE ALIASES

Aliases provide additional integration and management flexibility. An alias adds an
IP address to the VPNA's physical Ethernet port (LAN or WAN). IP addresses
configured before adding an alias remain functional.

MTU CONFIGURATION

Some IPSec devices expand the size of TCP packets. If this is done and the VPNA
MTU size is not large enough to fit the encrypted packet then the packet is
fragmented. In some cases these fragmented packets will be rejected when
received at the other end.

Setting the MTU size should be done carefully and with full knowledge of the IPSec
equipment connected to the VPNA. Incorrect MTU size entries will adversely affect
performance.

The default value for the MTU size is 1400 bytes.


RADIUS CONFIGURATION

This menu allows you to configure the VPNA to use one or more RADIUS
authentication servers to control who has administration access to the VPNA. When
RADIUS authentication is not enabled, the built-in username admin is the only
username allowed access into the VPNA. The admin password can be changed on
the Password Menu, which is reachable from the Main Menu. This is the default
configuration when you receive your VPNA.

Once RADIUS authentication is enabled, remote access via telnet must authenticate
against a username/password configured in a RADIUS server. Starting at the first
server on the page and working down, each server is checked for authentication.
Only if the server does not respond is the next server in the list checked. Therefore,
users configured to access the VPNA should be configured identically in each
RADIUS server.


Serial port access works like telnet access when RADIUS authentication is activated
with an additional check of the built-in username. This additional check allows you
to still access the VPNA if your network connecting to the RADIUS authentication
server(s) is down.

HTTP access never checks the RADIUS servers. It is therefore suggested that HTTP
access be disabled after RADIUS authentication is enabled.

In order for RADIUS authentication to be enabled you must enter at least one
RADIUS Server IP into the page. The Port is optional and may be left blank to reach
the server at the default authentication port of 1812 and accounting port of 1813. If
you specify a Port, p, then the accounting port will be p + 1. The Time field is the
number of seconds to wait for a response from the server before moving onto the
next server. The Key is the shared secret key that needs to be the same on the
RADIUS server.
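
The authentication order described in this section has a consequence worth checking before RADIUS is enabled: because only a silent server passes the request on, a user defined on a lower server but not on the first one is rejected while the first server is up and accepted when it is down. The following Python model is an added example, not Tachyon's code; the server names, users and passwords are constructed, and it assumes HTTP checks only the built-in account and that serial access accepts either a RADIUS accept or the built-in account.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    users: dict = field(default_factory=dict)  # username -> password
    responding: bool = True


def radius_check(servers, user, password):
    """Walk the list top down; only a server that does not respond
    hands the request on to the next one."""
    for s in servers:
        if not s.responding:
            continue  # timed out: move on to the next server in the list
        ok = user in s.users and s.users[user] == password
        return ("accept" if ok else "reject", s.name)
    return ("no-response", None)


def login(channel, user, password, servers, radius_enabled, builtin):
    """channel is "telnet", "serial" or "http"; builtin is the
    (username, password) pair of the built-in account."""
    builtin_ok = (user, password) == builtin
    # HTTP never checks the RADIUS servers (assumed: built-in account only).
    if channel == "http" or not radius_enabled:
        return builtin_ok
    verdict, _ = radius_check(servers, user, password)
    if channel == "serial":
        # Serial adds a check of the built-in username, so the unit stays
        # reachable when the RADIUS servers cannot be contacted.
        return verdict == "accept" or builtin_ok
    return verdict == "accept"  # telnet


def inconsistent_users(servers):
    """Usernames that are not configured identically on every server."""
    names = set().union(*(s.users for s in servers))
    return sorted(u for u in names
                  if len({s.users.get(u) for s in servers}) > 1)


# Constructed sample data. "bob" was left behind on the second server only.
PRIMARY = RadiusServer("radius-1", {"alice": "pw-alice"})
SECONDARY = RadiusServer("radius-2", {"alice": "pw-alice", "bob": "pw-bob"})
BUILTIN = ("admin", "vpna")  # factory default from this handbook

if __name__ == "__main__":
    servers = [PRIMARY, SECONDARY]
    print("bob via telnet, radius-1 up:  ",
          login("telnet", "bob", "pw-bob", servers, True, BUILTIN))
    down = RadiusServer("radius-1", PRIMARY.users, responding=False)
    print("bob via telnet, radius-1 down:",
          login("telnet", "bob", "pw-bob", [down, SECONDARY], True, BUILTIN))
    print("built-in account via http:    ",
          login("http", "admin", "vpna", servers, True, BUILTIN))
    print("inconsistent users:", inconsistent_users(servers))
```

Running `inconsistent_users` against an export of each server's user list before enabling RADIUS catches the stale-account case; the HTTP result shows why the handbook suggests disabling HTTP access afterwards.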

AUTO FAIL-OVER CONFIGURATION

This menu allows you to configure the VPNA to act as a backup for other 5000
Series VPNAs in your network.


Selecting the example link will bring up a new window with the following
detailed description:


The Auto Fail-Over feature of the 5000 Series VPNA (VPNA 5000) allows multiple
VPNA 5000s to provide backup capacity for each other. The following diagram shows
a generic network with a Primary VPNA 5000 and a single Backup VPNA 5000. When
the backup VPNA 5000 is properly configured, it will accelerate traffic not only for its
own network, but for the primary VPNA 5000's network as well.

Network redundancy may be implemented using protocols such as RIP, EIGRP,
OSPF, manual switch-over, etc. The implementation of network redundancy is
irrelevant to the VPNA 5000 functionality, as long as symmetric routing is
guaranteed.

1000 series VPNA accelerators (VPNA 1000) typically have a default TSP route to a
VPNA 5000 acting as the TSP Gateway. When Auto Fail-Over is disabled, a VPNA
5000 will pass through accelerated traffic that has a TSP Gateway that is different
from its own IP address. When Virtual IP Address mode is enabled a VPNA 5000 will
accept accelerated traffic whose TSP Gateway matches its Virtual IP Address, and
mark accelerated packets as being sourced from the Virtual IP Address.

When Network Address Translation (NAT) is enabled a VPNA 5000 will accept
accelerated traffic when the pair of (source IP, TSP Gateway IP) matches an entry in
the NAT Table. Also, the VPNA 5000 will mark accelerated packets to one of the NAT
sources as originating from the TSP Gateway IP in the matched pair.

Auto Fail-Over may be configured to use a single Virtual IP Address, or a NAT Table
containing source/destination IP address pairs. Both the Virtual IP Address and the
NAT Table entries may be specified. However, only one mode may be Enabled at
any given time. Virtual IP Address and NAT Table modes may both be Disabled at
the same time.

A TSP route must be entered in the Basic Functions | Routes page for each VPNA
1000 for which this VPNA 5000 is serving as a backup gateway.

If a Virtual IP Address is specified, all traffic accelerated to the Virtual IP Address
that is routed to the VPNA 5000 will be processed. To configure the Backup VPNA
5000 in the example diagram:

• In the Routes page, add a TSP route with a Destination of 172.20.2.0, and a
TSP Gateway of 172.20.2.2

• Set the Virtual IP Address to 172.20.3.2

• Enable Virtual IP Address Mode

If the NAT Table is enabled, only traffic bound to/from the source/destination
address entries will be processed (in addition to traffic normally targeted to this
VPNA 5000.)

In the NAT Table, the Source IP is the IP Address of a VPNA 1000 for which this
VPNA 5000 is serving as a backup gateway. The Destination IP is the IP Address of a
VPNA 5000 for which this VPNA 5000 is serving as a backup gateway. To configure
the Backup VPNA 5000 in the example diagram:

• In the Routes page, add a TSP route with a Destination of 172.20.2.0, and a
TSP Gateway of 172.20.2.2

• Add an entry in the NAT Table with a Source IP of 172.20.2.2, and a
Destination IP of 172.20.3.2

• Enable NAT Table Mode

LOAD CONFIGURATION

This menu allows the current operating configuration to be loaded from the
computer that is being used to configure the AF5000 Series VPNA. You are
prompted to locate the configuration file you want to load.

NOTE: When you commit the change all operating parameters will be replaced with
the ones in the configuration file. You may want to save your current configuration
to a temporary file before loading a new configuration.


SAVE CONFIGURATION

This menu allows the current operating configuration to be stored to the computer
that is being used to configure the AF5000 Series VPNA. You are prompted to enter
a file name (which will be appended with a .conf extension) and select a location to
save the configuration file.


5 TROUBLESHOOTING

IPSec networks are often difficult to troubleshoot because end-to-end
encryption prevents visibility between the ends.

This section identifies key problems and suggests methods for identifying the
source of the problems. In some cases, network security policy may disqualify the
proposed method.

For problems that are not corrected by the troubleshooting techniques described
in this section, contact the Service Provider for technical support.

This section includes:

• Troubleshooting procedures for partial connectivity.

• Troubleshooting procedures for interrupted connectivity

• Troubleshooting procedures for degraded performance

Before performing any of the troubleshooting procedures in this chapter, it is
important to read Chapter 2 - VPNA Safety Information. Follow all safety
procedures when performing any troubleshooting operations.


PING WORKS BUT TCP/IP FAILS


It is sometimes the case that using ping to check connectivity between two
sites will succeed, but a TCP connection between the same two sites will fail.
This symptom usually indicates that TSP acceleration routing is incorrect. But
it may also indicate an error in IP routing for the VPNAs that are in Bridge
Mode, or one of the VPNAs has TSP acceleration disabled. When the VPNA
intercepts TCP packets, it originates accelerated IP packets to move the TCP
data. The VPNA’s IP routes are used to determine where to send these
accelerated IP packets.

1. Verify that both VPNAs have TSP acceleration enabled.
   Go to the service menu on each VPNA and verify that TSP acceleration is
   marked as enabled.

2. Verify that the CPE-side VPNA has a TSP acceleration route marked as remote to
   the Headquarters-side VPNA address.
   If the Headquarters VPNA is in Route Mode then use the Headquarters-side
   VPNA’s WAN address.

3. Verify that the Headquarters-side VPNA has a TSP acceleration route marked as
   remote to the CPE-side VPNA address.
   If the CPE-side VPNA is in Route Mode use the CPE-side VPNA’s WAN address.

4. Verify IP routes for CPE-side VPNAs in Bridge Mode.
   IP routing is not used in Bridge Mode when a packet can simply be bridged.
   Since ping packets are simply bridged, an error in IP routing will not be
   revealed by ping. However, TSP acceleration does not simply bridge packets,
   so IP routes must be correct.


LOSS OF WAN COMMUNICATION


Follow the systematic troubleshooting procedure described here if there is no
communication between a remote site and Headquarters.

1 Verify that the power to the If the Power indicator is not lit, check
Tachyon VPNA is on - the that the power cord is securely
green LED on the front panel connected to the Tachyon VPNA and
is lit to the AC power source. If the power
is connected, and the Power LED is
not lit, follow the troubleshooting
procedure in this section for Loss of
Power to the Tachyon Network Server.

If the Power indicator is lit, proceed to


the next step.

2 Verify Link Integrity - the Both the WAN and LAN ports should
Link LED on the Network be lit.
Interface Cards (NIC) at the
If the Link indicator is not lit check
rear of the VPNA are lit
that the cable is properly seated and
make sure the device on the other
end is powered up.

If the Link indicator is lit, proceed to


the next step.

3 Verify the connection Using the Ping utility on your


between your Workstation workstation, ping the VPNA device. If
and the VPNA device the VPNA does not respond:

1. Go to the VPNA configuration


menus and check the "status"
menu for error messages.

• If you cannot reach the VPNA


configuration menus either by
the Ethernet address or the
serial port then reboot the
VPNA manually by cycling
power to the unit.

2. If the configuration looks correct


and there are no error messages

57
TACHYON VPNA HANDBOOK

to act on, reboot the unit from the


Shutdown menu. It will take a few
minutes for the unit to reboot.

3. If you are still unable to unable to


access the VPNA unit via the
Ethernet port or serial port after a
power cycle then contact your
service provider for assistance.

4 Verify the connection Using the Ping utility on your


between your Workstation workstation, ping the IPSec device. If
and the IPSec device the IPSec device does not respond:

1. Make sure the IPSec device is


power up.

2. Check the Link light on the VPNA


again. If it is out make sure the
cables are seated properly. You
may want to change cables.

3. Refer to the documentation for the


IPSec device for troubleshooting
ideas.

Reboot the IPSec device and try


again.

If you cannot ping the IPSec device


you may have a faulty device.

5  Verify the CPE is up and connected to the Tachyon network.

   In order to perform this step you will need direct access to the CPE, bypassing the IPSec device. If this is not possible, then skip this step. Note: when connecting directly to the CPE with a PC or workstation, use a crossover cable.

   If direct access to the CPE is possible, follow the Internet Connectivity procedures in the Troubleshooting section of the CPE Handbook.


6  Verify the IPSec devices are functioning properly

   Refer to the User Manual for your IPSec devices for diagnostic utilities.

7  If there is still no connectivity after verifying the above items, contact your Service Provider for technical support

   The ISP providing Tachyon service will provide technical support for CPE connectivity issues.
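
The ping checks in steps 3 to 5 above, written as a script to run from the workstation. This is an added example, not part of the Tachyon handbook: the addresses are constructed placeholders, and the PROBE hook and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: steps 3-5 of the loss-of-connectivity table as one script.
# All addresses are constructed placeholders; set them to your own devices.
VPNA_ADDR="${VPNA_ADDR:-192.0.2.10}"    # placeholder VPNA address
IPSEC_ADDR="${IPSEC_ADDR:-192.0.2.1}"   # placeholder IPSec device address
CPE_ADDR="${CPE_ADDR:-}"                # empty = no direct CPE access, step 5 is skipped
PROBE="${PROBE:-probe_ping}"            # reachability test, replaceable for dry runs

# Send three echo requests; succeeds if at least one reply arrives.
# (-c is the count flag of Unix ping; Windows ping uses -n instead.)
probe_ping() {
    ping -c 3 "$1" >/dev/null 2>&1
}

# Print the number of the first handbook step that fails, or 7 when every
# probed device answers (step 7: escalate if there is still no connectivity).
first_failing_step() {
    "$PROBE" "$VPNA_ADDR" || { echo 3; return 0; }
    "$PROBE" "$IPSEC_ADDR" || { echo 4; return 0; }
    if [ -n "$CPE_ADDR" ]; then
        "$PROBE" "$CPE_ADDR" || { echo 5; return 0; }
    fi
    echo 7
}

# Map a step number to a summary of the action the handbook gives for it.
advice_for_step() {
    case "$1" in
        3) echo "VPNA not responding: check the status menu, then reboot from the Shutdown menu" ;;
        4) echo "IPSec device not responding: check power, Link light and cables, then reboot it" ;;
        5) echo "CPE not responding: follow the Internet Connectivity procedures in the CPE Handbook" ;;
        7) echo "All probed devices respond: if connectivity is still down, contact your service provider" ;;
        *) echo "unknown step: $1"; return 1 ;;
    esac
}

# Report the first failing step together with its recommended action.
diagnose() {
    step=$(first_failing_step)
    echo "step $step: $(advice_for_step "$step")"
}

# Run the real check only when asked, e.g.: sh linkcheck.sh run
if [ "${1:-}" = "run" ]; then
    diagnose
fi
```

Probing in the table's order means the first failure identifies which device to work on, so a dead VPNA is not misread as an IPSec or CPE fault.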

LOSS OF WAN PERFORMANCE

1  Verify Clear Text performance

   If your network allows IP packets destined for the public Internet to pass the IPSec device without encryption, then test the link on a few well-known sites. Try to download a few files from our demo web server at 63.103.96.229. If performance is not close to your Tachyon service level, point your web browser to the CPE and access its Web Admin page. View the Faults page and look for any errors. If errors are found, reboot the CPE and try again. If the errors persist, contact your service provider.

6 TECHNICAL SPECIFICATIONS

This section provides detailed technical specifications for the Tachyon VPNA device.

This section includes:

• Specifications for the VPNA.

Tachyon AF 5000 SERIES VPNA Specifications

System Specifications

Nominal support for up to 500 VPNA-100s

Rear Panel Port Specifications

WAN Interface      Ethernet, 10/100 BaseTX, RJ-45, full duplex operation
LAN Interface      Ethernet, 10/100 BaseTX, RJ-45, full duplex operation
Serial Interface   RS-232, 9-pin Male, DCE

Ethernet Port Pinout:

RJ-45 Signal Pin

Pin#   Name   Description
1      TD+    Transmit Data
2      TD-    Transmit Data
3      RD+    Receive Data
4      N/C    No connect
5      N/C    No connect
6      RD-    Receive Data
7      N/C    No connect
8      N/C    No connect

Environmental Specifications

Temperature        10 to +35 °C ambient air temperature (operating)
Warm-up            ≤ 15 minutes
Humidity           5 to 95% non-condensing

Mechanical Specifications

Size               8.4 cm (h) x 42.5 cm (w) x 66.7 cm (d)
Weight             22.6 kg (50 lbs.)
Shipping Weight    24.9 kg (55 lbs.)


Power Specifications

Input Voltage      Switch selectable voltage range: 110/220 Volts
Frequency          50/60 Hz
Power              330 Watts

INDEX

Advanced Topics
Aliases
Bridge Mode
Configuration
    Load
    Save
CPE
IPSec
WAN Router
Login
Main Menu
MTU Configuration
Password
    Forgotten
Prefetch
    Local Machines
Quick Start
Restore Default Configuration
Route Mode
Safety
Serial Port
Setup Wizard
SNMP
Software Version Number
Specifications
    Environmental
    Mechanical
    Power
    Rear Panel
SSL
Status
Tachyon Access Point
Tachyon Satellite Gateway
Tachyon, Inc.
TCP Test
TCP/IP
Technical Support
Theory of Operation
Topologies
    Multiple Remote Sites with Multiple Headquarters
    Multiple Remote Sites with Single Headquarters
    Single Remote Site
Version Number
Warranty
