Solved

Unstable VPN Connection: Is it the Remote Office setup or the Netscreen VPN device?

Posted on 2008-10-02
Last Modified: 2012-05-05
Experts:

This question examines a problem I'm experiencing: users at the Remote Office are having difficulty connecting back to HQ using an IPSec VPN client connection. I believe the Netscreen VPN device at HQ to be configured correctly; it's the Remote Office setup I want to spend most of our time discussing.

Topology:
I have a user in the Remote Office who connects to the Internet through a Linksys Wireless Router. The Linksys WAP distributes DHCP and serves as the office switch as well as the gateway to the ISP router. This user wants to connect back to HQ using a pre-configured Netscreen Remote Client. The software is set up to use IKE with XAuth and a Pre-Shared Key. The Netscreen VPN device at HQ has a Public IP of 84.189.20.18 and distributes IP addresses to requesting VPN clients from an IP Pool range of 10.88.84.100-199. The user connects fine and gets assigned an IP Address of 10.88.84.110, which, for all intents and purposes, should be enough to allow the remote user to access any network resources on the 192.168.2.0 subnet...in particular, the webserver, 192.168.2.25.

Problem:
The remote user reports that their IPSec tunnel back to HQ is unstable and they often get booted off for no apparent reason. Here's where it gets weird. From HQ, I am unable to PING the WAN IP of the Remote Office router, 217.33.77.58, which is very odd. But I can PING the Linksys WAP configured with a Public IP of 217.33.77.57. Again, so weird. My sneaky suspicion is that IPSec packets are getting dropped or confounded by the setup at the Remote Office. I'd like your insight in finding out if this is truly the case.

Here is some log information from the Netscreen device in HQ about the remote user's connection status:
(Initial Connection)
2008-10-02 05:59:33 info IKE<217.33.77.58> Phase 2 msg ID <e63e3a26>: Completed negotiations with SPI <9750d120>, tunnel ID <32820>, and lifetime <3600> seconds/<0> KB.
2008-10-02 05:59:33 info IKE<217.33.77.58> Phase 2 msg ID <e63e3a26>: Responded to the peer's first message.
2008-10-02 05:59:33 info IKE<217.33.77.58>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<10.88.84.110>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received initial contact notification and removed Phase 1 SAs.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Completed for user <Bill Jones>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received initial contact notification and removed Phase 2 SAs.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Responder starts AGGRESSIVE mode negotiations.


(Unexpected Disconnect)
2008-10-02 07:26:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Sally Peters> at <10.88.84.108/255.255.255.255>.
2008-10-02 07:25:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Bill Jones> at <10.88.84.110/255.255.255.255>.
2008-10-02 07:24:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Phil Smith> at <10.88.84.109/255.255.255.255>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.


NOTICE HOW ALL REMOTE USERS CONNECTED BACK TO HQ WERE DISCONNECTED AT THE SAME TIME!

The clients are Windows XP machines using the latest Netscreen Remote client software. The VPN device in HQ is a Netscreen-5GT.

I need to stabilize the client VPN connections at this Remote Office. At the least, I need to establish that the problem is NOT with the Netscreen VPN device itself. I'm sure there is something amiss with the Linksys-to-Router relationship at the Remote Office that's part of the problem here. Let me know what you think...


juckyt
[Attachment: Remote-Office-VPN-Problem.png]
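Before the replies, an added example (not part of the original question and not juckyt's code) showing how to process the Netscreen IKE log lines quoted above. It parses the timestamp, peer IP and XAuth username out of each line, computes how long each XAuth session lasted between "login was passed" and "login expired", and flags the pattern the poster highlights: several XAuth sessions behind the same public IP expiring within a short window, together with whether a "Phase 2 SA ... idle too long" deactivation fell inside that window. The sample log is a constructed subset of the lines in the post; the 120-second window, the 2-user threshold and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the Netscreen log lines quoted in the post.
SAMPLE_LOG = """\
2008-10-02 05:59:33 info IKE<217.33.77.58> Phase 2 msg ID <e63e3a26>: Completed negotiations with SPI <9750d120>, tunnel ID <32820>, and lifetime <3600> seconds/<0> KB.
2008-10-02 05:59:33 info IKE<217.33.77.58>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<10.88.84.110>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-10-02 07:26:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Sally Peters> at <10.88.84.108/255.255.255.255>.
2008-10-02 07:25:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Bill Jones> at <10.88.84.110/255.255.255.255>.
2008-10-02 07:24:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Phil Smith> at <10.88.84.109/255.255.255.255>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ (?P<rest>.*)$")
PEER_RE = re.compile(r"IKE<(?P<peer>[\d.]+)>")
LOGIN_RE = re.compile(r"XAuth login was passed .*?username <(?P<user>[^>]+)>")
EXPIRE_RE = re.compile(r"XAuth login expired .*?username <(?P<user>[^>]+)>")


def parse_events(text):
    """Turn raw log lines into a list of dicts sorted by timestamp.

    The Netscreen UI lists newest lines first, so the order in the post
    is reversed; sorting by timestamp restores the real sequence.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        rest = m.group("rest")
        peer_m = PEER_RE.search(rest)
        peer = peer_m.group("peer") if peer_m else None
        kind, user = "other", None
        login_m = LOGIN_RE.search(rest)
        expire_m = EXPIRE_RE.search(rest)
        if login_m:
            kind, user = "login", login_m.group("user")
        elif expire_m:
            kind, user = "expire", expire_m.group("user")
        elif "has been idle too long" in rest:
            kind = "p2_idle"
        events.append({"ts": ts, "peer": peer, "kind": kind, "user": user})
    events.sort(key=lambda e: e["ts"])
    return events


def session_durations(events):
    """Seconds between XAuth login and XAuth expiry, per username."""
    login_at, durations = {}, {}
    for e in events:
        if e["kind"] == "login":
            login_at[e["user"]] = e["ts"]
        elif e["kind"] == "expire" and e["user"] in login_at:
            delta = e["ts"] - login_at.pop(e["user"])
            durations[e["user"]] = int(delta.total_seconds())
    return durations


def correlated_terminations(events, window_s=120, min_users=2):
    """Find peers where >= min_users distinct XAuth sessions expired within window_s.

    Returns {peer_ip: {"start": first expiry, "users": [...],
    "p2_idle_in_window": True if a P2 SA idle deactivation landed in the window}}.
    window_s and min_users are assumed thresholds, not Netscreen settings.
    """
    p2_idle_ts = [e["ts"] for e in events if e["kind"] == "p2_idle"]
    by_peer = defaultdict(list)
    for e in events:
        if e["kind"] == "expire" and e["peer"]:
            by_peer[e["peer"]].append(e)
    found = {}
    for peer, exps in by_peer.items():
        exps.sort(key=lambda e: e["ts"])
        for i, first in enumerate(exps):
            users = [first["user"]]
            for later in exps[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_s:
                    break
                users.append(later["user"])
            best = found.get(peer, {}).get("users", [])
            if len(users) >= min_users and len(users) > len(best):
                end = first["ts"] + timedelta(seconds=window_s)
                found[peer] = {
                    "start": first["ts"],
                    "users": users,
                    "p2_idle_in_window": any(first["ts"] <= t <= end for t in p2_idle_ts),
                }
    return found


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("session durations (s):", session_durations(evs))
    for peer, hit in correlated_terminations(evs).items():
        print(f"{peer}: {len(hit['users'])} XAuth sessions expired from {hit['start']} "
              f"within 120s {hit['users']}, P2 idle deactivation in window: {hit['p2_idle_in_window']}")
```

Run against the posted lines this reports one peer, 217.33.77.58, with Phil Smith, Bill Jones and Sally Peters all expiring at one-minute intervals starting 07:24:21, the same second the Phase 2 SA idle deactivation was logged; Bill Jones' session lasted 5148 seconds from login to expiry. Pointing the same parser at a longer export lets you check whether every drop shares that shape or whether some peers fall off on their own.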
2 Comments

Expert Comment by dpk_wal (ID: 22632456)
The log messages which you have posted indicate that the idle timeout is reached, causing the tunnel termination.

>> XAuth login expired
>> info Phase 2 SA for tunnel ID 8035 has been idle too long

For the first case, check the idle timeout settings on your server and increase them; or, for both cases, create a batch file for the users which would send 1 ping packet over the VPN tunnel every 1 minute; this way the idle timeout would not be reached. The users would need to execute the file once the VPN gets established.

The sample batch file can look like this:
:loop
ping <ip-address-of-remote-end> -n 1
sleep 60
goto loop

The above script uses the sleep utility [not found natively on Windows]; this can be downloaded from the internet and needs to be present on each client machine.

Thank you.

Accepted Solution by juckyt (earned 0 total points, ID: 22696011)
The Cisco Router at the remote office is part of the problem: what I have is a NAT-ted Linksys WAP behind a Cisco router set in Bridge mode. Secondly, the Firewall back in HQ is malfunctioning, being unable to process DNS properly for multiple IPSec connections coming from the same remote location.

I'm going in another direction with this case. Thanks for responding