crazycoonass

VPN client disconnects after 60 seconds.

Client is Windows XP/Pro connecting on VPN (PPTP) to SBS2000 server. Authentication is with Active Domain Remote access.  I have 5 or 6 users connecting from home using the Windows VPN client, authenticating with ID/password in AD.
Everyone works fine, and can remain on as long as they want. (No default time off idle values set).  The issue is only one of the users connects, and is working for 60 seconds then disconnects. (Event20148 in the System Log says user initiated disconnect) but the user did not disconnect.  Every connection by this user is followed by a disconnect after 59-61 seconds. Two weeks ago, she worked from home and was online for 4 hours.  What could have changed?  I am the server admin.  She is the only one having an issue.  I have walked her through delete and rebuild the VPN connection on her PC.  

During testing, from her side, we have turned off, disabled all firewalls.  Whatever allowed her to work 2 weeks ago is obviously gone or not present now.
Rob Williams

You mention "No default time off idle values set". Do you mean on the server end?
There is the possibility the idle time out on the VPN client is set. Best to check that; control panel | network connections | right click on VPN/virtual adapter | Options | Idle time out before hanging up | make sure not set to 1 minute.

Also if the user has a PPPoE Internet connection there are time out periods, but doubtful this would be as short as 60 seconds. If they have a router check the configuration, and as a safety enable "keep alive" and set to 30 seconds.
crazycoonass

ASKER

Yes, Rob, on the server.  On the client side, when setting up the client, made no settings on the idle time.  I will check it however, because I notice the default time between redials is 1 minute, and if someone were poking around could easily set it to both thinking 'never' isn't a good setting. They do have a PPPoE connection, through a Linksys router.  I will set the keep alive to 30 seconds with them and report back.  I've never seen this before, and have set up many VPN connections, with Windows clients, and with proprietary clients at other site.  Thanks for the items to investigate.  
crazycoonass, must say I have never seen it drop after 60 seconds either, but it is an option on the client, as you say if someone was "poking around".  
The Keep alive feature is quite common as a repair for dropped connections, but the connection is not normally dropped in 60 seconds, and not usually so consistently. Shortest time I have seen was minimum of 3 minutes, but 30+ minutes is more common. Regardless, if that were the problem the Keep Alive option protects against the dropped connection.
Let us know how you make out.
--Rob
Rob,
Forgive the two day absence.  The lady was running after school trips, etc.  Yesterday we did get some answers.  The client setting on the VPN client, for 'disconnect when idle' is NEVER.  I changed it to 8 hours, no difference, one minute after authentication, bam! gone.

Also, one test, in thinking of the keep alive with the router, after authentication, I had her start a 'ping -t server-name' which ran flawlessly until, envelope please, 1 minute, then got a time out on ping.

So, what else could be doing this deed?  We turn off all Symantec Internet Security, McAfee Internet firewall security, etc.  It still stops after 60 seconds.  Looking at what I know, the keep-alive traffic (ping) was useless in stopping the shutdown. She is the only user having this issue, so it has to be on her end.  But where?  Frustration level is going to make me up the value here.
Just to confirm there are no time outs set in the user's profile in active directory, and no Radius server with any time out policies ???

Here is one I haven't heard of before. XP client time-out after 55 seconds:
http://support.microsoft.com/?kbid=331816
Rob,
I saw that link when I started down this path.  There is one computer on their 'network' at home, going through a Linksys router.  No special configuration on the router or their desktop.  I had her go through the check for ICS being turned on and it is NOT.

Yes, no AD time out on the user's profile, and no Radius server on campus anywhere.

