Solved

RD Connections lost using FortiClient VPN with IPSec

Posted on 2007-11-14
Last Modified: 2013-11-21
I work for a small company that has various users spread geographically across the country. They all use PCs running WinXP (one using Vista) and usually using a wireless connection for Internet access. We have an Exchange 2003 server and a Terminal Server running Server 2003.
Users acquire an Internet connection, connect to our VPN using FortiClient 3.0 software through our FortiNet appliance. Then each user connects to the TS via Remote Desktop Connection.
The users are connecting (when able to establish a wireless connection) most often from hotel networks, coffee shops, corporate client sites, as well as from their own homes.
 Right now our issue is with the VPN and RD connections being flaky at best. Sometimes the RDC will freeze up momentarily or entirely, other times a "reconnecting" dialogue box appears and cycles through 20 connection attempts--sometimes reconnecting and other times just dropping. Sometimes the RDC drops, but the VPN connection remains intact. Usually both connections are lost entirely. Usually web browsing is still possible and general internet connectivity is there.
We need some serious help here. Constant interruptions are simply unacceptable to my teammates as well as their clients. I simply don't know what to do. I'm waiting on our hosting vendor to respond, but nothing yet.
Question by:nicholasjwolf
 
LVL 5

Expert Comment

by:renill
ID: 20287855
Remote Desktop Connection will generate a considerable amount of traffic load.
Do the wireless connections you mentioned have ample bandwidth?
Or is this happening recently?

When you lose the connection, does your VPN connectivity disconnect?

What is the version of the Fortinet box (firmware version)? Is it MR5?
http://kc.forticare.com/default.asp?id=2047&Lang=1&SID=

Do a health check on your Fortinet box.
Do a close study of the bandwidth utilization required and the current bandwidth on the Internet links you have.

renill
 

Author Comment

by:nicholasjwolf
ID: 20295705
Thanks Renill. Those are good suggestions. Our IT provider checked the box and couldn't find anything out of the ordinary. He said he changed one thing that *may* or may not help (didn't say what, I asked him to please clarify). I also suggested that all users change their RD connection "Experience" settings to the lowest (Modem 28.8 Kbps) and see if that helps. Here is what I'm thinking next if no fix:
 I sent an email to all BW employees and independent contractors explaining how to configure the Remote Desktop connection settings for a very slow connection to see if that helps at all. Here is what else I have in mind:

- The main server was badly fragmented, so I installed a trial of Diskeeper.

- Confirm network drivers installed are Microsoft-approved/compliant with the Windows operating system installed

- Scan for spyware/malware

- Test connectivity with only necessary programs open (i.e. the remote desktop and nothing else)

- Monitor network activity by installing a program that will log incoming and outgoing data connections (what ports are being used and where data is coming/going and when connectivity is lost, etc.)

- Compare logged network activity to the Windows Event Viewer (monitors errors and other activity in the background).

 

Author Comment

by:nicholasjwolf
ID: 20295713
Oops, sorry, "I sent an email to all BW employees..." was leftover from the email I sent out.
 
LVL 5

Expert Comment

by:renill
ID: 20296572
nicholas,

You can even try VNC, as this is a low-bandwidth product. Much better in performance compared to the Microsoft Remote Desktop client. But you may have to give your clients some training ;)

renill

 

Author Comment

by:nicholasjwolf
ID: 20306542
This is what our IT vendor said he changed on the FortiGate:
"I modified the settings for the Dead Peer Detection option.  I used the command line to up the retries and time intervals used to determine dead peers on the VPN.  Hopefully if the wireless connections or anything else are causing interference or dropping, this will allow for a little more cushion before the VPN disconnects."

We are still experiencing disconnects. I submitted a support ticket directly to FortiNet and I am waiting for a response from them.

I will also try VNC.
 

Author Comment

by:nicholasjwolf
ID: 20323548
I am noticing a pattern of events right before the connection is lost:

DHCP 1003 "Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00166F208F74.  The following error occurred:
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server."

TCPIP 4201 "The system detected that network adapter \DEVICE\TCPIP_{BC56609C-F05E-4828-BCC7-4650388C2F32} was connected to the network, and has initiated normal operation over the network adapter."

These events occur simultaneously every 5 seconds for approximately 2 minutes until the connection drops.

Both the VPN and wireless networks are assigning IPs. After looking up DHCP 1003 on TechNet, I found this Microsoft KB article:

"When you have two Dynamic Host Configuration Protocol (DHCP) servers connected to the network, and the DHCP Server Service of the unauthorized server is running, it may intercept a 'Discover' broadcast from a client computer and generate the following error message:
The DHCP client could not obtain an IP address.
Also, Error ID 1003 may appear in the Event Log with the following description:
DHCP failed to obtain a lease for the card with Network Address MAC address of client. Access is denied." - http://support.microsoft.com/kb/244978

So, static virtual IPs for the FortiGate VPN seem to be the way to go, huh?
0
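One way to pick the pattern described in the post above (DHCP 1003 and TCPIP 4201 logged together every few seconds for about two minutes) out of exported event records. This is an added example, not code from the thread; the record layout `(timestamp, source, event ID)`, the thresholds and the sample data are assumptions.

```python
from datetime import datetime, timedelta

def find_flap_bursts(events, pair_window=timedelta(seconds=1),
                     max_gap=timedelta(seconds=10),
                     min_duration=timedelta(seconds=60)):
    """Return (start, end, cycles) for each sustained run in which a DHCP 1003
    and a TCPIP 4201 event are logged together over and over.
    Thresholds are assumptions chosen to fit 'every 5 seconds for ~2 minutes'."""
    dhcp = sorted(t for t, src, eid in events if (src.upper(), eid) == ("DHCP", 1003))
    tcpip = sorted(t for t, src, eid in events if (src.upper(), eid) == ("TCPIP", 4201))
    cycles, j = [], 0
    for t in dhcp:  # pair each DHCP failure with a TCPIP event close in time
        while j < len(tcpip) and tcpip[j] < t - pair_window:
            j += 1
        if j < len(tcpip) and abs(tcpip[j] - t) <= pair_window:
            cycles.append(t)
    bursts, run = [], []
    for t in cycles + [None]:  # None flushes the final run
        if run and (t is None or t - run[-1] > max_gap):
            if run[-1] - run[0] >= min_duration:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        if t is not None:
            run.append(t)
    return bursts

def build_sample():
    """Constructed records (timestamp, source, event ID); not a real export."""
    start = datetime(2007, 11, 20, 9, 0, 0)
    events = [(start - timedelta(minutes=30), "DHCP", 1003)]  # lone failure
    for i in range(24):  # paired events every 5 s for about 2 minutes
        t = start + timedelta(seconds=5 * i)
        events += [(t, "DHCP", 1003), (t, "TCPIP", 4201)]
    later = start + timedelta(hours=1)
    for i in range(3):  # brief blip, too short to count as a burst
        t = later + timedelta(seconds=5 * i)
        events += [(t, "DHCP", 1003), (t, "TCPIP", 4201)]
    return start, events

if __name__ == "__main__":
    _, sample = build_sample()
    for begin, end, n in find_flap_bursts(sample):
        print(f"{begin} -> {end}: {n} DHCP 1003 + TCPIP 4201 cycles")
```

Bursts found this way can be lined up against the times users report losing the VPN or RDP session, which is the comparison the earlier troubleshooting list proposes.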
 

Accepted Solution

by:
nicholasjwolf earned 0 total points
ID: 20460106
I am not certain if this is why, but since assigning static IP addresses, dropped connections have not occurred.
 
LVL 5

Expert Comment

by:renill
ID: 20461690
Good work.

Capture it as a learning. Great day!

renill
 
LVL 1

Expert Comment

by:Vee_Mod
ID: 20584791
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator