Nick Wolf asked:

RD Connections lost using FortiClient VPN with IPSec

I work for a small company that has various users spread geographically across the country. They all use PCs running WinXP (one using Vista) and usually using a wireless connection for Internet access. We have an Exchange 2003 server and a Terminal Server running Server 2003.
Users acquire an Internet connection, connect to our VPN using FortiClient 3.0 software through our FortiNet appliance. Then each user connects to the TS via Remote Desktop Connection.
The users are connecting (when able to establish a wireless connection) most often from hotel networks, coffee shops, corporate client sites, as well as from their own homes.
Right now our issue is with the VPN and RD connections being flaky at best. Sometimes the RDC will freeze up momentarily or entirely, other times a "reconnecting" dialogue box appears and cycles through 20 connection attempts--sometimes reconnecting and other times just dropping. Sometimes the RDC drops, but the VPN connection remains intact. Usually both connections are lost entirely. Usually web browsing is still possible and general internet connectivity is there.
We need some serious help here. Constant interruptions are simply unacceptable to my teammates as well as their clients. I simply don't know what to do. I'm waiting on our hosting vendor to respond, but nothing yet.
renill

Remote Desktop Connection will generate a considerable amount of traffic load.
Do the wireless connections you mentioned have ample bandwidth?
Or is this happening recently?

When you lose the connection, does your VPN connectivity disconnect?

What is the version of the Fortinet box (firmware version)? Is it MR5?
http://kc.forticare.com/default.asp?id=2047&Lang=1&SID=

Run a health check on your Fortinet box.
Do a close study of the bandwidth utilization required and the current bandwidth on the Internet links you are holding.

renill
ASKER

Thanks Renill. Those are good suggestions. Our IT provider checked the box and couldn't find anything out of the ordinary. He said he changed one thing that *may* or may not help (didn't say what, I asked him to please clarify). I also suggested that all users change their RD connection "Experience" settings to the lowest (Modem 28.8 Kbps) and see if that helps. Here is what I'm thinking next if no fix:
I sent an email to all BW employees and independent contractors explaining how to configure the Remote Desktop connection settings for a very slow connection to see if that helps at all. Here is what else I have in mind:

- The main server was badly fragmented, so I installed a trial of Diskeeper.
- Confirm network drivers installed are Microsoft-approved/compliant with Windows operating system installed
- Scan for spyware/malware
- Test connectivity with only necessary programs open (i.e. the remote desktop and nothing else)
- Monitor network activity by installing a program that will log incoming and outgoing data connections (what ports are being used and where data is coming/going and when connectivity is lost, etc.)
- Compare logged network activity to the Windows Event Viewer (monitors errors and other activity in the background) to the network activity log.

Oops, sorry, "I sent an email to all BW employees..." was leftover from the email I sent out.
Nicholas,

You can even try VNC, as this is a low-bandwidth product. Much better in performance compared to the Microsoft Remote Desktop client. But you may have to give your clients some training ;)

renill
This is what our IT vendor said he changed on the FortiGate:
"I modified the settings for the Dead Peer Detection option.  I used the command line to up the retries and time intervals used to determine dead peers on the VPN.  Hopefully if the wireless connections or anything else are causing interference or dropping, this will allow for a little more cushion before the VPN disconnects."

We are still experiencing disconnects. I submitted a support ticket directly to FortiNet and I am waiting for a response from them.

I will also try VNC.
I am noticing a pattern of events right before the connection is lost:

DHCP 1003 "Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00166F208F74.  The following error occurred:
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server."

TCPIP 4201 "The system detected that network adapter \DEVICE\TCPIP_{BC56609C-F05E-4828-BCC7-4650388C2F32} was connected to the network, and has initiated normal operation over the network adapter."

These events occur simultaneously every 5 seconds for approximately 2 minutes until the connection drops.

Both the VPN and wireless networks are assigning IPs. After looking up DHCP 1003 at TechNet, I found this Microsoft KB article:

"When you have two Dynamic Host Configuration Protocol (DHCP) servers connected to the network, and the DHCP Server Service of the unauthorized server is running, it may intercept a 'Discover' broadcast from a client computer and generate the following error message:
The DHCP client could not obtain an IP address.
Also, Error ID 1003 may appear in the Event Log with the following description:
DHCP failed to obtain a lease for the card with Network Address MAC address of client. Access is denied." - http://support.microsoft.com/kb/244978

So, static virtual IPs for the FortiGate VPN seem to be the way to go, huh?
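
The pattern reported above (DHCP 1003 and TCPIP 4201 recurring every 5 seconds for about 2 minutes before a drop) can be pulled out of an exported System event log so that it can be lined up against VPN disconnect times. The Python below is an added example, not part of the original thread; the CSV layout, the sample rows and the thresholds are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from statistics import median

# Event pair named in the post: DHCP 1003 (address renewal failed) and
# TCPIP 4201 (adapter reported as connected to the network again).
FLAP_EVENTS = {("dhcp", 1003), ("tcpip", 4201)}

def build_sample():
    """Constructed export (timestamp,source,event_id); not real log data."""
    start = datetime(2008, 1, 15, 9, 0, 0)
    rows = ["2008-01-15 08:40:00,Service Control Manager,7036"]
    for i in range(24):  # 24 cycles, 5 s apart, roughly 2 minutes
        t = (start + timedelta(seconds=5 * i)).strftime("%Y-%m-%d %H:%M:%S")
        rows += [f"{t},DHCP,1003", f"{t},TCPIP,4201"]
    rows.append("2008-01-15 09:30:00,DHCP,1003")  # isolated event, not a burst
    return "\n".join(rows)

def parse(text):
    """Keep only the two event types of interest, sorted by time."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        key = (row[1].strip().lower(), int(row[2]))
        if key in FLAP_EVENTS:
            events.append((datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"), key))
    return sorted(events)

def find_bursts(events, max_gap=timedelta(seconds=15), min_cycles=5):
    """Group events separated by <= max_gap (assumed threshold) and report
    groups in which both event types occur at least min_cycles times."""
    bursts, current = [], []
    for ev in events + [None]:  # trailing None flushes the last group
        if ev and (not current or ev[0] - current[-1][0] <= max_gap):
            current.append(ev)
            continue
        if current:
            counts = [sum(1 for _, k in current if k == want) for want in FLAP_EVENTS]
            if min(counts) >= min_cycles:
                times = sorted({t for t, _ in current})
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                bursts.append({"start": times[0], "end": times[-1],
                               "cycles": min(counts),
                               "median_interval_s": median(gaps) if gaps else 0.0})
        current = [ev] if ev else []
    return bursts
```

Each reported burst gives a start and end time that can be compared with the FortiClient disconnect time on the same machine.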
ASKER CERTIFIED SOLUTION
Nick Wolf
This solution is only available to members.
Good work.

Capture it as a learning. Great day!

renill
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator