VPN Timeout at 18 minutes when connecting to a Watchguard VPN

  • From: "Peter" <Peter@xxxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 30 Jan 2002 15:56:06 -0700

It was discovered that a VPN connection made to a Watchguard VPN Server
through an ISA Server can disconnect after being connected to the remote
Watchguard VPN for 18 minutes.

The issue is a known problem with Watchguard when a connection is being
made through Microsoft ICS and ISA Server. Watchguard tell me that it has
a problem with Microsoft's NAT. (See a copy of the log below and the
comment from Watchguard.)

As you can see from the log below, an ACK packet that is not responded to
is disconnecting the VPN session. A connection can be re-established after
the disconnect, but at the 18 minute mark of the new connection, the ACK
disconnects the session once again.

I thought of installing a static ARP entry to try to overcome this issue,
but I think it would become too messy.

If anyone has seen this issue or has any suggestions on how to alleviate the
issue at the ISA Server end, please let me know. The issue is logged with
Watchguard and I will forward their solution when and if it arrives.

E-mail from Watchguard first line support:

Issue: Under certain conditions, Windows 2000 PPTP clients will become
disconnected after 18 minutes of connect time, regardless of network
activity. Date Reported: 6/10/2001

Description: When negotiating PPTP tunnels with a Windows 2000 client,
sometimes the 2000 client fails to send a TCP ACK to the Firebox in
response to a PPTP "set-link-info" packet. The Firebox attempts to send
this packet every minute with no response from the 2000 client. This is a
TCP mis-timing issue that seems to happen when ICS (Internet Connection
Sharing) is enabled on the Windows 2000 system.

Workaround: Internal testing has revealed that disabling ICS with Windows
2000 stops this timing issue from occurring. To disable ICS:
        From the desktop, right-click My Network Places, select Properties. 
        Right-click Local Area Connection, select Properties. 
        Note: If you have more than one Local Area Connection, repeat this
procedure for each entry to make sure ICS is completely disabled.
        Double-click TCP/IP. 
        Select the Sharing tab. 
        Disable Internet Connection Sharing. 
        Click OK. 
        Click OK. 
Current Status: 3rd party issue.
Software Version: All Firebox versions.

Note: This response from Watchguard does not address ISA Server, but we
know the background of ICS and its relationship to ISA and Proxy version
x.

A copy of the log file, in which we can see the ACK (or heartbeat) disconnect:

16:10:35        pptpd[1869] Terminating on signal 2.    
16:10:35        pptpd[1869] Connection terminated.      
16:10:35        pptpd[1869] Persist flag not set, so we are exiting.
16:10:35        kernel pptp5: pptp_sock_close   
16:10:35        pptpd[1869] Drop Host 14 202.27.160.45 pptp_users amr succeeded
16:10:35        pptpd[1869] User amr at 202.27.160.45 logged out
16:10:35        pptpd[1869] Exit.       
16:10:40        pptpd[2352] Watchguard pptpd 2.2.0 started
16:10:40        pptpd[2352] Using interface pptp5       
16:10:40        kernel pptp5: daemon attached.  
16:10:40        pptpd[2352] Connect: pptp5 [5] <-->203.202.185.62
16:10:41        tunneld[113] process_stop_request: invalid state for
203.202.185.62
16:10:41        tunneld[113] process_rfds: unable to process packet from
203.202.185.62
16:10:41        pptpd[2352] Terminating on signal 2.    
16:10:41        pptpd[2352] Connection terminated.      
16:10:41        pptpd[2352] Persist flag not set, so we are exiting.
16:10:41        kernel pptp5: pptp_sock_close   
16:10:41        pptpd[2352] Exit.       
16:12:08        pptpd[1929] Terminating on signal 2.    
16:12:09        pptpd[1929] Connection terminated.      
16:12:09        pptpd[1929] Persist flag not set, so we are exiting.
16:12:09        kernel pptp2: pptp_sock_close   
16:12:09        pptpd[1929] Drop Host 14 202.27.160.42 pptp_users pas succeeded
16:12:09        pptpd[1929] User pas at 202.27.160.42 logged out
16:12:09        pptpd[1929] Exit.       
16:19:38        pptpd[2583] Watchguard pptpd 2.2.0 started
16:19:38        pptpd[2583] Using interface pptp2       
16:19:38        kernel pptp2: daemon attached.  
16:19:38        pptpd[2583] Connect: pptp2 [2] <-->203.202.185.62
16:19:38        kernel GRE: out of order: as:0 seq:0    from:0x3eb9cacb
16:19:41        pptpd[2583] User jjc at 202.27.160.42 logged in
16:19:41        pptpd[2583] Add Host 14 202.27.160.42 pptp_users jjc succeeded
16:19:42        pptpd[2583] Compression enabled 
16:19:42        pptpd[2583] Using PPTP encryption RC4 40-bit.
16:19:42        pptpd[2583] Not using any PPTP software compression.
16:19:42        pptpd[2583] Using stateless mode.       
16:19:42        pptpd[2583] Allowing unsafe packet transfer mode for lossy links.
16:19:42        pptpd[2583] local  IP address 202.27.160.5
16:19:42        pptpd[2583] remote IP address 202.27.160.42
16:19:42        pptpd[2583] found interface eth0 for proxy arp
16:19:42        pptpd[2583] found interface eth1 for proxy arp
16:19:42        pptpd[2583] found interface eth2 for proxy arp

If anyone has other Opinions on this issue, I welcome comments.
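Editor's note: the following is an added example, not code from the original post or from Watchguard. It reads Firebox pptpd log lines in the format quoted above, pairs each PID's "Connect", "logged in" and "Terminating" lines, and reports how long each tunnel lived after the user authenticated, so that sessions that die at the 18 minute mark (the keepalive/NAT problem described in the thread) can be told apart from handshakes that fail within seconds (the `tunneld ... invalid state` pattern) and from sessions whose start or end falls outside the excerpt. The sample log is constructed for the example; the 17 to 19 minute window and the 30 second handshake limit are assumed thresholds, not values from the post.

```python
"""Session-duration analysis of Firebox pptpd log lines (added example)."""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample in the same shape as the log quoted in the post.
SAMPLE_LOG = """\
15:53:57        pptpd[1929] Watchguard pptpd 2.2.0 started
15:53:57        pptpd[1929] Connect: pptp2 [2] <-->203.202.185.62
15:54:00        pptpd[1929] User pas at 202.27.160.42 logged in
16:10:35        pptpd[1869] Terminating on signal 2.
16:10:35        pptpd[1869] User amr at 202.27.160.45 logged out
16:10:40        pptpd[2352] Watchguard pptpd 2.2.0 started
16:10:40        pptpd[2352] Connect: pptp5 [5] <-->203.202.185.62
16:10:41        tunneld[113] process_stop_request: invalid state for 203.202.185.62
16:10:41        pptpd[2352] Terminating on signal 2.
16:10:41        pptpd[2352] Exit.
16:12:08        pptpd[1929] Terminating on signal 2.
16:12:09        pptpd[1929] User pas at 202.27.160.42 logged out
16:12:09        pptpd[1929] Exit.
16:19:38        pptpd[2583] Watchguard pptpd 2.2.0 started
16:19:38        pptpd[2583] Connect: pptp2 [2] <-->203.202.185.62
16:19:41        pptpd[2583] User jjc at 202.27.160.42 logged in
"""

# Line shapes seen in the Firebox log: "HH:MM:SS   proc[pid] message"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\w+)\[(\d+)\]\s+(.*)$")
CONNECT_RE = re.compile(r"Connect: (\S+) \[\d+\] <-->(\S+)")
LOGIN_RE = re.compile(r"User (\S+) at (\S+) logged in")
TUNNELD_RE = re.compile(r"tunneld\[\d+\] .*invalid state for (\S+)")

# Assumed thresholds: "18 minutes" give or take, and how fast a failed handshake dies.
DROP_WINDOW = (timedelta(minutes=17), timedelta(minutes=19))
HANDSHAKE_LIMIT = timedelta(seconds=30)


def _parse_time(hhmmss, previous=None):
    """HH:MM:SS -> datetime; the log has no date, so roll over if time goes backwards."""
    t = datetime.strptime(hhmmss, "%H:%M:%S")
    if previous is not None and t < previous:
        t += timedelta(days=1)
    return t


def parse_sessions(log_text):
    """Group pptpd lines by PID into {pid: {connect, login, end, peer, user}}."""
    sessions = OrderedDict()
    last = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # kernel/GRE lines carry no pid and no session state
        stamp, proc, pid, msg = m.groups()
        t = _parse_time(stamp, last)
        last = t
        if proc != "pptpd":
            continue
        s = sessions.setdefault(pid, {"pid": int(pid), "peer": None, "user": None,
                                      "connect": None, "login": None, "end": None})
        if (c := CONNECT_RE.search(msg)):
            s["connect"], s["peer"] = t, c.group(2)   # TCP 1723 control connection up
        elif (l := LOGIN_RE.search(msg)):
            s["login"], s["user"] = t, l.group(1)     # PPP auth done, tunnel carrying traffic
        elif msg.startswith("Terminating on signal"):
            s["end"] = t                              # daemon torn down
    return sessions


def classify(s):
    """Return (label, seconds the tunnel lived after login, or None)."""
    if s["end"] is None:
        return "still_up", None
    if s["login"] is None:
        if s["connect"] is not None and s["end"] - s["connect"] <= HANDSHAKE_LIMIT:
            return "handshake_failed", None   # died before PPP auth completed
        return "incomplete", None             # start of this session is not in the excerpt
    lifetime = s["end"] - s["login"]
    secs = int(lifetime.total_seconds())
    if DROP_WINDOW[0] <= lifetime <= DROP_WINDOW[1]:
        return "eighteen_minute_drop", secs   # the keepalive/NAT pattern from the thread
    return "other_drop", secs


def analyse(log_text):
    """Classify every session and count tunneld 'invalid state' errors per peer."""
    tunneld_errors = {}
    for raw in log_text.splitlines():
        m = TUNNELD_RE.search(raw)
        if m:
            tunneld_errors[m.group(1)] = tunneld_errors.get(m.group(1), 0) + 1
    rows = []
    for s in parse_sessions(log_text).values():
        label, secs = classify(s)
        rows.append({"pid": s["pid"], "user": s["user"], "peer": s["peer"],
                     "label": label, "seconds": secs})
    return {"sessions": rows, "tunneld_errors": tunneld_errors}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for r in report["sessions"]:
        print(f"pid {r['pid']:<5} user {r['user'] or '-':<5} peer {r['peer'] or '-':<16} "
              f"{r['label']:<21} {r['seconds'] if r['seconds'] is not None else ''}")
    print("tunneld invalid-state errors:", report["tunneld_errors"])
```

Run it against a real pptpd log and a run of `eighteen_minute_drop` rows for one peer, with no `tunneld` errors, points at the keepalive being lost in the NAT path rather than at the handshake; a cluster of `handshake_failed` rows paired with `invalid state` counts for the same peer is a different failure and should not be blamed on the 18 minute problem.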

