Solved

Unstable VPN Connection: Is it the Remote Office setup or the Netscreen VPN device?

Posted on 2008-10-02
Last Modified: 2012-05-05
Experts:

This question examines a problem I'm experiencing: users at the Remote Office are having difficulty connecting back to HQ using an IPSec VPN client connection. I believe the Netscreen VPN device at HQ to be configured correctly; it's the Remote Office setup I want to spend most of our time discussing.

Topology:
I have a user in the Remote Office who connects to the Internet through a Linksys Wireless Router. The Linksys WAP distributes DHCP and serves as the office switch as well as gateway to the ISP router. This user wants to connect back to HQ using a pre-configured Netscreen Remote Client. The software is set up to use IKE with XAuth and a Pre-Shared Key. The Netscreen VPN device at HQ has a Public IP of 84.189.20.18 and distributes IP addresses to requesting VPN clients from an IP Pool range of 10.88.84.100-199. The user connects fine and gets assigned an IP Address of 10.88.84.110, which, for all intents and purposes, should be enough to allow the remote user to access any network resources on the 192.168.2.0 subnet...in particular, the webserver, 192.168.2.25.

Problem:
The remote user reports that their IPSec tunnel back to HQ is unstable and often gets booted off for no apparent reason. Here's where it gets weird. From HQ, I am unable to PING the WAN IP of the Remote Office router, 217.33.77.58, which is very odd, but I can PING the Linksys WAP configured with a Public IP of 217.33.77.57. Again, so weird. My sneaking suspicion is that IPSec packets are getting dropped or confounded by the setup at the Remote Office. I'd like your insight in finding out if this is truly the case.

Here is some log information from the Netscreen device in HQ about the remote user's connection status:
(Initial Connection)
2008-10-02 05:59:33 info IKE<217.33.77.58> Phase 2 msg ID <e63e3a26>: Completed negotiations with SPI <9750d120>, tunnel ID <32820>, and lifetime <3600> seconds/<0> KB.
2008-10-02 05:59:33 info IKE<217.33.77.58> Phase 2 msg ID <e63e3a26>: Responded to the peer's first message.
2008-10-02 05:59:33 info IKE<217.33.77.58>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<10.88.84.110>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received initial contact notification and removed Phase 1 SAs.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Completed for user <Bill Jones>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received initial contact notification and removed Phase 2 SAs.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2008-10-02 05:59:02 info IKE<217.33.77.58>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
2008-10-02 05:59:02 info IKE<217.33.77.58> Phase 1: Responder starts AGGRESSIVE mode negotiations.


(Unexpected Disconnect)
2008-10-02 07:26:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Sally Peters> at <10.88.84.108/255.255.255.255>.
2008-10-02 07:25:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Bill Jones> at <10.88.84.110/255.255.255.255>.
2008-10-02 07:24:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Phil Smith> at <10.88.84.109/255.255.255.255>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.


NOTICE HOW ALL REMOTE USERS CONNECTED BACK TO HQ WERE DISCONNECTED AT THE SAME TIME!

The clients are Windows XP machines using the latest Netscreen Remote client software. The VPN device in HQ is a Netscreen-5GT.

I need to stabilize the client VPN connections at this Remote Office. At least I need to rule out that the problem is with the Netscreen VPN device itself. I'm sure there is something amiss with the Linksys-to-router relationship at the Remote Office that's part of the problem here. Let me know what you think...


juckyt
Remote-Office-VPN-Problem.png
Question by:juckyt
2 Comments
Expert Comment

by:dpk_wal
ID: 22632456
The log messages which you have posted indicate that the idle timeout is reached, causing the tunnel termination.

>> XAuth login expired
>> info Phase 2 SA for tunnel ID 8035 has been idle too long

For the first case, check the idle timeout settings on your server and increase them; or, for both cases, create a batch file for the users which would send 1 ping packet over the VPN tunnel every minute; this way the idle timeout would not be reached. The users would need to execute the file once the VPN gets established.

The sample batch file can look like this:
:loop
ping <ip-address-of-remote-end> -n 1
sleep 60
goto loop

The above script uses the sleep utility [not found natively on Windows]; this can be downloaded from the internet and needs to be present on each client machine.

Thank you.
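As an added example (not part of this thread, and not a NetScreen or Juniper tool), here is a small Python parser for the ScreenOS IKE log lines quoted in the question. It extracts the XAuth login and expiry events, clusters expirations by peer IP to flag the pattern the asker points out (every user behind 217.33.77.58 expired within a couple of minutes of each other), and reports how long a session lasted where both the login and the expiry line for a user are present. The sample log is constructed from the lines shown in the question; the five-minute clustering window and the assumed line format ("timestamp severity IKE<peer>: message") are assumptions based only on those lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the XAuth lines quoted from the NetScreen-5GT log in the question above.
SAMPLE_LOG = """\
2008-10-02 05:59:33 info IKE<217.33.77.58>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<10.88.84.110>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 07:26:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Sally Peters> at <10.88.84.108/255.255.255.255>.
2008-10-02 07:25:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Bill Jones> at <10.88.84.110/255.255.255.255>.
2008-10-02 07:24:21 info IKE<217.33.77.58>: XAuth login expired and was terminated for username <Phil Smith> at <10.88.84.109/255.255.255.255>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.
"""

# Assumed line layout: timestamp, severity, optional "IKE<peer-ip>" tag, then the message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ "
    r"(?:IKE<(?P<peer>[^>]+)>)?:?\s*(?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"XAuth login was passed for gateway <[^>]*>, username <(?P<user>[^>]+)>")
EXPIRED_RE = re.compile(
    r"XAuth login expired and was terminated for username <(?P<user>[^>]+)> at <(?P<ip>[^/>]+)"
)


def parse_events(text):
    """Extract XAuth login/expiry events as dicts, sorted by time (the device prints newest first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        peer, msg = m.group("peer"), m.group("msg")
        if (lm := LOGIN_RE.search(msg)):
            events.append({"ts": ts, "peer": peer, "kind": "login", "user": lm.group("user"), "ip": None})
        elif (em := EXPIRED_RE.search(msg)):
            events.append({"ts": ts, "peer": peer, "kind": "expired",
                           "user": em.group("user"), "ip": em.group("ip")})
    return sorted(events, key=lambda e: e["ts"])


def find_mass_disconnects(events, window=timedelta(minutes=5), min_users=2):
    """Cluster XAuth expirations per peer IP and report clusters in which at least `min_users`
    distinct users expired within `window` of the first one (the "everyone dropped at once" pattern)."""
    by_peer = defaultdict(list)
    for e in events:
        if e["kind"] == "expired":
            by_peer[e["peer"]].append(e)
    findings = []
    for peer, exps in by_peer.items():
        cluster = [exps[0]]
        for e in exps[1:] + [None]:          # None is a sentinel that flushes the last cluster
            if e is not None and e["ts"] - cluster[0]["ts"] <= window:
                cluster.append(e)
                continue
            users = sorted({c["user"] for c in cluster})
            if len(users) >= min_users:
                findings.append({"peer": peer, "first": cluster[0]["ts"],
                                 "last": cluster[-1]["ts"], "users": users})
            if e is not None:
                cluster = [e]
    return findings


def session_durations(events):
    """Seconds between a user's most recent XAuth login and their expiry, for every (peer, user)
    pair where both lines were seen; users with no login line in the excerpt are omitted."""
    last_login, durations = {}, {}
    for e in events:
        key = (e["peer"], e["user"])
        if e["kind"] == "login":
            last_login[key] = e["ts"]
        elif key in last_login:
            durations[e["user"]] = int((e["ts"] - last_login.pop(key)).total_seconds())
    return durations


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in find_mass_disconnects(evs):
        print(f"peer {f['peer']}: {len(f['users'])} users expired between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}: {', '.join(f['users'])}")
    for user, secs in session_durations(evs).items():
        print(f"{user}: session lasted {secs // 60} min {secs % 60} s before expiry")
```

Run against the quoted excerpt it reports one cluster for peer 217.33.77.58 containing all three users, two minutes apart, and a session length of 1 h 25 min 48 s for Bill Jones. Pointing it at a longer export of the same log lets you check whether the expirations always line up per peer IP (which would point at the remote site) or are spread across peers (which would point at the gateway's own timers).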
 

Accepted Solution

by: juckyt
ID: 22696011
The Cisco router at the remote office is part of the problem: what I have is a NAT-ted Linksys WAP behind a Cisco router set in bridge mode. Secondly, the firewall back in HQ is malfunctioning, being unable to process DNS properly for multiple IPSec connections coming from the same remote location.

I'm going in another direction with this case. Thanks for responding.