Solved

VPN Continues to time out and drop...

Posted on 2006-11-02
Last Modified: 2008-01-09
This is the log....and at the end is where it times out and drops :(  I'm using a ZyWall 2 PLUS with the SafeNet client.  This problem was happening with a Buffalo Secure Gateway as well and it's driving me nuts!!

Thanks guys!

11-02: 22:48:03.578 My Connections\nationscr - RECEIVED<<< ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
11-02: 22:48:03.578 My Connections\nationscr - Using cached address.  (Hostname=nationscr.dyndns.org) (IP ADDR=67.81.88.57)
11-02: 22:48:03.578 My Connections\nationscr - Established IKE SA
11-02: 22:48:03.578    MY COOKIE 95 9d f7 4c f2 5f 11 80
11-02: 22:48:03.578    HIS COOKIE 68 41 c d5 cc ad d0 8a
11-02: 22:48:03.578 My Connections\nationscr - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 22:48:08.171 My Connections\nationscr - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 22:48:08.203 My Connections\nationscr - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 22:48:08.203 My Connections\nationscr - IKE Extended Authentication successful.
11-02: 22:48:08.203 My Connections\nationscr - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 22:48:08.296
11-02: 22:48:08.296 My Connections\nationscr - Initiating IKE Phase 2 with Client IDs (message id: 50EF4C57)
11-02: 22:48:08.296 My Connections\nationscr -   Initiator = IP ADDR=192.168.11.151, prot = 0 port = 0
11-02: 22:48:08.296 My Connections\nationscr -   Responder = IP SUBNET/MASK=192.168.24.0/255.255.255.0, prot = 0 port = 0
11-02: 22:48:08.296 My Connections\nationscr - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
11-02: 22:48:08.312 My Connections\nationscr - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
11-02: 22:48:08.312 My Connections\nationscr - Filter entry 3: SECURE  192.168.011.151&255.255.255.255  192.168.024.000&255.255.255.000  DNS.DNS.DNS.DNS added.
11-02: 22:48:08.312 My Connections\nationscr - SENDING>>>> ISAKMP OAK QM *(HASH)
11-02: 22:48:08.312 My Connections\nationscr - Loading IPSec SA (Message ID = 50EF4C57 OUTBOUND SPI = 37EB5989 INBOUND SPI = B94D6C48)
11-02: 22:48:08.312
11-02: 22:59:08.812 My Connections\nationscr - Disconnecting IPSec SA
11-02: 22:59:08.812 My Connections\nationscr - Deleting IPSec SA (OUTBOUND SPI = 37EB5989 INBOUND SPI = B94D6C48)
11-02: 22:59:08.812 My Connections\nationscr - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
11-02: 22:59:08.812 My Connections\nationscr - Disconnecting IKE SA negotiation
11-02: 22:59:08.812 My Connections\nationscr - Deleting IKE SA (IP ADDR=67.81.88.57)
11-02: 22:59:08.812    MY COOKIE 95 9d f7 4c f2 5f 11 80
11-02: 22:59:08.812    HIS COOKIE 68 41 c d5 cc ad d0 8a
11-02: 22:59:08.843 My Connections\nationscr - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
11-02: 22:59:08.843 My Connections\nationscr - Filter entry 3: SECURE  192.168.011.151&255.255.255.255  192.168.024.000&255.255.255.000  DNS.DNS.DNS.DNS removed.
11-02: 22:59:13.796 My Connections\nationscr - Attempting to resolve Hostname (nationscr.dyndns.org)
11-02: 22:59:13.875
11-02: 22:59:13.875 My Connections\nationscr - Initiating IKE Phase 1 (Hostname=nationscr.dyndns.org) (IP ADDR=67.81.88.57)
11-02: 22:59:13.875 My Connections\nationscr - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
11-02: 22:59:14.046 My Connections\nationscr - RECEIVED<<< ISAKMP OAK MM (SA, VID 2x)
11-02: 22:59:14.140 My Connections\nationscr - Peer supports Dead Peer Detection Version 0.0
11-02: 22:59:14.140 My Connections\nationscr - Dead Peer Detection disabled
11-02: 22:59:14.234 My Connections\nationscr - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 3x)
11-02: 22:59:14.421 My Connections\nationscr - RECEIVED<<< ISAKMP OAK MM (KE, NON)
11-02: 22:59:14.515 My Connections\nationscr - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
11-02: 22:59:14.531 My Connections\nationscr - RECEIVED<<< ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
11-02: 22:59:14.531 My Connections\nationscr - Using cached address.  (Hostname=nationscr.dyndns.org) (IP ADDR=67.81.88.57)
11-02: 22:59:14.531 My Connections\nationscr - Established IKE SA
11-02: 22:59:14.531    MY COOKIE c9 dc 25 64 be 13 a2 64
11-02: 22:59:14.531    HIS COOKIE b4 7d db 96 9e a 36 91
11-02: 22:59:14.531 My Connections\nationscr - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 22:59:18.515 My Connections\nationscr - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 22:59:18.531 My Connections\nationscr - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 22:59:18.531 My Connections\nationscr - IKE Extended Authentication successful.
11-02: 22:59:18.531 My Connections\nationscr - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 22:59:18.625
11-02: 22:59:18.625 My Connections\nationscr - Initiating IKE Phase 2 with Client IDs (message id: 29076C7C)
11-02: 22:59:18.625 My Connections\nationscr -   Initiator = IP ADDR=192.168.11.151, prot = 0 port = 0
11-02: 22:59:18.625 My Connections\nationscr -   Responder = IP SUBNET/MASK=192.168.24.0/255.255.255.0, prot = 0 port = 0
11-02: 22:59:18.625 My Connections\nationscr - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
11-02: 22:59:18.640 My Connections\nationscr - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
11-02: 22:59:18.640 My Connections\nationscr - Filter entry 4: SECURE  192.168.011.151&255.255.255.255  192.168.024.000&255.255.255.000  DNS.DNS.DNS.DNS added.
11-02: 22:59:18.640 My Connections\nationscr - SENDING>>>> ISAKMP OAK QM *(HASH)
11-02: 22:59:18.640 My Connections\nationscr - Loading IPSec SA (Message ID = 29076C7C OUTBOUND SPI = DCA9A23C INBOUND SPI = F81DA711)
11-02: 22:59:18.640
11-02: 23:02:05.781 My Connections\nationscr - Disconnecting IPSec SA
11-02: 23:02:05.781 My Connections\nationscr - Deleting IPSec SA (OUTBOUND SPI = DCA9A23C INBOUND SPI = F81DA711)
11-02: 23:02:05.781 My Connections\nationscr - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
11-02: 23:02:05.781 My Connections\nationscr - Disconnecting IKE SA negotiation
11-02: 23:02:05.781 My Connections\nationscr - Deleting IKE SA (IP ADDR=67.81.88.57)
11-02: 23:02:05.781    MY COOKIE c9 dc 25 64 be 13 a2 64
11-02: 23:02:05.781    HIS COOKIE b4 7d db 96 9e a 36 91
11-02: 23:02:05.812 My Connections\nationscr - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
11-02: 23:02:05.812 My Connections\nationscr - Filter entry 4: SECURE  192.168.011.151&255.255.255.255  192.168.024.000&255.255.255.000  DNS.DNS.DNS.DNS removed.
11-02: 23:02:05.828 NO MATCHING SECURE CONNECTION - RECEIVED<<< ISAKMP OAK INFO *(Opaque)
11-02: 23:02:05.828 NO MATCHING SECURE CONNECTION - Received message for non-active SA
11-02: 23:02:11.671 My Connections\nationscr - Attempting to resolve Hostname (nationscr.dyndns.org)
11-02: 23:02:11.750
11-02: 23:02:11.750 My Connections\nationscr - Initiating IKE Phase 1 (Hostname=nationscr.dyndns.org) (IP ADDR=67.81.88.57)
11-02: 23:02:11.750 My Connections\nationscr - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
11-02: 23:02:11.921 My Connections\nationscr - RECEIVED<<< ISAKMP OAK MM (SA, VID 2x)
11-02: 23:02:12.031 My Connections\nationscr - Peer supports Dead Peer Detection Version 0.0
11-02: 23:02:12.031 My Connections\nationscr - Dead Peer Detection disabled
11-02: 23:02:12.109 My Connections\nationscr - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 3x)
11-02: 23:02:12.312 My Connections\nationscr - RECEIVED<<< ISAKMP OAK MM (KE, NON)
11-02: 23:02:12.390 My Connections\nationscr - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
11-02: 23:02:12.421 My Connections\nationscr - RECEIVED<<< ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
11-02: 23:02:12.421 My Connections\nationscr - Using cached address.  (Hostname=nationscr.dyndns.org) (IP ADDR=67.81.88.57)
11-02: 23:02:12.421 My Connections\nationscr - Established IKE SA
11-02: 23:02:12.421    MY COOKIE e0 29 a3 4a e 70 e7 58
11-02: 23:02:12.421    HIS COOKIE 91 3d 80 23 ff 45 4e 7
11-02: 23:02:12.421 My Connections\nationscr - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 23:02:16.000 My Connections\nationscr - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 23:02:16.015 My Connections\nationscr - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 23:02:16.015 My Connections\nationscr - IKE Extended Authentication successful.
11-02: 23:02:16.031 My Connections\nationscr - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
11-02: 23:02:16.109
11-02: 23:02:16.109 My Connections\nationscr - Initiating IKE Phase 2 with Client IDs (message id: 3A36955E)
11-02: 23:02:16.109 My Connections\nationscr -   Initiator = IP ADDR=192.168.11.151, prot = 0 port = 0
11-02: 23:02:16.109 My Connections\nationscr -   Responder = IP SUBNET/MASK=192.168.24.0/255.255.255.0, prot = 0 port = 0
11-02: 23:02:16.109 My Connections\nationscr - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
11-02: 23:02:16.125 My Connections\nationscr - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
11-02: 23:02:16.125 My Connections\nationscr - Filter entry 5: SECURE  192.168.011.151&255.255.255.255  192.168.024.000&255.255.255.000  DNS.DNS.DNS.DNS added.
11-02: 23:02:16.125 My Connections\nationscr - SENDING>>>> ISAKMP OAK QM *(HASH)
11-02: 23:02:16.125 My Connections\nationscr - Loading IPSec SA (Message ID = 3A36955E OUTBOUND SPI = ADF2CB38 INBOUND SPI = 3AC31151)
11-02: 23:02:16.125
Question by:NJ_CONSULTANT
11 Comments
 
LVL 77

Expert Comment

by:Rob Williams
I am assuming you can establish a working connection, but then after a period of time it drops the connection?
Do all users get dropped?
Is there any consistency as to how long before the connection is dropped?
I noticed in the log above "Dead Peer Detection disabled". There should be an option to enable this. It will help with disconnects.
0
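Added example (not part of the original thread): one way to answer the "any consistency" question from the client log itself, by pairing each "Loading IPSec SA" line with the matching "Deleting IPSec SA" line by outbound SPI and counting the "Dead Peer Detection disabled" notices. The log lines are copied from the question; the year is not in the log and is assumed from the post date.

```python
import re
from datetime import datetime

# Lines copied from the client log in the question, trimmed to the events used here.
LOG = r"""
11-02: 22:48:08.312 My Connections\nationscr - Loading IPSec SA (Message ID = 50EF4C57 OUTBOUND SPI = 37EB5989 INBOUND SPI = B94D6C48)
11-02: 22:59:08.812 My Connections\nationscr - Deleting IPSec SA (OUTBOUND SPI = 37EB5989 INBOUND SPI = B94D6C48)
11-02: 22:59:14.140 My Connections\nationscr - Dead Peer Detection disabled
11-02: 22:59:18.640 My Connections\nationscr - Loading IPSec SA (Message ID = 29076C7C OUTBOUND SPI = DCA9A23C INBOUND SPI = F81DA711)
11-02: 23:02:05.781 My Connections\nationscr - Deleting IPSec SA (OUTBOUND SPI = DCA9A23C INBOUND SPI = F81DA711)
11-02: 23:02:12.031 My Connections\nationscr - Dead Peer Detection disabled
11-02: 23:02:16.125 My Connections\nationscr - Loading IPSec SA (Message ID = 3A36955E OUTBOUND SPI = ADF2CB38 INBOUND SPI = 3AC31151)
"""

LINE = re.compile(r"^(\d\d-\d\d): (\d\d:\d\d:\d\d\.\d{3})\s+(.*)$")
SA_EVENT = re.compile(r"(Loading|Deleting) IPSec SA .*OUTBOUND SPI = ([0-9A-F]+)")


def analyze(log, year=2006):
    """Return (closed tunnels as (spi, seconds), SPIs still up, DPD-disabled count)."""
    loaded, closed, dpd_disabled = {}, [], 0
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The log carries no year; 2006 comes from the post date (assumption).
        when = datetime.strptime(f"{year}-{m[1]} {m[2]}", "%Y-%m-%d %H:%M:%S.%f")
        if "Dead Peer Detection disabled" in m[3]:
            dpd_disabled += 1
        event = SA_EVENT.search(m[3])
        if not event:
            continue
        action, spi = event.groups()
        if action == "Loading":
            loaded[spi] = when          # tunnel came up
        elif spi in loaded:
            closed.append((spi, (when - loaded.pop(spi)).total_seconds()))
    return closed, sorted(loaded), dpd_disabled


if __name__ == "__main__":
    closed, still_up, dpd_disabled = analyze(LOG)
    for spi, seconds in closed:
        print(f"SPI {spi}: tunnel lasted {seconds:.1f} s")
    print("still up:", still_up, "| DPD disabled seen:", dpd_disabled)
```

On the posted log the first tunnel lasts 660.5 s and the second 167.1 s.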
 

Author Comment

by:NJ_CONSULTANT
Some of the users do and some don't.  It's strange because if I run a continuous ping to the host machine it will run for hours and hours....as soon as I start transferring any files thru a mapped drive or use a remote takeover such as pcAnywhere....it takes up to 10min to time out and drop the connection.

I will look into enabling the "Dead Peer Detection" and see if it makes a difference.

thanks.
0
 
LVL 77

Expert Comment

by:Rob Williams
I know this was discussed with your Buffalo, but MTU can often be the source of disconnects when they occur during copying of large files. If interested in "tinkering" try dropping to 1300 (default is 1500 or auto) and see if there is any improvement. Change it on the connecting PC using Dr TCP and on that client's local router.
http://www.dslreports.com/drtcp

Check for any other "keep alive" options on the router as well. However "keep alive" should not be the cause of the problem if the disconnect occurs during a file transfer. That really only affects idle connections.
0
 

Author Comment

by:NJ_CONSULTANT
Okay....I'm at 1430 right now and I believe I tried 1300 but will give it a shot again.....why would this have to be adjusted....? Is it the role of the ISP's link that affects MTU packet sizes??

thanks again
0
 
LVL 77

Expert Comment

by:Rob Williams
Has to do with packet fragmentation, usually due to slightly degraded or slower connections. I have seen it even have to be adjusted on a LAN, but that is extremely rare. A couple of links outlining the issue:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
How to test for optimum MTU size, though not truly accurate with VPNs as there is additional "overhead".
http://www.dslreports.com/faq/5793

For test purposes you can drop it as low as you want. Dial-up connections actually use 576. I have had total loss of connection sometimes, if I go too low. PPTP VPNs require 1430 or less, but I have never seen a reduced requirement with IPSec VPNs such as yours.
0
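Added example (not part of the original thread): the "additional overhead" worked through for IPsec ESP in tunnel mode, giving the largest inner packet that fits in one ESP packet for each link MTU mentioned in the thread. The thread does not say which transform the ZyWALL and the SafeNet client negotiated, so the two cipher entries and the NAT-T option are assumptions.

```python
# ESP tunnel-mode sizes in bytes. Cipher choice is an assumption; the thread
# does not state the negotiated transform. HMAC-MD5-96 and HMAC-SHA1-96 both
# produce a 12-byte integrity check value (ICV).
TRANSFORMS = {
    "3DES-CBC + HMAC-96": {"block": 8, "iv": 8},
    "AES-CBC + HMAC-96": {"block": 16, "iv": 16},
}
OUTER_IP, UDP_NAT_T, ESP_HEADER, ESP_TRAILER, ICV = 20, 8, 8, 2, 12


def max_inner_packet(link_mtu, block, iv, nat_t=False):
    """Largest inner IP packet that fits in one unfragmented ESP tunnel packet."""
    outer = OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HEADER
    room = link_mtu - outer - iv - ICV       # bytes left for the encrypted part
    if room < block:
        raise ValueError("link MTU too small for this ESP transform")
    encrypted = room - room % block          # ciphertext is whole cipher blocks
    return encrypted - ESP_TRAILER           # pad-length and next-header bytes


def tcp_mss(inner_packet):
    """TCP payload per packet: inner IPv4 header (20) and TCP header (20) removed."""
    return inner_packet - 40


if __name__ == "__main__":
    for mtu in (1500, 1430, 1300, 1200):     # link MTU values tried in the thread
        for name, t in TRANSFORMS.items():
            for nat_t in (False, True):
                inner = max_inner_packet(mtu, t["block"], t["iv"], nat_t)
                print(f"link MTU {mtu}  {name:<19} NAT-T={nat_t!s:<5} "
                      f"inner packet <= {inner}  TCP MSS <= {tcp_mss(inner)}")
```

An inner packet larger than the printed limit has to be fragmented before or after encryption, which is the condition the MTU "tinkering" is trying to avoid.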
 

Author Comment

by:NJ_CONSULTANT
Okay, I lowered my MTU to 1200 and still it disconnects...I'm only doing this on the client side, correct?

I don't understand why this is happening, it's killing me...I really need this to work. :(

I'm changing the MTU on my NIC but when I connect it creates the PPP Adapter...does that virtual adapter adopt the MTU settings from my NIC?

I spoke to a friend who deals with VPNs a lot and he says that the MTU should be auto negotiated when connected....maybe Buffalo and ZyXel don't have this feature...what do you think??

I called my ISP and he says there are thousands of people using VPN on their network yada yada yada.....my speed is 7 down and 1mb up

Can I just hire you to figure this out?? :)

Thanks again for your efforts!
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"I'm changing the MTU on my NIC but when I connect it creates the PPP Adapter...does that virtual adapter adopt the MTU settings from my NIC?"
You should use the Dr TCP tool which should affect all Ethernet adapters in the PC.
http://www.dslreports.com/drtcp
It's also a good idea to change it on the router at the client site.

>>"he says that the MTU should be auto negotiated when connected"
Correct.  However with some problematic systems it is one area where "tinkering" can occasionally resolve dropped connections, as per:
http://www.chicagotech.net/vpnissues/vpndorp1.htm

Dropped connections can be a few things, but where yours seems to drop when increasing the load, by using other services or transferring files, it is most often MTU. Are you able to try the same equipment at a different site?


0
 

Author Comment

by:NJ_CONSULTANT
The resolution was this...

This worked with a more expensive VPN device (SonicWALL).  The Buffalo VPN router would not work along with another less expensive solution such as ZyXEL 2 PLUS.  Both would not work with my ISP with very frequent drops.  Once replaced with a SonicWALL...worked like a champ and has been working for months now.  Some customers had the same problem I experienced with other ISPs and others didn't.  I guess the backbones of certain ISPs are more sensitive??...not sure what the answer to that is.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin
0
