Unstable VPN Connection: Is it the Remote Office setup or the Netscreen VPN device?

Posted on 2008-10-02
Last Modified: 2012-05-05

This question examines a problem I'm experiencing: users at the Remote Office are having difficulty connecting back to HQ using an IPSec VPN client connection. I believe the Netscreen VPN device at HQ is configured correctly; it's the Remote Office setup I want to spend most of our time discussing.

I have a user in the Remote Office who connects to the Internet through a Linksys Wireless Router. The Linksys WAP distributes DHCP and serves as the office switch as well as the gateway to the ISP router. This user wants to connect back to HQ using a pre-configured Netscreen Remote Client. The software is set up to use IKE with XAuth and a Pre-Shared Key. The Netscreen VPN device at HQ has a Public IP of and distributes IP addresses to requesting VPN clients from an IP Pool range of The user connects fine and gets assigned an IP Address of, which, for all intents and purposes, should be enough to allow the remote user to clearly access any network resources on the particular, the webserver, 192.1268.2.25.

The remote user reports that their IPSec tunnel back to HQ is unstable and they often get booted off for no apparent reason. Here's where it gets weird. From HQ, I am unable to PING the WAN IP of the Remote Office router,, which is very odd. But I can PING the Linksys WAP configured with a Public IP of Again, so weird. My sneaky suspicion is that IPSec packets are getting dropped or confounded by the setup at the Remote Office. I'd like your insight in finding out if this is truly the case.

Here is some log information from the Netscreen device in HQ about the remote user's connection status:
(Initial Connection)
2008-10-02 05:59:33 info IKE<> Phase 2 msg ID <e63e3a26>: Completed negotiations with SPI <9750d120>, tunnel ID <32820>, and lifetime <3600> seconds/<0> KB.
2008-10-02 05:59:33 info IKE<> Phase 2 msg ID <e63e3a26>: Responded to the peer's first message.
2008-10-02 05:59:33 info IKE<>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 05:59:02 info IKE<>: Received initial contact notification and removed Phase 1 SAs.
2008-10-02 05:59:02 info IKE<> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-10-02 05:59:02 info IKE<> Phase 1: Completed for user <Bill Jones>.
2008-10-02 05:59:02 info IKE<>: Received initial contact notification and removed Phase 2 SAs.
2008-10-02 05:59:02 info IKE<>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2008-10-02 05:59:02 info IKE<>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
2008-10-02 05:59:02 info IKE<> Phase 1: Responder starts AGGRESSIVE mode negotiations.

(Unexpected Disconnect)
2008-10-02 07:26:21 info IKE<>: XAuth login expired and was terminated for username <Sally Peters> at <>.
2008-10-02 07:25:21 info IKE<>: XAuth login expired and was terminated for username <Bill Jones> at <>.
2008-10-02 07:24:21 info IKE<>: XAuth login expired and was terminated for username <Phil Smith> at <>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.


The clients are Windows XP machines using the latest Netscreen Remote client software. The VPN device in HQ is a Netscreen-5GT.

I need to stabilize the client VPN connections at this Remote Office. At least I need to rule out that the problem is NOT with the Netscreen VPN device itself. I'm sure there is something amiss with the Linksys-to-Router relationship at the Remote Office that's part of the problem here. Let me know what you think...

Question by: juckyt
LVL 32

Expert Comment

ID: 22632456
The log messages which you have posted indicate that the idle timeout is reached, causing the tunnel termination.

>> XAuth login expired
>> info Phase 2 SA for tunnel ID 8035 has been idle too long

For the first case, check the idle timeout settings on your server and increase them; or, for both cases, create a batch file for the users which would send 1 ping packet over the VPN tunnel every minute; this way the idle timeout would not be reached. The users would need to execute the file once the VPN gets established.

The sample batch file can look like this:
:loop
ping <ip-address-of-remote-end> -n 1
sleep 60
goto loop

The above script uses the sleep utility (not found natively on Windows); this can be downloaded from the internet and needs to be present on each client machine.

Thank you.
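As an added example that is not part of this thread, here is a small Python parser for the Netscreen-5GT log lines quoted in the question. It pairs each XAuth login with the expiry that ended it, pulls out the "idle too long" tunnel IDs, and flags users whose sessions expired within a couple of minutes of one another, which is the pattern worth checking before attributing every drop to a single idle client. The sample log is constructed from the page's own lines; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Netscreen-5GT lines in the question; addresses are blank there too.
SAMPLE_LOG = """\
2008-10-02 05:59:33 info IKE<>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 07:26:21 info IKE<>: XAuth login expired and was terminated for username <Sally Peters> at <>.
2008-10-02 07:25:21 info IKE<>: XAuth login expired and was terminated for username <Bill Jones> at <>.
2008-10-02 07:24:21 info IKE<>: XAuth login expired and was terminated for username <Phil Smith> at <>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.
"""
PATTERNS = (
    ("login", re.compile(r"^(\S+ \S+) info IKE<[^>]*>: XAuth login was passed .*?username <([^>]+)>")),
    ("expired", re.compile(r"^(\S+ \S+) info IKE<[^>]*>: XAuth login expired .*?username <([^>]+)>")),
    ("idle", re.compile(r"^(\S+ \S+) info Phase 2 SA for tunnel ID (\d+) has been idle too long")),
)

def parse_events(log_text):
    """Return (timestamp, kind, subject) tuples oldest-first; the device lists newest entries first."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), kind, m.group(2)))
                break
    return sorted(events, key=lambda e: e[0])  # stable: same-second entries keep their order

def session_lengths(events):
    """Seconds from each user's XAuth login to the expiry that ended it (None if no login seen)."""
    open_logins, lengths = {}, {}
    for ts, kind, subject in events:
        if kind == "login":
            open_logins[subject] = ts
        elif kind == "expired":
            start = open_logins.pop(subject, None)
            lengths[subject] = int((ts - start).total_seconds()) if start else None
    return lengths

def clustered_expiries(events, window_seconds=120):
    """Users whose sessions expired within window_seconds of each other: a shared-path symptom, not one idle client."""
    clusters, last_ts = [], None
    for ts, kind, subject in events:
        if kind != "expired":
            continue
        if last_ts is None or (ts - last_ts).total_seconds() > window_seconds:
            clusters.append([])
        clusters[-1].append(subject)
        last_ts = ts
    return [c for c in clusters if len(c) > 1]
```

On the quoted lines this reports Bill Jones's session as 5148 seconds long and groups all three users into one expiry cluster, since they dropped exactly one minute apart.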

Accepted Solution

juckyt earned 0 total points
ID: 22696011
The Cisco Router at the remote office is part of the problem; what I have is a NAT-ted Linksys WAP behind a Cisco router set in Bridge mode. Secondly, the Firewall back in HQ is malfunctioning, being unable to process DNS properly for multiple IPSec connections coming from the same remote location.

I'm going in another direction with this case. Thanks for responding.
