Solved

VPN client disconnects after 60 seconds.

Posted on 2006-07-10
Last Modified: 2011-08-18
Client is Windows XP/Pro connecting on VPN (PPTP) to SBS2000 server. Authentication is with Active Domain Remote access.  I have 5 or 6 users connecting from home using the Windows VPN client, authenticating with ID/password in AD.
Everyone works fine, and can remain on as long as they want. (No default time off idle values set).  The issue is only one of the users connects, and is working for 60 seconds then disconnects. (Event20148 in the System Log says user initiated disconnect) but the user did not disconnect.  Every connection by this user is followed by a disconnect after 59-61 seconds. Two weeks ago, she worked from home and was online for 4 hours.  What could have changed?  I am the server admin.  She is the only one having an issue.  I have walked her through delete and rebuild the VPN connection on her PC.  

During testing, from her side, we have turned off, disabled all firewalls.  Whatever allowed her to work 2 weeks ago is obviously gone or not present now.
Question by:crazycoonass
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17077561
You mention "No default time off idle values set". Do you mean on the server end?
There is the possibility the idle time out on the VPN client is set. Best to check that; control panel | network connections | right click on VPN/virtual adapter | Options | Idle time out before hanging up | make sure not set to 1 minute.

Also if the user has a PPPoE Internet connection there are time out periods, but doubtful this would be as short as 60 seconds. If they have a router check the configuration, and as a safety enable "keep alive" and set to 30 seconds.
0
 

Author Comment

by:crazycoonass
ID: 17081745
Yes, Rob, on the server.  On the client side, when setting up the client, made no settings on the idle time.  I will check it however, because I notice the default time between redials is 1 minute, and if someone were poking around could easily set it to both thinking 'never' isn't a good setting. They do have a PPPoE connection, through a Linksys router.  I will set the keep alive to 30 seconds with them and report back.  I've never seen this before, and have set up many VPN connections, with Windows clients, and with proprietary clients at other sites.  Thanks for the items to investigate.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17083634
crazycoonass, must say I have never seen it drop after 60 seconds either, but it is an option on the client, as you say if someone was "poking around".
The Keep alive feature is quite common as a repair for dropped connections, but the connection is not normally dropped in 60 seconds, and not usually so consistently. Shortest time I have seen was minimum of 3 minutes, but 30+ minutes is more common. Regardless, if that were the problem the Keep Alive option protects against the dropped connection.
Let us know how you make out.
--Rob
0
 

Author Comment

by:crazycoonass
ID: 17103597
Rob,
Forgive the two day absence.  The lady was running after school trips, etc.  Yesterday we did get some answers.  The client setting on the VPN client, for 'disconnect when idle' is NEVER.  I changed it to 8 hours, no difference, one minute after authentication, bam! gone.

Also, one test, in thinking of the keep alive with the router, after authentication, I had her start a 'ping -t server-name' which ran flawlessly until, envelope please, 1 minute, then got a time out on ping.

So, what else could be doing this deed?  We turn off all Symantec Internet Security, McAfee Internet firewall security, etc.  It still stops after 60 seconds.  Looking at what I know, the keep-alive traffic (ping) was useless in stopping the shutdown. She is the only user having this issue, so it has to be on her end.  But where?  Frustration level is going to make me up the value here.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17104990
Just to confirm there are no time outs set in the user's profile in active directory, and no Radius server with any time out policies ???

Here is one I haven't heard of before. XP client time-out after 55 seconds:
http://support.microsoft.com/?kbid=331816
0
 

Author Comment

by:crazycoonass
ID: 17131680
Rob,
I saw that link when I started down this path.  There is one computer on their 'network' at home, going through a Linksys router.  No special configuration on the router or their desktop.  I had her go through the check for ICS being turned on and it is NOT.

Yes, no AD time out on the user's profile, and no Radius server on campus anywhere.

Her husband keeps the computer updated pretty consistently, so I don't think they are at SP1.  I would be surprised if they were.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17131926
I am stumped. Bizarre. Any chance of trying another computer from the same site? possibly even connected directly to the modem, by-passing the router.
Only other thought I have is a software firewall. You mentioned they were disabled, and I don't see why it would disconnect after 60 seconds, rather than blocking the connection, but....if Symantec or Zone Alarm is installed, disabling those two is often not enough. They need to be un-installed. The other thing that sometimes affects VPNs is Symantec's Virus protection's "Internet worm protection". If installed, try disabling just that feature.
0
 

