Re: VPN Timeouts

  • From: "Peter" <Peter@xxxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 30 Jan 2002 15:22:05 -0700

An update to this issue.


It was discovered that the VPN being connected to is a Watchguard VPN. The
disconnect is happening after 18 minutes and it is a known problem with
Watchguard when a connection is being made through Microsoft ICS and ISA
Server.  See a copy of the log below and the comment from Watchguard.

If anyone has seen this issue and has heard of a solution, please let me
know. The issue is logged with Watchguard and I will forward their
solution when and if it arrives.

E-mail from Watchguard first line support:

Issue: Under certain conditions, Windows 2000 PPTP clients will become
disconnected after 18 minutes of connect time, regardless of network
activity.
Date Reported: 6/10/2001
Description: When negotiating PPTP tunnels with a Windows 2000 client,
sometimes the 2000 client fails to send a TCP ACK to the Firebox in
response to a PPTP "set-link-info" packet. The Firebox attempts to send
this packet every minute with no response from the 2000 client. This is a
TCP mis-timing issue that seems to happen when ICS (Internet Connection
Sharing) is enabled on the Windows 2000 system.
Workaround: Internal testing has revealed that disabling ICS with Windows
2000 stops this timing issue from occurring.
To disable ICS:
        From the desktop, right-click My Network Places, select Properties. 
        Right-click Local Area Connection, select Properties. 
        Note: If you have more than one Local Area Connection, repeat this
        procedure for each entry to make sure ICS is completely disabled.
        Double-click TCP/IP. 
        Select the Sharing tab. 
        Disable Internet Connection Sharing. 
        Click OK. 
        Click OK. 
Current Status: 3rd party issue.
Software Version: All Firebox versions.

Copy of the log file and we can see the heartbeat disconnect:

16:10:35        pptpd[1869] Terminating on signal 2.    
16:10:35        pptpd[1869] Connection terminated.      
16:10:35        pptpd[1869] Persist flag not set, so we are exiting.
16:10:35        kernel pptp5: pptp_sock_close   
16:10:35        pptpd[1869] Drop Host 14 202.27.160.45 pptp_users amr succeeded
16:10:35        pptpd[1869] User amr at 202.27.160.45 logged out
16:10:35        pptpd[1869] Exit.       
16:10:40        pptpd[2352] Watchguard pptpd 2.2.0 started
16:10:40        pptpd[2352] Using interface pptp5       
16:10:40        kernel pptp5: daemon attached.  
16:10:40        pptpd[2352] Connect: pptp5 [5] <-->203.202.185.62
16:10:41        tunneld[113] process_stop_request: invalid state for 203.202.185.62
16:10:41        tunneld[113] process_rfds: unable to process packet from 203.202.185.62
16:10:41        pptpd[2352] Terminating on signal 2.    
16:10:41        pptpd[2352] Connection terminated.      
16:10:41        pptpd[2352] Persist flag not set, so we are exiting.
16:10:41        kernel pptp5: pptp_sock_close   
16:10:41        pptpd[2352] Exit.       
16:12:08        pptpd[1929] Terminating on signal 2.    
16:12:09        pptpd[1929] Connection terminated.      
16:12:09        pptpd[1929] Persist flag not set, so we are exiting.
16:12:09        kernel pptp2: pptp_sock_close   
16:12:09        pptpd[1929] Drop Host 14 202.27.160.42 pptp_users pas succeeded
16:12:09        pptpd[1929] User pas at 202.27.160.42 logged out
16:12:09        pptpd[1929] Exit.       
16:19:38        pptpd[2583] Watchguard pptpd 2.2.0 started
16:19:38        pptpd[2583] Using interface pptp2       
16:19:38        kernel pptp2: daemon attached.  
16:19:38        pptpd[2583] Connect: pptp2 [2] <-->203.202.185.62
16:19:38        kernel GRE: out of order: as:0 seq:0    from:0x3eb9cacb
16:19:41        pptpd[2583] User jjc at 202.27.160.42 logged in
16:19:41        pptpd[2583] Add Host 14 202.27.160.42 pptp_users jjc succeeded
16:19:42        pptpd[2583] Compression enabled 
16:19:42        pptpd[2583] Using PPTP encryption RC4 40-bit.
16:19:42        pptpd[2583] Not using any PPTP software compression.
16:19:42        pptpd[2583] Using stateless mode.       
16:19:42        pptpd[2583] Allowing unsafe packet transfer mode for lossy links.
16:19:42        pptpd[2583] local  IP address 202.27.160.5
16:19:42        pptpd[2583] remote IP address 202.27.160.42
16:19:42        pptpd[2583] found interface eth0 for proxy arp
16:19:42        pptpd[2583] found interface eth1 for proxy arp
16:19:42        pptpd[2583] found interface eth2 for proxy arp


> You don't get alerts for no reason, though the causes aren't always clear.
> Take a look in the registry for this value:
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Arrays\{GUID}\Servers\{GUID}]
> "msFPCIntraArrayAddress"="<someIPaddress>"
> ..replace {GUID} with the huge number you find there..
> 
> If it doesn't match your internal IP, change it so that it does.
> 
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
> 
> ----- Original Message -----
> From: "Peter" <Peter@xxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, January 25, 2002 13:01
> Subject: [isalist] Re: VPN Timeouts
> 
> 
> Still no solution.  If anyone has seen this issue, please respond with
> comments!!
> 
> We have an ISA Server running very well but every 16 or so minutes the
> clients (on the internal side of the ISA server) are disconnected from
> their external VPN's.
> 
> It is 16 or so minutes after VPN connection not all at the same time. I
> have tried to disable the QOS on the external side. I have very few errors
> in the logs. The errors I have are;
> 
> 1. On boot I get a "IntraArrayAddress defined on this server is not in
> the Local Address Table". However we only have one ISA server running in
> integrated mode.
> 
> 2. I get a "Cannot read configuration" from time to time in the alert
> section.
> 
> The server has publishing rules (eg OWA, some servers etc) and they all
> work fine.
> 
> From the ISA Server A VPN session does not drop.
> 
> 
> If anyone has an idea what is causing this issue, please comment.
> 
> Note. I configured the VPN's with the wizards. I have tried to do
> everything by the rules.
> 
> Thanks & HELP!!
> 
> > We have an ISA Server running very well but every 16 or so minutes the
> > clients (on the internal side of the ISA server) are disconnected from
> > their external VPN's.
> >
> > It is 16 or so minutes after VPN connection not all at the same time. I
> > have tried to disable the QOS on the external side. I have very few errors
> > in the logs. The errors I have are;
> >
> > 1.  On boot I get a "IntraArrayAddress defined on this server is not in
> > the Local Address Table". However we only have one ISA server running in
> > integrated mode.
> >
> > 2. I get a "Cannot read configuration" from time to time in the alert
> > section.
> >
> > The server has publishing rules (eg OWA, some servers etc) and they all
> > work fine.
> >
> > From the ISA Server A VPN session does not drop.
> >
> > I purchased the book but the lists seem to be riddled with PGP near the
> > answer to issues.
> >
> > If anyone has an idea what is causing this issue, please comment.
> >
> > Note.  I configured the VPN's with the wizards. I have tried to do
> > everything by the rules.
> >
> > Thanks..
> >
> > > Was there ever a response to this issue?
> > >
> > > Peter@xxxxxxxxxxxxxxxxx
> > >
> > >
> > >
> > > > Ditto here:
> > > >
> > > > My internal win98 snat clients connecting to external VPN server times
> > > > out after approx 20mins
> > > >   ----- Original Message -----
> > > >   From: Jeff_Bevans@xxxxxxxxxxx
> > > >   To: [ISAserver.org Discussion List]
> > > >   Sent: Friday, November 09, 2001 10:22 AM
> > > >   Subject: [isalist] Re: VPN Timeouts
> > > >
> > > >   I have the problem as well, but for clients connecting into the vpn
> > > >   server.  If I click on redial it authenticates right away.
> > > >
> > > >   Jeff Bevans
> > > >
> > > >   -----Original Message-----
> > > >   From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> > > >   Sent: November 9, 2001 10:17 AM
> > > >   To: [ISAserver.org Discussion List]
> > > >   Subject: [isalist] Re: VPN Timeouts
> > > >
> > > >   I noticed!  I'm just having similar problems with one site, and I was
> > > >   waiting for Jim to tell us how to fix it!!!
> > > >
> > > >   At 12:13 PM 11/9/2001 -0600, you wrote:
> > > >   >I asked this question yesterday, but no one noticed.
> > > >   >
> > > >   >On two separate ISA servers I am getting VPN Timeouts.  It connects, sits
> > > >   >at verifying username & password, then times out saying no response.
> > > >   >
> > > >   >What might I have missed ?
> > > >   >
> > > >   >TIA
> > > >   >
> > > >   >Paul Nuernberger
> > > >   >Manager
> > > >   >BARON Computers, Inc.
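
The 18-minute symptom reported at the top of this message can be checked from the Firebox log itself. The following is an added example, not part of the original thread or of any Watchguard tool: it pairs pptpd login and logout lines by PID and lists sessions that ended within a minute of 18 minutes. The sample log, user names and 192.0.2.x addresses are constructed; only the line format is taken from the log quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the pptpd log quoted in the message
# (times, PIDs, users and documentation-range addresses are made up).
SAMPLE_LOG = """\
09:00:03        pptpd[3001] User alice at 192.0.2.10 logged in
09:00:04        pptpd[3001] Using PPTP encryption RC4 40-bit.
09:05:10        pptpd[3002] User bob at 192.0.2.11 logged in
09:18:05        pptpd[3001] User alice at 192.0.2.10 logged out
09:23:12        pptpd[3002] User bob at 192.0.2.11 logged out
09:30:00        pptpd[3003] User carol at 192.0.2.12 logged in
09:41:30        pptpd[3003] User carol at 192.0.2.12 logged out
23:50:00        pptpd[3004] User dave at 192.0.2.13 logged in
00:08:01        pptpd[3004] User dave at 192.0.2.13 logged out
"""

LINE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+pptpd\[(\d+)\]\s+User (\S+) at (\S+) logged (in|out)\s*$")

def sessions(log_text):
    """Pair each login with the logout written by the same pptpd PID."""
    open_logins, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other daemon/kernel lines carry no session boundary
        ts, pid, user, addr, event = m.groups()
        when = datetime.strptime(ts, "%H:%M:%S")
        if event == "in":
            open_logins[pid] = when
        elif pid in open_logins:
            length = when - open_logins.pop(pid)
            if length < timedelta(0):  # log has no date: session crossed midnight
                length += timedelta(days=1)
            done.append((user, addr, length))
    return done

def fixed_interval_drops(log_text, minutes=18, tolerance_s=60):
    """Return sessions whose length is within tolerance of the suspect duration."""
    target = timedelta(minutes=minutes)
    return [(u, a, d) for u, a, d in sessions(log_text)
            if abs(d - target) <= timedelta(seconds=tolerance_s)]

if __name__ == "__main__":
    for user, addr, length in fixed_interval_drops(SAMPLE_LOG):
        print(f"{user}@{addr} dropped after {length}")
```

Sessions that end at the same duration regardless of when they started point to a timer on the tunnel rather than to idle time or link loss.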

