Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 738
  • Last Modified:

vpn clients hang and need to disconnect/reconnect

Not sure if anybody will have any suggestions for this but for max points, maybe someone will...
Here is the setup:

VPN Server: Win2k server (SP4), RRAS, ISA Server 2k Standard (SP2), RainConnect load balancing 2 broadband ISP links.

Clients: Win XP Pro (SP1) connecting from various home cable/DSL setups.  ICS firewall disabled.  They use built in Microsoft VPN client.  Main functionality is Outlook-Exchange connection.

Problem frequency: Intermittently- some days worse than others

Problem: The clients can always work for a while (lets say 10 minutes).  At some point, the clients will still appear in RRAS clients MMC with a status of "connected".  Their connection time will still be ticking but I cannot ping them from the LAN.  They obviously cannot perform any network related tasks as they can't see the network anymore.  They will then disconnect/reconnect the VPN and as soon as they reconnect I can ping them and they are up and running.  The process will then repeat itself...

This issue was not always here and I am trying to figure out what has caused it.  The event log doesn't display anything relevant.
  • 2
1 Solution
Is it possible that RainConnect is improperly balancing VPN connections?  I beleive these type of ISP sharing systems use NAT to change the source ip based on which outbound ISP link is selected.  Perhaps the VPN connections are being moved away from the original ISP link to another ISP link and something is being confused by this.  Perhaps a bug in the RainConnect software?

Of course the best way to track this would be to sniff one of the connections at 2 points:  At the client end (tricky, since the user wont have Netmon installed), at the point where the ISP's connect to your RainConnect Windows Server.  You would want to look for any change in the VPN connection.  Look at the session data, which maintain session state (TCP Port 1723 for PPTP, UDP port 500 for IPSec).  It looks like this is going through ok, hence the "connected" status.  It is likely that although the session is up, the data packets are being dropped.  Look for the data traffic (protocol 47 for PPTP, protocol 50 for IPSec).  I think you'll find that the data traffic packets are being dropped and the control (session) packets are going through.

As for an explaination as to this happening recently, perhaps something has changed in the level of service of one (or both) of the ISP connections that RainConnect is balancing, causing connections to be moved about due to poor performance (or better performance) of an ISP link


jcneil4Author Commented:
That's a definate possibility.  Let me do some testing... I'll post what I find and we'll go from there.
jcneil4Author Commented:
That worked.  I forced all tcp 1723 and GRE to use a single ISP in RainConnect and it seems better to be fixed.
Thanks- I awarded you the points.

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now