Author Comment

by:crazycoonass
ID: 17132838
We have disabled Zone Alarm, and McAfee, and connected with the same results.  I don't think there is Symantec installed.  I am getting to the point of making a house call.  The thing that has me stumped is that two or three weeks ago, she was at home and worked for 8 hours on the same computer, through the same router, with no issues.  I suspect an update to Zone or McAfee in between working and not-working.  It may be a couple of days before I can get onsite to get hands on.  
I will return however.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17134391
Curious as to how you make out. It is very baffling.
--Rob
0
 

Author Comment

by:crazycoonass
ID: 17147706
Rob,
I got up close and personal with the computer.  Removed some spyware, no viruses, McAfee for virus scan, ZoneA for firewall.  Rebooted, tested, got bumped at 59 seconds. Turned off ZoneA and McA, tested, got bumped at 59 seconds.  Rebooted, tested with ZA and McA active.  Connected and was on for 5 minutes.  Disconnected and tested again, online 59 seconds. Abandoned the testing, to drive home (60min). While on the road, client called and didn't make any changes but got connected.  She would have stayed connected but was fixing supper.  Got off, and tried to connect again, and was bumped at 59 seconds.

One item to note, when I got connected, with Zone Alarm active, I got a popup from Zone, saying it blocked my connection to the external server.  (huh? I'm connected, what do you mean blocked?) I clicked OK and stayed connected for 5 minutes.  So, I am leaning to remove McAfee, AND Zone Alarm, removing all settings, and test again for a few days.  PC is not used for web surfing or email unless through the office.  I suspect some corruption in the Zone Alarm area since I got a block notice, but was allowed through. (The firewall has the office network configured as a trusted zone, the external IP and the internal office network)

If it works, consistently, then reinstall McAfee virus, test some more.  If still working consistently, reinstall ZoneAlarm and hope for happiness in Houston.  

The link may be idle for a few days, with vacation and time off, but in General Mac's words, "I will return"

Richard
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17147776
>>"blocked my connection to the external server"
Was it your server? It could be referring to some application looking for updates such as Java, quicktime, Virus app, even Lexmark printers.

Do they just lose the VPN connection or the network connection altogether? Wondering about a physical problem such as a NIC, though unlikely it would be exactly 60sec.
No power management enabled on the NIC is there?
0
 

Author Comment

by:crazycoonass
ID: 17147917
No, the server that it said it was blocking access to was my server's IP at work. (But it didn't block it! I was just authenticated when it popped up)

When it dies, it is at 60 seconds, which is a magic number for the VPN PPTP protocol if I remember right.  No power management on the NIC active that I'm aware of.  The VPN connection is halted right at 60 seconds. (I connect, open DOS window, "ping -t server_at_work" so I can watch the connection.  It dies.  The network connection to the rest of the world is active still. "ping public_server" works after the VPN goes down.)  I hate putting 'geek stuff' on someone's computer, but the thought did cross my mind to put Ethereal down and packet capture the session to see just what is happening.  I've plowed through many Sniffer traces to solve problems in the past.  That might be a better approach before removal of Zone and McAfee.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17148010
Ethereal is the right way to go, but it can be time consuming. Then again you have invested a lot of time already. I am very curious as to the ultimate resolution, very odd.
0
 

Author Comment

by:crazycoonass
ID: 17148171
Client will allow another home visitation next week.  I too am curious as to what will fix this.
0
 

Author Comment

by:crazycoonass
ID: 17372776
If you need to close it, then do so.  It is still an open issue for me, and I will return to post the results of continued testing when the employee returns from their weeks of vacation and taking kids back to college next week.  Since it is a home machine that is having the problem, I am limited on testing and access.  The problem is not abandoned, though it may appear to be since I have not had any news to publish.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17372837
If this is an ongoing project, I too would love to see it to completion. Interesting problem.
  (for the record crazycoonass, I won't be around much the first couple of weeks of Sept)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17375021
If the call is still active then I will wait before actioning. Even if the update is 'still waiting' please add a post before 21 days elapses.

Thanks

Keith
0
 

Author Comment

by:crazycoonass
ID: 17375053
Thanks Keith, I'll check in and update it within 21 days, if not sooner.  The user should be back in the office next week.  Will make sure I get to her house then, if she is agreeable.

RobWill, that's okay, enjoy the time away. This will be here when you return.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17375062
:)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17376631
Heh, I should stop and see Keith on my way through. Should be there for a couple of nights :-)

Good luck with it crazycoonass.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17376686
hey Rob, you're heading for my neck of the world?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17376905
I don't know how close, at least your side of the "pond". I am told a couple of days in London and then Italy for a week.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17377193
Woo. London is around 30 minutes for me (My base is London's Gatwick Airport)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17377226
Shall I wave as I am landing :-)
Suppose this is a little off topic.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17488943
Final query before I close this call off. If no response or update is received I will force-accept Rob's answer.

