juckyt asked:

Unstable VPN Connection: Is it the Remote Office setup or the Netscreen VPN device?

Experts:

This question examines a problem I'm experiencing: users at the Remote Office are having difficulty connecting back to HQ using an IPSec VPN client connection. I believe the Netscreen VPN device at HQ to be configured correctly; it's the Remote Office setup I want to spend most of our time discussing.

Topology:
I have a user in the Remote Office who connects to the Internet through a Linksys Wireless Router. The Linksys WAP distributes DHCP and serves as the office switch as well as gateway to the ISP router. This user wants to connect back to HQ using a pre-configured Netscreen Remote Client. The software is set up to use IKE with XAuth and a Pre-Shared Key. The Netscreen VPN device at HQ has a Public IP of 84.189.20.18 and distributes IP addresses to requesting VPN clients from an IP Pool range of 10.88.84.100-199. The user connects fine and gets assigned an IP Address of 10.88.84.110, which, for all intents and purposes, should be enough to allow the remote user to clearly access any network resources on the 192.168.2.0 subnet... in particular, the webserver, 192.168.2.25.

Problem:
The remote user reports that their IPSec tunnel back to HQ is unstable and that they often get booted off for no apparent reason. Here's where it gets weird. From HQ, I am unable to PING the WAN IP of the Remote Office router, 217.33.77.58, which is very odd, but I can PING the Linksys WAP configured with a Public IP of 217.33.77.57. Again, so weird. My sneaking suspicion is that IPSec packets are getting dropped or confounded by the setup at the Remote Office. I'd like your insight in finding out if this is truly the case.

Here is some log information from the Netscreen device in HQ about the remote user's connection status:
(Initial Connection)
2008-10-02 05:59:33 info IKE<217.33.77.58> Phase 2 msg ID <e63e3a26>: Completed negotiations with SPI <9750d120>, tunnel ID <32820>, and lifetime <3600> seconds/<0> KB.
2008-10-02 05:59:33 info IKE<217.33.77.58> Phase 2 msg ID <e63e3a26>: Responded to the peer's first message.
2008-10-02 05:59:33 info IKE<217.33.77.58>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<10.88.84.110>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received initial contact notification and removed Phase 1 SAs.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Completed for user <Bill Jones>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received initial contact notification and removed Phase 2 SAs.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Responder starts AGGRESSIVE mode negotiations.


(Unexpected Disconnect)
2008-10-02 07:26:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Sally Peters> at <10.88.84.108/255.255.255.255>.
2008-10-02 07:25:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Bill Jones> at <10.88.84.110/255.255.255.255>.
2008-10-02 07:24:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Phil Smith> at <10.88.84.109/255.255.255.255>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.


NOTICE HOW ALL REMOTE USERS CONNECTED BACK TO HQ WERE DISCONNECTED AT THE SAME TIME!

The clients are Windows XP machines using the latest Netscreen Remote client software. The VPN device in HQ is a Netscreen-5GT.

I need to stabilize the client VPN connections at this Remote Office. At least I need to rule out that the problem is NOT with the Netscreen VPN device itself. I'm sure there is something amiss with the Linksys-to-router relationship at the Remote Office that's part of the problem here. Let me know what you think...


juckyt
[Attachment: Remote-Office-VPN-Problem.png]

dpk_wal replied:

The log messages which you have posted indicate that the idle timeout is reached, causing the tunnel termination.

>> XAuth login expired
>> info Phase 2 SA for tunnel ID 8035 has been idle too long

For the first case, check the idle timeout settings on your server and increase them; or, for both cases, create a batch file for the users which would send 1 ping packet on the VPN tunnel every 1 minute; this way the idle timeout would not be reached. The users would need to execute the file once the VPN gets established.

The sample batch file can look like this:
:loop
ping <ip-address-of-remote-end> -n 1
sleep 60
goto loop

The above script uses the sleep utility [not found natively on Windows]; this can be downloaded from the internet and needs to be present on each client machine.

Thank you.
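An added example, not part of either post: one way to check the event log for the pattern discussed in this thread, several XAuth users behind the same peer address being dropped close together, alongside idle Phase 2 SAs. The sample lines are copied from the question's log; the function names, the 5-minute window and the 2-user threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the question above (NetScreen event log, newest first).
SAMPLE_LOG = """\
2008-10-02 07:26:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Sally Peters> at <10.88.84.108/255.255.255.255>.
2008-10-02 07:25:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Bill Jones> at <10.88.84.110/255.255.255.255>.
2008-10-02 07:24:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Phil Smith> at <10.88.84.109/255.255.255.255>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Completed for user <Bill Jones>.
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) info "
XAUTH_EXPIRED = re.compile(
    TS + r"IKE<(?P<peer>[\d.]+)>: XAuth login expired and was terminated "
    r"for username <(?P<user>[^>]+)> at <(?P<ip>[\d.]+)/")
P2_IDLE = re.compile(TS + r"Phase 2 SA for tunnel ID (?P<tunnel>\d+) has been idle too long")


def parse(log_text):
    """Return (xauth_expiries, idle_tunnel_ids); all other lines are ignored."""
    expiries, idle = [], []
    for line in log_text.splitlines():
        if m := XAUTH_EXPIRED.match(line):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            expiries.append((ts, m["peer"], m["user"], m["ip"]))
        elif m := P2_IDLE.match(line):
            idle.append(int(m["tunnel"]))
    return expiries, idle


def mass_disconnects(expiries, window=timedelta(minutes=5), min_users=2):
    """Peers whose distinct dropped users within one window reach min_users (assumed defaults)."""
    by_peer = defaultdict(list)
    for ts, peer, user, _ip in expiries:
        by_peer[peer].append((ts, user))
    report = {}
    for peer, events in by_peer.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):  # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            best = max(best, users, key=len)
        if len(best) >= min_users:
            report[peer] = sorted(best)
    return report
```

On the question's log this reports all three users under the single peer address 217.33.77.58 and tunnel ID 8035 as idle, which is the simultaneous drop the asker pointed out.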