Unstable VPN Connection: Is it the Remote Office setup or the Netscreen VPN device?

Posted on 2008-10-02
Medium Priority
Last Modified: 2012-05-05

This question examines a problem I'm experiencing: users at the Remote Office are having difficulty connecting back to HQ using an IPSec VPN client connection. I believe the Netscreen VPN device at HQ to be configured correctly; it's the Remote Office setup I want to spend most of our time discussing.

I have a user in the Remote Office who connects to the Internet through a Linksys Wireless Router. The Linksys WAP distributes DHCP and serves as the office switch as well as the gateway to the ISP router. This user wants to connect back to HQ using a pre-configured Netscreen Remote Client. The software is set up to use IKE with XAuth and a Pre-Shared Key. The Netscreen VPN device at HQ has a Public IP of and distributes IP addresses to requesting VPN clients from an IP Pool range of . The user connects fine and gets assigned an IP Address of , which, for all intents and purposes, should be enough to allow the remote user to clearly access any network resources on the subnet...in particular, the webserver, 192.1268.2.25.

The remote user reports that their IPSec tunnel back to HQ is unstable and they often get booted off for no apparent reason. Here's where it gets weird. From HQ, I am unable to PING the WAN IP of the Remote Office router, , which is very odd, but I can PING the Linksys WAP configured with a Public IP of . Again, so weird. My sneaking suspicion is that IPSec packets are getting dropped or confounded by the setup at the Remote Office. I'd like your insight in finding out if this is truly the case.

Here is some log information from the Netscreen device in HQ about the remote user's connection status:
(Initial Connection)
2008-10-02 05:59:33 info IKE<> Phase 2 msg ID <e63e3a26>: Completed negotiations with SPI <9750d120>, tunnel ID <32820>, and lifetime <3600> seconds/<0> KB.
2008-10-02 05:59:33 info IKE<> Phase 2 msg ID <e63e3a26>: Responded to the peer's first message.
2008-10-02 05:59:33 info IKE<>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 05:59:02 info IKE<>: Received initial contact notification and removed Phase 1 SAs.
2008-10-02 05:59:02 info IKE<> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-10-02 05:59:02 info IKE<> Phase 1: Completed for user <Bill Jones>.
2008-10-02 05:59:02 info IKE<>: Received initial contact notification and removed Phase 2 SAs.
2008-10-02 05:59:02 info IKE<>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2008-10-02 05:59:02 info IKE<>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
2008-10-02 05:59:02 info IKE<> Phase 1: Responder starts AGGRESSIVE mode negotiations.

(Unexpected Disconnect)
2008-10-02 07:26:21 info IKE<>: XAuth login expired and was terminated for username <Sally Peters> at <>.
2008-10-02 07:25:21 info IKE<>: XAuth login expired and was terminated for username <Bill Jones> at <>.
2008-10-02 07:24:21 info IKE<>: XAuth login expired and was terminated for username <Phil Smith> at <>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.


The clients are Windows XP machines using the latest Netscreen Remote client software. The VPN device in HQ is a Netscreen-5GT.

I need to stabilize the client VPN connections at this Remote Office. At least I need to rule out the Netscreen VPN device itself as the problem. I'm sure there is something amiss with the Linksys-to-Router relationship at the Remote Office that's part of the problem here. Let me know what you think...

Question by:juckyt
LVL 32

Expert Comment

ID: 22632456
The log messages which you have posted indicate that the idle timeout is reached, causing the tunnel termination.

>> XAuth login expired
>> info Phase 2 SA for tunnel ID 8035 has been idle too long

For the first case, check the idle timeout settings on your server and increase them; or, for both cases, create a batch file for the users which would send 1 ping packet over the VPN tunnel every 1 minute; this way the idle timeout would not be reached. The users would need to execute the file once the VPN is established.

The sample batch file can look like this:
:loop
ping <ip-address-of-remote-end> -n 1
sleep 60
goto loop

The above script loops forever and uses the sleep utility [not found natively on Windows]; this can be downloaded from the internet and needs to be present on each client machine.

Thank you.
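The diagnosis above rests on reading the gateway log: pairing each user's XAuth login with the later "XAuth login expired" line, and separating those from "Phase 2 SA ... idle too long" teardowns. The script below is an added example, not code from the question or the expert's answer. It parses the exact line shapes quoted in the question (the sample is constructed from those lines, with the blanked-out IKE<> peer addresses left empty as on the page), computes each user's session length and the configured Session-Timeout/Idle-Timeout values, counts teardown reasons, and compares the session length against the negotiated Phase 2 lifetime. Function and field names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the log lines quoted in the question, as printed there
# (newest-first within each block; peer addresses were blanked on the page).
SAMPLE_LOG = """\
2008-10-02 05:59:33 info IKE<> Phase 2 msg ID <e63e3a26>: Completed negotiations with SPI <9750d120>, tunnel ID <32820>, and lifetime <3600> seconds/<0> KB.
2008-10-02 05:59:33 info IKE<>: XAuth login was passed for gateway <VPN GW>, username <Bill Jones>, retry: 0, Client IP Addr<>, IPPool name:<Employee>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2008-10-02 05:59:02 info IKE<> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2008-10-02 07:26:21 info IKE<>: XAuth login expired and was terminated for username <Sally Peters> at <>.
2008-10-02 07:25:21 info IKE<>: XAuth login expired and was terminated for username <Bill Jones> at <>.
2008-10-02 07:24:21 info IKE<>: XAuth login expired and was terminated for username <Phil Smith> at <>.
2008-10-02 07:24:21 info Phase 2 SA for tunnel ID 8035 has been idle too long. Deactivated P2 SA and sent a Delete msg to peer.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
# Event kinds are my own labels; each regex is anchored at line start via re.match.
PATTERNS = [
    ("xauth_ok", re.compile(TS + r" info IKE<[^>]*>: XAuth login was passed .*?username <(?P<user>[^>]+)>"
                            r".*?Session-Timeout:<(?P<sess>[^>]+)>, Idle-Timeout:<(?P<idle>[^>]+)>")),
    ("xauth_expired", re.compile(TS + r" info IKE<[^>]*>: XAuth login expired and was terminated for username <(?P<user>[^>]+)>")),
    ("p2_idle", re.compile(TS + r" info Phase 2 SA for tunnel ID (?P<tunnel>\d+) has been idle too long")),
    ("p2_up", re.compile(TS + r" info IKE<[^>]*> Phase 2 .*?tunnel ID <(?P<tunnel>\d+)>, and lifetime <(?P<life>\d+)> seconds")),
    ("p1_up", re.compile(TS + r" info IKE<[^>]*> Phase 1: Completed Aggressive mode negotiations with a <(?P<life>\d+)>-second lifetime")),
]


def parse_netscreen_log(text):
    """Turn recognised log lines into dicts sorted by timestamp; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
                events.append(ev)
                break
    events.sort(key=lambda e: e["ts"])  # stable: same-second lines keep file order
    return events


def negotiated_lifetimes(events):
    """Phase 1 / Phase 2 SA lifetimes (seconds) as logged by the gateway."""
    out = {}
    for e in events:
        if e["kind"] == "p1_up":
            out["phase1"] = int(e["life"])
        elif e["kind"] == "p2_up":
            out["phase2"] = int(e["life"])
    return out


def session_report(events):
    """Pair each XAuth login with that user's next expiry; count teardown reasons."""
    lifetimes = negotiated_lifetimes(events)
    login_at, sessions, teardowns = {}, [], defaultdict(int)
    for e in events:
        if e["kind"] == "xauth_ok":
            login_at[e["user"]] = e
        elif e["kind"] == "xauth_expired":
            teardowns["xauth_expired"] += 1
            start = login_at.pop(e["user"], None)
            dur = int((e["ts"] - start["ts"]).total_seconds()) if start else None
            sessions.append({
                "user": e["user"],
                "duration_s": dur,  # None when the login line is not in the excerpt
                "configured_session": start["sess"] if start else None,
                "configured_idle": start["idle"] if start else None,
                # True means the tunnel survived at least one Phase 2 rekey before dropping.
                "outlived_p2_lifetime": (dur > lifetimes["phase2"]) if (dur is not None and "phase2" in lifetimes) else None,
            })
        elif e["kind"] == "p2_idle":
            teardowns["p2_idle"] += 1
    return {"lifetimes": lifetimes, "sessions": sessions, "teardowns": dict(teardowns)}


if __name__ == "__main__":
    rep = session_report(parse_netscreen_log(SAMPLE_LOG))
    print("SA lifetimes:", rep["lifetimes"])
    print("teardowns by reason:", rep["teardowns"])
    for s in rep["sessions"]:
        print(s)
```

Feed it a longer export from the 5GT and the per-user durations show whether drops cluster at a fixed interval (a timer) or at random (more consistent with the path problem the asker suspects); sessions whose login line is outside the excerpt are reported with a None duration rather than guessed.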

Accepted Solution

juckyt earned 0 total points
ID: 22696011
The Cisco Router at the remote office is part of the problem: what I have is a NAT-ted Linksys WAP behind a Cisco router set in Bridge mode. Secondly, the Firewall back in HQ is malfunctioning, being unable to process DNS properly for multiple IPSec connections coming from the same remote location.

I'm going in another direction with this case. Thanks for responding
