

RD Connections lost using FortiClient VPN with IPSec

Posted on 2007-11-14
Medium Priority
Last Modified: 2013-11-21
I work for a small company that has various users spread geographically across the country. They all use PCs running WinXP (one using Vista) and usually using a wireless connection for Internet access. We have an Exchange 2003 server and a Terminal Server running Server 2003.
Users acquire an Internet connection, connect to our VPN using FortiClient 3.0 software through our FortiNet appliance. Then each user connects to the TS via Remote Desktop Connection.
The users are connecting (when able to establish a wireless connection) most often from hotel networks, coffee shops, corporate client sites, as well as from their own homes.
 Right now our issue is with the VPN and RD connections being flaky at best. Sometimes the RDC will freeze up momentarily or entirely, other times a "reconnecting" dialogue box appears and cycles through 20 connection attempts--sometimes reconnecting and other times just dropping. Sometimes the RDC drops, but the VPN connection remains intact. Usually both connections are lost entirely. Usually web browsing is still possible and general internet connectivity is there.
We need some serious help here. Constant interruptions are simply unacceptable to my teammates as well as their clients. I simply don't know what to do. I'm waiting on our hosting vendor to respond, but nothing yet.
Question by:nicholasjwolf

Expert Comment

ID: 20287855
Remote Desktop Connection will generate a considerable amount of traffic load.
Do the wireless connections you mentioned have ample bandwidth?
Or is this happening only recently?
When you lose the connection, does your VPN connectivity disconnect?
What is the version of the Fortinet box (firmware version)? Is it MR5?
Run a health check on your Fortinet box.
Do a close study of the bandwidth utilization required and the current bandwidth on the Internet links you have.


Author Comment

ID: 20295705
Thanks Renill. Those are good suggestions. Our IT provider checked the box and couldn't find anything out of the ordinary. He said he changed one thing that *may* or may not help (didn't say what, I asked him to please clarify). I also suggested that all users change their RD connection "Experience" settings to the lowest (Modem 28.8 Kbps) and see if that helps. Here is what I'm thinking next if no fix:
I sent an email to all BW employees and independent contractors explaining how to configure the Remote Desktop connection settings for a very slow connection to see if that helps at all. Here is what else I have in mind:

- The main server was badly fragmented, so I installed a trial of Diskeeper.
- Confirm network drivers installed are Microsoft-approved/compliant with Windows operating system installed
- Scan for spyware/malware
- Test connectivity with only necessary programs open (i.e. the remote desktop and nothing else)
- Monitor network activity by installing a program that will log incoming and outgoing data connections (what ports are being used and where data is coming/going and when connectivity is lost, etc.)
- Compare logged network activity to the Windows Event Viewer (monitors errors and other activity in the background) to the network activity log.


Author Comment

ID: 20295713
Oops, sorry, "I sent an email to all BW employees..." was leftover from the email I sent out.


Expert Comment

ID: 20296572

You can even try VNC, as this is a low-bandwidth product. Much better in performance compared to the Microsoft Remote Desktop client. But you may have to give your clients some training ;)


Author Comment

ID: 20306542
This is what our IT vendor said he changed on the FortiGate:
"I modified the settings for the Dead Peer Detection option.  I used the command line to up the retries and time intervals used to determine dead peers on the VPN.  Hopefully if the wireless connections or anything else are causing interference or dropping, this will allow for a little more cushion before the VPN disconnects."

We are still experiencing disconnects. I submitted a support ticket directly to FortiNet and I am waiting for a response from them.

I will also try VNC.

Author Comment

ID: 20323548
I am noticing a pattern of events right before the connection is lost:

DHCP 1003 "Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00166F208F74.  The following error occurred:
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server."

TCPIP 4201 "The system detected that network adapter \DEVICE\TCPIP_{BC56609C-F05E-4828-BCC7-4650388C2F32} was connected to the network, and has initiated normal operation over the network adapter."

These events occur simultaneously every 5 seconds for approximately 2 minutes until the connection drops.

Both the VPN and wireless networks are assigning IPs. After looking up DHCP 1003 on TechNet, I found this Microsoft KB article:

"When you have two Dynamic Host Configuration Protocol (DHCP) servers connected to the network, and the DHCP Server Service of the unauthorized server is running, it may intercept a 'Discover' broadcast from a client computer and generate the following error message:
The DHCP client could not obtain an IP address.
Also, Error ID 1003 may appear in the Event Log with the following description:
DHCP failed to obtain a lease for the card with Network Address MAC address of client. Access is denied." - http://support.microsoft.com/kb/244978

So, static virtual IPs for the FortiGate VPN seem to be the way to go, huh?
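
Added example (not part of the original thread): a Python sketch of the log correlation described in the post above, flagging sustained runs where DHCP 1003 and TCPIP 4201 are logged in the same second. The rows, timestamps, thresholds and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

WATCHED = {("DHCP", 1003), ("TCPIP", 4201)}  # source/ID pairs named in the post

def make_sample():
    """Constructed System-log rows: (timestamp, source, event_id)."""
    start = datetime(2007, 11, 20, 9, 0, 0)  # constructed date
    rows = [(start - timedelta(minutes=30), "DHCP", 1003)]  # isolated, no pair
    for i in range(24):  # 24 pairs, 5 s apart, roughly 2 minutes
        t = start + timedelta(seconds=5 * i)
        rows += [(t, "DHCP", 1003), (t, "TCPIP", 4201)]
    return rows

def find_flap_bursts(rows, max_gap=timedelta(seconds=10),
                     min_duration=timedelta(seconds=60)):
    """Return (start, end, pair_count) for each sustained run of paired events."""
    # Bucket watched events by second; a pair is a second where both IDs fired.
    by_second = {}
    for ts, source, event_id in rows:
        key = (source.upper(), event_id)
        if key in WATCHED:
            by_second.setdefault(ts.replace(microsecond=0), set()).add(key)
    paired = sorted(t for t, seen in by_second.items() if seen == WATCHED)

    bursts, run = [], []
    for t in paired + [None]:  # None is a sentinel that flushes the last run
        if run and (t is None or t - run[-1] > max_gap):
            if run[-1] - run[0] >= min_duration:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        if t is not None:
            run.append(t)
    return bursts

if __name__ == "__main__":
    for start, end, pairs in find_flap_bursts(make_sample()):
        print(f"{start} -> {end}: {pairs} paired 1003/4201 events")
```

The end timestamp of each burst can be compared with the time the VPN client reports the tunnel going down.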

Accepted Solution

nicholasjwolf earned 0 total points
ID: 20460106
I am not certain if this is why, but since assigning static IP addresses, dropped connections have not occurred.

Expert Comment

ID: 20461690
good work.

Capture it as a learning. Great day!


Expert Comment

ID: 20584791
Closed, 500 points refunded.
Community Support Moderator