Regards
keith
0
 

Author Comment

by:crazycoonass
ID: 17494893
Thanks Keith.  I am scheduled to be at the client's home this week, and will update this issue after that trip.  I am in North Carolina today, but will be back in Houston later today.  If you can keep it open another 2 days or so, I'll post what I find, and accept Rob's answer. (As if there is another <grin>)

Thanks for your moderation of the forum, and for contributing to keeping EE such a great site.

Richard
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17496374
:)
0
 

Author Comment

by:crazycoonass
ID: 17544339
I have taken two packet traces, from the same home.  One on my laptop going through their router, which works for longer than 1 minute.  The other on the PC which works for 1 minute and then stops talking.  I am reviewing the traces now, and have some interesting observations.  The PC that stops working continues to try and talk to the remote server after the session is over.  Since I have only spent 20 minutes looking and comparing the two, I don't have a definite 'conclusion' to post today, but will this week.

Thanks Keith and Rob for helping with the ideas and what to try next.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17545666
:)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17548579
Thanks for the update. Let us know what you find out.
--Rob
0
 

Expert Comment

by:justinivey
ID: 17628217
Stumbled on to this thread as I'm putting in a new "temporary" VPN solution.  And I'm seeing the exact same 60 to 90 seconds drops.  

We put up 2 2003 Server PPTP VPN servers (located in different parts of the country and different IP Schemes).  Each PPTP has its own RADIUS server.  We're using a simple manual DNS change to provide a sort of failover.  We only expect to keep this up and running for about 6 months until it's outsourced.

Windows XP SP2 (fully patched) connects to VPN1.  Everything is great, no issues.  Can stay connected for hours / days.

Then we simulate a failover...  Disconnect from VPN1, and connect to VPN2.  Authentication is successful, and then I start up a rolling ping to say, a mail server.  Pings are rolling until about 60 second mark of the connection.  Once the ping drops, it actually appears the entire TCP stack is dropped.

So then it's time to bust out the Mac OSX.  PPTP switching with the Mac shows NONE of the drop issues.  It can go back and forth from one VPN to the other with no ping loss.  (Exit Server, firewall, and RADIUS issues.)

I'm pretty sure it's a Windows XP TCP/Stack thing, but I haven't been able to isolate it.  We're able to duplicate this issue with Windows XP connecting from around the country / different ISPs.  Maybe it's some kind of low level security thing...  If you wait around 20 to 30 minutes after disconnecting from VPN1 to connect to VPN2 everything works great.  Reboot doesn't solve the problem either...  It's a strange one.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17628320
Feels better to know you are not alone doesn't it. :-)
If you are willing to spend the money, might be worth a call to Microsoft. They will stay on it until resolved.
0
 

Author Comment

by:crazycoonass
ID: 17628611
I've taken yet another packet capture, and of course, wouldn't you know it, capturing from the server AND the desktop to get both sides of the problem recorded would be the time that the problem disappears.  If it is a TCP/IP stack issue, I may just delete/reinstall the stack and see what happens there.  The issue is not seen anywhere else from users working from home.  The fact that the problem is intermittent is very frustrating.  Made some changes (delete/rebuild the VPN connection) on the home machine, tested, and it was working. So, attempt to prove to the employee that it is fixed, and I can head out, only to find that after 60 seconds, boom, no packets flow.  (with or without AV and firewall on !)

I will try the new stack approach.  I may just whack the DHCP stuff in the stack and see if that fixes it first, since the IP is a DHCP provided address from the server connection, and some viruses have toyed with this stuff in the past. (Not that I am aware of on this PC however)

Thank you Justin for the input, and sharing your issue as well.  Rob, it is sounding better and better to perhaps give up some coins for access to the high priests of M$oft.

It isn't over yet...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17628666
It is actually quite a bizarre problem. Sorry earlier I was thinking you, crazycoonass, rather than justinivey posted the info.
Very curious as to the ultimate solution.
0
 

Author Comment

by:crazycoonass
ID: 17740139
That will be fine.  Accept RobWill's solution.

As a further note, I did the Microsoft remove TCP/IP stack (as much as you can in the XP environment) and let it rebuild itself.  Same results. (60 seconds, then gone)  Since it is her and her husband's personal PC, I am not going to reload or spend any other time on it, but give her a laptop to take home and use.

It is indeed a perplexing issue.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 350 total points
ID: 17740421
Thanks crazycoonass.
Very bizarre.
--Rob
0