Her husband keeps the computer updated pretty consistently, so I don't think they are at SP1.  I would be surprised if they were.
I am stumped. Bizarre. Any chance of trying another computer from the same site? possibly even connected directly to the modem, by-passing the router.
Only other thought I have is a software firewall. You mentioned they were disabled, and I don't see why it would disconnect after 60 seconds, rather than blocking the connection, but....if Symantec or Zone Alarm is installed, disabling those two, is often not enough. They need to be un-installed. The other thing that sometimes affects VPNs is Symantec's Virus protection's "Internet worm protection". If installed, try disabling just that feature.
We have disabled Zone Alarm, and McAfee, and connected with the same results.  I don't think there is Symantec installed.  I am getting to the point of making a house call.  The thing that has me stumped is that two or three weeks ago, she was at home and worked for 8 hours on the same computer, through the same router, with no issues.  I suspect an update to Zone or McAfee in between working and not-working.  It may be a couple of days before I can get onsite to get hands on.  
I will return however.
Curious as to how you make out. It is very baffling.
--Rob
Rob,
I got up close and personal with the computer.  Removed some spyware, no viruses, McAfee for virus scan, ZoneA for firewall.  Rebooted, tested, got bumped at 59 seconds. Turned off ZoneA and McA tested, got bumped at 59 seconds.  Rebooted, tested with ZA and McA active.  Connected and was on for 5 minutes.  Disconnected and tested again, Online 59 seconds. Abandoned the testing, to drive home (60min). While on the road, client called and didn't make any changes but got connected.  She would have stayed connected but was fixing supper.  Got off, and tried to connect again, and was bumped at 59 seconds.  

One item to note, when I got connected, with Zone Alarm active, I got a popup from Zone, saying it blocked my connection to the external server.  (huh? I'm connected, what do you mean blocked?) I clicked OK and stayed connected for 5 minutes.  So, I am leaning to remove McAfee, AND Zone Alarm, removing all settings, and test again for a few days.  PC is not used for web surfing or email unless through the office.  I suspect some corruption in the Zone Alarm area since I got a block notice, but was allowed through. (The firewall has the office network configured as a trusted zone, the external IP and the internal office network)

If it works, consistently, then reinstall McAfee virus, test some more.  If still working consistently, reinstall ZoneAlarm and hope for happiness in Houston.  

The link may be idle for a few days, with vacation and time off, but in General Mac's words, "I will return"

Richard
>>"blocked my connection to the external server"
Was it your server? It could be referring to some application looking for updates such as Java, quicktime, Virus app, even Lexmark printers.

Do they just lose the VPN connection or the network connection altogether? Wondering about a physical problem such as a NIC, though unlikely it would be exactly 60sec.
No power management enabled on the NIC is there?
No, the server that it said it was blocking access to was my server's IP at work. (But it didn't block it! I was just authenticated when it popped up)

When it dies, it is at 60 seconds, which is a magic number for the VPN PPTP protocol if I remember right.  No power management on the NIC active that I'm aware of.  The VPN connection is halted right at 60 seconds. (I connect, open DOS window, "ping -t server_at_work" so I can watch the connection.  It dies.  The network connection to the rest of the world is active still. "ping public_server" works after the VPN goes down.)  I hate putting 'geek stuff' on someone's computer, but the thought did cross my mind to put Ethereal down and packet capture the session to see just what is happening.  I've plowed through many Sniffer traces to solve problems in the past.  That might be a better approach before removal of Zone and McAfee.
Ethereal is the right way to go, but it can be time consuming. Then again you have invested a lot of time already. I am very curious as to the ultimate resolution, very odd.
Client will allow another home visitation next week.  I too am curious as to what will fix this.
If you need to close it, then do so.  It is still an open issue for me, and I will return to post the results of continued testing when the employee returns from their weeks of vacation and taking kids back to college next week.  Since it is a home machine that is having the problem, I am limited on testing and access.  The problem is not abandoned, though it may appear to be since I have not had any news to publish.
If this is an ongoing project, I too would love to see it to completion. Interesting problem.
  (for the record crazycoonass, I won't be around much the first couple of weeks of Sept)
If the call is still active then I will wait before actioning. Even if the update is 'still waiting' please add a post before 21 days elapses.

Thanks

Keith
Thanks Keith, I'll check in and update it within 21 days, if not sooner.  The user should be back in the office next week.  Will make sure I get to her house then, if she is agreeable.

RobWill, that's okay, enjoy the time away. This will be here when you return.
Heh, I should stop and see Keith on my way through. Should be there for a couple of nights :-)

Good luck with it crazycoonass.
hey Rob, you're heading for my neck of the world?
I don't know how close, at least your side of the "pond". I am told a couple of days in London and then Italy for a week.
Woo. London is around 30 minutes for me (My base is London's Gatwick Airport)
Shall I wave as I am landing :-)
Suppose this is a little off topic.
Final query before I close this call off. If no response or update is received I will force-accept Rob's answer.

