WatchGuard VPN client connection is dropped intermittently
My remote users connect to the corporate office using WatchGuard VPN Client on Windows XP. In the corporate office is a FireBox X Edge X55e.
Most of the time, clients can connect and use the FireBox to connect remotely to their desktops using Remote Desktop Connection. On enough occasions to warrant this post, however, the connection drops without warning in the middle of their session. There does not seem to be any particular task they are doing, they just loose connectivity. The way they know this is not that WatchGuard produces an error, but simply that there Remote Desktop ends the session with the standard, "The computer can't connect to the remote computer" message from Remote Desktop.
Besides that, the WatchGuard monitor in the tooltray, and the WatchGuard monitor screen still indicates a connection is established and active (Green Light!).
In order for the user to get "back in". They must click the "Disconnect" button, and then click the "Connect" button again. This will re-establish the connection, and they can work again. A few minutes later, the same thing happens.
There are some errors in the log such as:
"iked Received a packet from an unknown SA"
"kernel checkout_cb: freelist exhausted"
Since this is intermittent, it's very hard to track. Is anyone else having this problem?
Most of the time, clients can connect and use the FireBox to connect remotely to their desktops using Remote Desktop Connection. On enough occasions to warrant this post, however, the connection drops without warning in the middle of their session. There does not seem to be any particular task they are doing, they just loose connectivity. The way they know this is not that WatchGuard produces an error, but simply that there Remote Desktop ends the session with the standard, "The computer can't connect to the remote computer" message from Remote Desktop.
Besides that, the WatchGuard monitor in the tooltray, and the WatchGuard monitor screen still indicates a connection is established and active (Green Light!).
In order for the user to get "back in". They must click the "Disconnect" button, and then click the "Connect" button again. This will re-establish the connection, and they can work again. A few minutes later, the same thing happens.
There are some errors in the log such as:
"iked Received a packet from an unknown SA"
"kernel checkout_cb: freelist exhausted"
Since this is intermittent, it's very hard to track. Is anyone else having this problem?
ASKER
dpk wall:
Thanks for your message. Since the problem is intermittent, I cannot check on the items you suggested. Typically a user will come in the next day, or send an email messge at the end of the day that they were kicked off X number of times. This weekend, I kept a session open for a full 48 hours without interruption. I had Remote Desktop open over the VPN, and had a program reading a writing 2MB chunks to a file just for a lot of traffic. Not once did I drop the connection. During this test, I had no other programs open, including Outlook.
I also physically unplugged my machine (ethernet cable), and then plugged it back in about 20 seconds later. The VPN picked back up with no problem.
I have a ticket in with Watchguard to check on the problem. I don't have any client logs yet, as I was just assigned the problem on Fri.
The only common thread I can find so far is Outlook seems to be in use at the times the outages are reported. This can be Outlook on the client side using Exchange mode (not POP3 or IMAP), or Remote Desktop with Outlook running on the users desktop. We are also using Microsoft CRM 3.0.
Thanks.
Thanks for your message. Since the problem is intermittent, I cannot check on the items you suggested. Typically a user will come in the next day, or send an email messge at the end of the day that they were kicked off X number of times. This weekend, I kept a session open for a full 48 hours without interruption. I had Remote Desktop open over the VPN, and had a program reading a writing 2MB chunks to a file just for a lot of traffic. Not once did I drop the connection. During this test, I had no other programs open, including Outlook.
I also physically unplugged my machine (ethernet cable), and then plugged it back in about 20 seconds later. The VPN picked back up with no problem.
I have a ticket in with Watchguard to check on the problem. I don't have any client logs yet, as I was just assigned the problem on Fri.
The only common thread I can find so far is Outlook seems to be in use at the times the outages are reported. This can be Outlook on the client side using Exchange mode (not POP3 or IMAP), or Remote Desktop with Outlook running on the users desktop. We are also using Microsoft CRM 3.0.
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Shagrat13,
So are you saying it was a memory exhaustion issue after you talked to WG support? If so, what was the resolution to the original issue? Newer watchguard with more memory? Software upgrade?
Thanks,
Berne
So are you saying it was a memory exhaustion issue after you talked to WG support? If so, what was the resolution to the original issue? Newer watchguard with more memory? Software upgrade?
Thanks,
Berne
>> kernel checkout_cb: freelist exhausted
If you have current support contract with Watchguard I would suggest you to chcek with them what this entry indicates; to me; this entry indicates some exhaustion [may be memory]; if that is the case; it can be a potential bug in the code.
Regarding the problem I would like to know the frequency with which the problem occurs; is it specific to specific user/time; or can you check if the problem happens when the box is under heavy load. When the problem occurs is it possible for you to take a snapshot of the current memory and CPU utilization; also, the traffic load and number of remote users logged in.
Finally, if you also paste some logs from the client that might be helpful as well.
Please check and update.
Thank you.