Hi All,
Basically I am having a problem! I have created two IPsec tunnels from Forefront TMG, which is running on the Security server of an EBS2008 installation. Both remote ends are D-Link 824VUP+ routers.
The VPN will establish just fine, but under load will often drop out; a soft reboot of the D-Link on the dropped connection will have it back online within seconds. These same modems were stably connecting to our Cisco 857W when it was hosting the VPN.
Once a VPN drops, it will not re-establish; the VPN status according to the D-Link will often be "IKE established", but it is no longer reported as fully established. My assumption for this is that ISA is fully dropping the connection for some reason, whereas the D-Link thinks it is only temporary and continues to try to redo Phase 2 of the VPN auth process thingy. Once you soft reboot the D-Link, it tries from Phase 1 of the IKE process (the beginning), and comes online instantly.
Anyway, I have conducted a lot of research, not really knowing what to do, and have come across this post, which seems to mostly suit my scenario:
http://forums.isaserver.org/m_2002026753/mpage_1/key_/tm.htm#2002029896
In that thread, he points to an MS article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;902347
I have implemented the required settings from that article, setting the value of EnablePMTUDiscovery to 1 (the key did not exist), and created the access rule as per the ISA 2004 Standard suggestions.
I did some MTU testing before implementing these changes, and found I could ping packet sizes up to 1464 out to google.com, but 1473 to both of the remote VPN ends. After implementing these changes, I am still limited to the same packet sizes; I am not sure if this matters?
As a side note, pinging from a client PC on the remote end to a machine behind our Forefront TMG box, I can ping any size... tested up to 4000 bytes, so clearly packet splitting is working there?
That's all my background info; right now I'm stuffed on what to do next. I can't even for the life of me get the live logging in Forefront TMG to display ANY VPN logging, so that I can monitor for reasons why the VPN connection might get dropped.
Throwing it out there, what can I try next? As soon as our VPNs go under heavy load, they break...
Charles
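The MTU probing described in the post, written up as an added PowerShell example (not code from the original post): it binary-searches the largest ICMP payload that gets a reply with the Don't Fragment bit set, reports the implied path MTU, and reads back the EnablePMTUDiscovery value from KB 902347. The peer names REMOTE_PEER_A and REMOTE_PEER_B are placeholders for the two D-Link addresses.

```powershell
# Added example, not from the original post. Run on the TMG/Windows host.
# Windows ping: -f sets Don't Fragment, -l is the ICMP payload size,
# -n is the probe count, -w is the reply timeout in milliseconds.
# Path MTU = payload + 8 (ICMP header) + 20 (IPv4 header).

function Test-DfPing {
    param([string]$Target, [int]$Payload)
    $out = ping.exe -n 1 -w 1500 -f -l $Payload $Target 2>&1 | Out-String
    # Only an actual reply line ("Reply from ... TTL=") counts as success;
    # "Packet needs to be fragmented but DF set." and timeouts are failures.
    return ($out -match 'TTL=')
}

function Find-PathMtu {
    param([string]$Target, [int]$Low = 500, [int]$High = 1472)
    # Binary search for the largest payload that passes with DF set.
    $best = 0
    while ($Low -le $High) {
        $mid = [int](($Low + $High) / 2)
        if (Test-DfPing -Target $Target -Payload $mid) {
            $best = $mid
            $Low = $mid + 1
        } else {
            $High = $mid - 1
        }
    }
    New-Object PSObject -Property @{
        Target     = $Target
        MaxPayload = $best
        PathMtu    = $best + 28   # 0 means no DF probe got through at all
    }
}

# Confirm the registry setting from KB 902347 is actually in place.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$pmtu = (Get-ItemProperty -Path $tcpip -Name EnablePMTUDiscovery `
            -ErrorAction SilentlyContinue).EnablePMTUDiscovery
if ($null -eq $pmtu) { "EnablePMTUDiscovery is not set (OS default applies)" }
else                 { "EnablePMTUDiscovery = $pmtu" }

# Probe the Internet path and each tunnel peer (placeholder names).
foreach ($t in 'google.com', 'REMOTE_PEER_A', 'REMOTE_PEER_B') {
    Find-PathMtu -Target $t | Format-List Target, MaxPayload, PathMtu
}
```

A peer whose PathMtu comes out lower than the Internet path, or a probe that never gets a reply at any size, points at a fragmentation or PMTU black hole on that tunnel rather than at the IKE negotiation itself.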