Regards
keith
Thanks Keith.  I am scheduled to be at the client's home this week, and will update this issue after that trip.  I am in North Carolina today, but will be back in Houston later today.  If you can keep it open another 2 days or so, I'll post what I find, and accept Rob's answer. (As if there is another <grin>)

Thanks for your moderation of the forum, and for contributing to keeping EE such a great site.

Richard
I have taken two packet traces, from the same home.  One on my laptop going through their router, which works for longer than 1 minute.  The other on the PC which works for 1 minute and then stops talking.  I am reviewing the traces now, and have some interesting observations.  The PC that stops working, continues to try and talk to the remote server after the session is over.  Since I have only spent 20 minutes looking and comparing the two, I don't have a definite 'conclusion' to post today, but will this week.  

Thanks Keith and Rob for helping with the ideas and what to try next.
Thanks for the update. Let us know what you find out.
--Rob
Stumbled on to this thread as I'm putting in a new "temporary" VPN solution.  And I'm seeing the exact same 60 to 90 seconds drops.  

We put up 2 2003 Server PPTP VPN servers (located in different parts of the country and different IP Schemes).  Each PPTP has its own RADIUS server.  We're using a simple manual DNS change to provide a sort of failover.  We only expect to keep this up and running for about 6 months until it's outsourced.

Windows XP SP2 (fully patched) connects to VPN1.  Everything is great, no issues.  Can stay connected for hours / days.

Then we simulate a failover...  Disconnect from VPN1, and connect to VPN2.  Authentication is successful, and then I start up a rolling ping to say, a mail server.  Pings are rolling until about 60 second mark of the connection.  Once the ping drops, it actually appears the entire TCP stack is dropped.

So then it's time to bust out the Mac OSX.  PPTP switching with the Mac shows NONE of the drop issues.  It can go back and forth from one VPN to the other with no ping loss.  (Exit Server, firewall, and RADIUS issues.)

I'm pretty sure it's a Windows XP TCP/Stack thing, but I haven't been able to isolate it.  We're able to duplicate this issue with Windows XP connecting from around the country / different ISPs.  Maybe it's some kind of low level security thing...  If you wait around 20 to 30 minutes after disconnecting from VPN1 to connect to VPN2 everything works great.  Reboot doesn't solve the problem either...  It's a strange one.
Feels better to know you are not alone doesn't it. :-)
If you are willing to spend the money, might be worth a call to Microsoft. They will stay on it until resolved.
I've taken yet another packet capture, and of course, wouldn't you know it, capturing from the server AND the desktop to get both sides of the problem recorded, would be the time that the problem disappears.  If it is a TCP/IP stack issue, I may just delete/reinstall the stack and see what happens there.  The issue is not seen anywhere else from users working from home.  The fact that the problem is intermittent is very frustrating.  Made some changes (delete/rebuild the VPN connection) on the home machine, tested, and it was working. So, attempt to prove to the employee, that it is fixed, and I can head out, only to find that after 60 seconds, boom, no packets flow.  (with or without AV and firewall on !)  

I will try the new stack approach.  I may just whack the DHCP stuff in the stack and see if that fixes it first, since the IP is a DHCP provided address from the server connection, and some viruses have toyed with this stuff in the past. (Not that I am aware of on this PC however)

Thank you Justin for the input, and sharing your issue as well.  Rob, it is sounding better and better to perhaps give up some coins for access to the high priests of M$oft.

It isn't over yet...
It is actually quite a bizarre problem. Sorry earlier I was thinking you, crazycoonass, rather than justinivey posted the info.
Very curious as to the ultimate solution.
That will be fine.  Accept RobWill's solution.  

As a further note, I did the Microsoft remove TCP/IP stack (as much as you can in the XP environment) and let it rebuild itself.  Same results. (60 seconds, then gone)  Since it is her and her husband's personal PC, I am not going to reload or spend any other time on it, but give her a laptop to take home and use.  

It is indeed a perplexing issue.