SUPER SLOW Internet Explorer performance while connected VPN to Windows RRAS Server

This is a fun one! I have had a paid open support case with Microsoft Support on this issue for the past two months and have received no real answers or solutions to fix this problem. The case is still open but does not seem to be going anywhere, so I turn to the internet community for some real help!

My problem is that internet browsing with Internet Explorer SIGNIFICANTLY SLOWS and HANGS when a Windows XP SP2 VPN connection is established to our office RRAS server (Windows server 2003 or 2000).  The slow down and hanging disappears once the VPN connection is disconnected.  

You may ask, how much of a slow down are we talking about? In gathering logs for Microsoft Support, I performed a test where I brought up the same 4 web sites one after another and waited for the entire page to load and for the status at the bottom of internet explorer to read “Done.”  Browsing to these 4 websites with VPN disconnected took approx 40 seconds to load all 4 sites.  Now, with my VPN connection established, the same 4 websites took right at 5 minutes to load completely.

I can assure that the problem that I am experiencing is not bandwidth related. The remote location connection is a 4MB down 400KB up cable connection.  The connection at the office is a dedicated T1 line.  Neither of these are used to full capacity.  However, another test that I performed also verifies that the problem is not lack of bandwidth.  It also proves that my problem is not related to the extra bandwidth overhead that establishing a VPN connection creates on the client and RRAS server machines.

This test involved using the FireFox browser.  Using FireFox, web pages loaded at the same pace, unlike ie,  both connected or disconnected to VPN.  In fact, (while connected to VPN) I have had Internet Explorer and Firefox opened side by side on the screen and will type in the same web site address on both browsers and hit “Go” at the same time.  Firefox will load the page in a few seconds while Internet Explorer will sit there for up to several minutes trying to render the page and graphics.  I have reported this to MS Support and all they tell me is that it is because IE waits for a response for every request it sends before it loads the next piece of the site whereas Firefox does not require this response.   They also have said, and I quote,  “In Firefox, it will open 14 ports to download data which does not follow the RFC for HTTP 1.0 and HTTP 1.1 In IE we default to the RFC specification.  For HTTP 1.1 it is 2 connections, for HTTP 1.0 it is 4 connections.”  However, they gave me a registry hack that allows IE to open up to 15 port connections and it still did not resolve my problem.

I know that there is a checkbox setting in the VPN client connection properties called “Use default gateway on remote network.”  Contrary to what it seems like it would do, the problem exists whether this box is checked or unchecked.  This is really weird to me because if you have this box unchecked, the internet traffic does not even flow through the vpn connection to get to websites outside of the local network.

Virus scans and adware scans return nothing.  

Ping response times look fine when pinging website addresses through vpn connection.

I could go on and on with details of what has been tried, however I will stop here to get feedback or answer any questions as to additional info needed.

However, a brief scenario of our office and remote networks may be helpful.

Office environment where RRAS server resides:
Dedicated T1 internet connection connected via Cisco 2600 router. The router connects directly to a Sonicwall TZ-170 firewall that performs static NAT mapping to our local 192.168.0.0 office network.  PPTP port is opened up on the Sonicwall and points to the RRAS server.

RRAS server:
P4 Xeon 1GB RAM
Windows Server 2003 Standard edition with Service Pack 1.
Hotfix 898060 Installed.

Domain Controller
P4 Xeon 1GB RAM
Windows Server 2003 Standard edition with Service Pack 1.
Handles AD Integrated DNS, DHCP for RRAS server.
Hotfix 898060 installed.


Remote Environment experiencing problem:
Cable internet 4MB download, 400KB upload.  Connected to Dlink DI-624 router.  Router hands out DHCP 10.0.0.x ip addresses to local Pentium 4 connected client PCs.
Using standard Microsoft Windows XP VPN client to establish VPN connection to remote office RRAS server.

Thank you,
-David
dbwilder911Asked:

bbaoIT ConsultantCommented:
for better understanding to your current network configuration, please post your IPCONFIG /ALL and ROUTE PRINT results BEFORE and AFTER your VPN connected. you may mask some sensitive information (hostname, IP) if you concern about privacy. thanks, bbao
dbwilder911Author Commented:
I hope this text posts correctly to the web without wrapping...looks good in this textbox.  Anyway, below are the IPCONFIG /ALL and Route Print's requested with and without vpn.  The 216.x.x.x address in the last route print is the IP address of the RRAS server.  I did notice that with the vpn connected it listed my dns servers at the office twice...don't know why here but that hopefully is not my problem.
-------------------------------------------------------------------------------------
IPCONFIG NO VPN
Windows IP Configuration
        Host Name . . . . . . . . . . . . : homeclient
        Primary Dns Suffix  . . . . . . . : somewhere.net
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : somewhere.net
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-12-3F-A2-54-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.102
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.0.0.1
        DHCP Server . . . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 10.0.0.1
        Lease Obtained. . . . . . . . . . : Friday, October 21, 2005 8:27:51 AM
        Lease Expires . . . . . . . . . . : Friday, October 28, 2005 8:27:51 AM
-------------------------------------------------------------------------------------
ROUTE PRINT NO VPN
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 12 3f a2 54 01 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0                  0.0.0.0         10.0.0.1      10.0.0.102        20
         10.0.0.0             255.0.0.0       10.0.0.102      10.0.0.102        20
       10.0.0.102      255.255.255.255        127.0.0.1       127.0.0.1        20
   10.255.255.255   255.255.255.255       10.0.0.102      10.0.0.102        20
        127.0.0.0              255.0.0.0        127.0.0.1       127.0.0.1        1
        224.0.0.0              240.0.0.0       10.0.0.102      10.0.0.102        20
  255.255.255.255  255.255.255.255       10.0.0.102      10.0.0.102        1
Default Gateway:          10.0.0.1
===========================================================================
Persistent Routes:
  None
----------------------------------------------------------------------------------------
IPCONFIG WITH VPN
Windows IP Configuration
        Host Name . . . . . . . . . . . . : homeclient
        Primary Dns Suffix  . . . . . . . : somewhere.net
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : somewhere.net
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-12-3F-A2-54-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.102
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.0.0.1
        DHCP Server . . . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 10.0.0.1
        Lease Obtained. . . . . . . . . . : Tuesday, October 18, 2005 3:08:44 PM
        Lease Expires . . . . . . . . . . : Tuesday, October 25, 2005 3:08:44 PM
PPP adapter Office VPN Connection:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.14
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.0.14
        DNS Servers . . . . . . . . . . . : 192.168.0.21
                                            192.168.0.125
                                            192.168.0.21
                                            192.168.0.125
        Primary WINS Server . . . . . . . : 192.168.0.21
----------------------------------------------------------------------------------------
ROUTE PRINT WITH VPN
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 12 3f a2 54 01 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x120004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0                 0.0.0.0         10.0.0.1      10.0.0.102        21
          0.0.0.0               0.0.0.0     192.168.0.14    192.168.0.14        1
         10.0.0.0            255.0.0.0       10.0.0.102      10.0.0.102        20
       10.0.0.102      255.255.255.255        127.0.0.1       127.0.0.1        20
   10.255.255.255   255.255.255.255       10.0.0.102      10.0.0.102        20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0     192.168.0.14    192.168.0.14        1
     192.168.0.14  255.255.255.255        127.0.0.1       127.0.0.1        50
    192.168.0.255  255.255.255.255     192.168.0.14    192.168.0.14        50
   216.x.x.x           255.255.255.255         10.0.0.1      10.0.0.102        20
        224.0.0.0        240.0.0.0       10.0.0.102      10.0.0.102        20
        224.0.0.0        240.0.0.0     192.168.0.14    192.168.0.14        1
  255.255.255.255  255.255.255.255       10.0.0.102      10.0.0.102        1
  255.255.255.255  255.255.255.255     192.168.0.14    192.168.0.14        1
Default Gateway:      192.168.0.14
===========================================================================
Persistent Routes:
  None
-------------------------------------------------------------------------------------
Thanks,
-David

winterfrostCommented:
I would guess that your problem is probably right here:
   Default Gateway:      192.168.0.14

Your VPN connection is configured to "Use default gateway on remote network" so all of your web browsing goes through the tunnel and out through the internet connection on the remote network when it's connected.  Routing problems along the way, the additional overhead from encryption, and/or a slower internet connection being used on the remote network could all be causing slowdowns.

To turn it off open the Properties of the VPN connection, go to the Networking tab, and view TCP/IP Properties.  Click the Advanced button and on the General tab uncheck the checkbox.  This setting is only required if you need to access resources on the remote network which aren't on the same subnet as the VPN server.

bbaoIT ConsultantCommented:
> I would guess that your problem is probably right here: Default Gateway: 192.168.0.14

it is normal. as a WAN (PPP/SLIP) interface, the obtained IP address is same as its default gateway address.
winterfrostCommented:
It may be the "default", but it is not "normal."  The VPN client's default gateway will change only if "Use default gateway on remote network" is checked.

While that option is checked all traffic to non-local subnets (like all web browsing) will be directed across the VPN connection and out through the remote network's default gateway.  Due to all of the reasons I mentioned above, this can potentially make web browsing much slower.

If it is not checked his default gateway will remain the same whether his VPN is connected or not.  Therefore he will still be able to reach any host on the same subnet as the remote network's RAS server, but all of his web browsing traffic will go out through his regular default gateway and surfing speed will not be affected.

The only reason you should be checking "Use default gateway on remote network" is if the resources you are accessing by VPN are not on the same subnet and you must use routers on the remote network to access them.
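
The routing behaviour described in the comment above can be checked mechanically. The following Python sketch is an added example, not part of any post in this thread: it applies longest-prefix match, then lowest metric, to rows copied from the ROUTE PRINT output posted earlier. The destination 203.0.113.10 and the split-tunnel table (VPN default route removed) are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int

# Rows copied from the ROUTE PRINT output posted in this thread (subset).
NO_VPN = """
0.0.0.0      0.0.0.0          10.0.0.1      10.0.0.102    20
10.0.0.0     255.0.0.0        10.0.0.102    10.0.0.102    20
"""
WITH_VPN = """
0.0.0.0      0.0.0.0          10.0.0.1      10.0.0.102    21
0.0.0.0      0.0.0.0          192.168.0.14  192.168.0.14  1
10.0.0.0     255.0.0.0        10.0.0.102    10.0.0.102    20
192.168.0.0  255.255.255.0    192.168.0.14  192.168.0.14  1
216.x.x.x    255.255.255.255  10.0.0.1      10.0.0.102    20
"""
VPN_IF = "192.168.0.14"  # PPP adapter address from the posted IPCONFIG

def parse_routes(text: str) -> List[Route]:
    """Parse 'Active Routes' rows; rows that do not parse are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
            network = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
            routes.append(Route(network, gateway, iface, int(metric)))
        except ValueError:
            continue  # e.g. the masked 216.x.x.x host route to the RRAS server
    return routes

def select_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest prefix wins; ties are broken by the lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))

def egress_interface(routes: List[Route], dest: str) -> Optional[str]:
    route = select_route(routes, dest)
    return route.interface if route else None

def drop_vpn_default(routes: List[Route], vpn_if: str) -> List[Route]:
    """Constructed split-tunnel table: the posted table minus the VPN default
    route, which is what the comment above says unchecking the box yields."""
    return [r for r in routes
            if not (r.network.prefixlen == 0 and r.interface == vpn_if)]

if __name__ == "__main__":
    tables = {
        "no vpn": parse_routes(NO_VPN),
        "vpn, box checked": parse_routes(WITH_VPN),
        "vpn, box unchecked (constructed)":
            drop_vpn_default(parse_routes(WITH_VPN), VPN_IF),
    }
    # 203.0.113.10: constructed internet host; 192.168.0.21: office DNS server
    for name, table in tables.items():
        for dest in ("203.0.113.10", "192.168.0.21"):
            print(f"{name:34} {dest:14} -> {egress_interface(table, dest)}")
```

With the box checked, the metric 1 default route sends internet traffic out the PPP interface; in the constructed split-tunnel table only 192.168.0.0/24 goes through the tunnel.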
bbaoIT ConsultantCommented:
> I know ...  “Use default gateway on remote network.”
> ..., the problem exists whether this box is checked or unchecked.

hi winterfrost, please see above-mentioned sentences in the question.
winterfrostCommented:
I apologize, I completely missed that. :-o
winterfrostCommented:
By the routing configuration you've given it appears that the remote gateway is being used...  Is the checkbox checked or unchecked in the routing examples you have above?
dbwilder911Author Commented:
Hello all,

Thanks for the responses so far.  Winterfrost, you are correct that the routing configuration shown in this post does have the "Use default Gateway on Remote network" checked.  The reason I do use this setting is because I have an Exchange mail server that I use Outlook with and want to resolve its name/IP address locally and not over the public internet due to firewall reasons.

That said, as mentioned, I have tried many times with this setting unchecked and it does the same thing on hanging in internet explorer...really weird I know because it should just bypass the vpn connection for all traffic destined to the rest of the internet outside of our LAN.

I had a conference call with Microsoft Friday afternoon on this.  While I had everybody on the line at once that had been working with me on this, they still were not able to find the root problem yet.  The developer guy that I spoke with said that he thinks the problem is in the way wininet and winsock are talking to one another when the vpn connection is established.  He said that the reason Firefox is not affected while IE is, is because Firefox does not use wininet for accessing the internet.

MS is supposed to create another tool that we can use to capture some more logging information.  I will update here on EE when I know more.  I don't think I mentioned this, but I am not using any proxy servers on the LAN where the RRAS server resides.

Thanks,
-David
bbaoIT ConsultantCommented:
that comment from winterfrost is not the answer, please see the discussions followed up.

> I will update here on EE when I know more.

hi dbwilder911, are you still here with us? any new feedback please?
dbwilder911Author Commented:
Well, actually I just figured this out last week "by chance" on my own.  The culprit was a standard Microsoft Windows XP service called "Remote Access Auto Connection Manager".  I disabled this service and stopped it from starting upon a system reboot.  

After I discovered that this fixed the problem, I told this to the MS Support guy that I was working on the issue with and he drilled down further to figure out "why" this service was indeed causing the slow ie over vpn problem.

He said that the fact that our RRAS server uses a NAT address to access the internet, that this confuses the clients that connect remotely to the RRAS vpn server and start browsing the internet into trying to determine the NETBIOS NODE status of each web server that it is in contact with.  Since NETBIOS is disabled on web servers for security, this would timeout the NETBIOS NODE status request which caused my SUPER SLOW load times on browsing web sites.

Below is quoted exactly what the MS Support guy said...maybe this will make a little more sense.

START QUOTE

"Since your VPN is using NAT to gain access to the Internet the service will attempt to determine Node Status of the machines that it will be connecting.  Since the servers are being directly touched as far as the client computer is concerned the Internet servers are being requested for Node Status, however it is the default recommended action that NETBIOS be disabled on Servers that have direct access to the Internet.

This make sense now.

Since IE has no knowledge of the Internet Connection for the VPN it believes that it is using a Direct Connection and therefore for each DNS Name Resolution the Node Status would be requested.

If I configure IE over the VPN to use a Proxy Server then the only DNS Name Resolutions that occur are to resolve the name of the Proxy Server.
After that all communication is sent directly to the Proxy Server itself to resolve on the Internet."

END QUOTE

Hope this provides some closure to those who were as confused as I was on this issue.  I had literally been working on this problem for a year and several months and had reinstalled OS's, replaced routers, computers, firewalls, etc and nothing would seem to work.

I don't mind giving bbao and winterfrost some points for taking a stab at this but don't want it to look like a post is the solution and it's not.  As this is my first post on EE, is there a way to do this?  

Thanks for the help,
-David



bbaoIT ConsultantCommented:
> I had literally been working on this problem for a year and several months and had reinstalled OS's, replaced routers, computers, firewalls, etc and nothing would seem to work.

you are the one that should be awarded actually, hehe. :))

so please ask the EE moderator to accept your last comment as the answer and get the refund for your excellent contribution on your own question. hehe. :-D

PAQing it should be helpful to all of us. thanks.

regards,
bbao
winterfrostCommented:
Why the web browser would be making any kind of NetBIOS request to a web server baffles me, but... good detective work dbwilder911! :)
dbwilder911Author Commented:
Andy, please accept my last post as the answer as this issue is resolved now.

bbao & winterfrost.  Thanks for taking a stab at this one with me.  I didn't totally understand the NetBIOS issue either, I just know that it was indeed causing the problem when that Remote Connection service was enabled and running.

Thanks all,
-David
DarthModCommented:
PAQed with points (500) refunded

DarthMod
Community Support Moderator
