ProSafe FVG318 Only Allowing One Client-Side VPN Connection at a Time

Posted on 2008-10-28
Last Modified: 2012-05-05
Hello all,

One of our clients recently opened an out-of-state branch office with three workstations. We set up a Netgear ProSafe FVG318 VPN Firewall and shipped it to them (we're *not* using the built-in VPN functionality on the router). Walking them through set up was uneventful, and internet works fine through the router. One person at the new branch uses a built-in Windows VPN connection back to a server running 2003 with RAS at the home office. Lots of this client's employees are using a Windows VPN with no problem, but the user at this new branch said she is intermittently disconnected from the VPN 5-6 times throughout the day.

Additionally, last week a couple of the execs visited the branch and wanted to connect to the VPN but they discovered only one person could be connected from that location at a time. I've tested this and verified that's the case. Using different user names on different computers, only one can connect at a time.

When the second person attempts to connect, they stay at "Verifying username and password..." for about 25 seconds and then receive Error 721: "Disconnected" (see attached). In the server Event Log, event ID 20209 shows up (see attached):

A connection between the VPN server and the VPN client XXX.XXX.XXX.XX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

i have gone through all the FVG318 settings and everything checks out from what I can tell. The MTU size is at the default of 1500, the inbound and outbound rules are set to allow all possible VPN traffic, all the VPN pass-through boxes are checked. I also did the most recent firmware update to the firewall but the symptoms I described don't change.

I've been unable to find any documtation related to being able to establish only one VPN connection at a time behind a given firewall. Any help is greatly appreciated.

Question by:egmtech
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 15

Expert Comment

ID: 22853288
IPSec is an IP to IP relationship when you are behind a router using PAT (port address translation) you only have one IP address so only one user can connect at a time.
What I have had to do is setup a LAN to LAN tunnel. This works fine.

Author Comment

ID: 22854425
Hey bkepford,

Sorry, this is PPTP the Windows clients are using, and we have another branch behind a router with multiple clients connected to the VPN all the time. I did look into using the FVG318's ability to connect to the VPN itself, but I'm lost with all the available settings and would rather not pursue that route anyway.

Thanks for the suggestion!

LVL 15

Expert Comment

ID: 22867425
If your having a lot of disconnects you may look at your MTU size on your clients. They should all be set to around 1300.
If your using DSL I would make sure the router MTU is 1492 or below.
This shouldn't cause the one user a time issue except for the congestion problems.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 22870723
I tried earlier setting it to 1400, but I ended up having to walk one of the employees through reverting back to the detault over the phone because internet died along with my remote connection. I'm not that familiar with MTU sizes; would 1300 be that much different, and any idea why it died?

If it were just disconnects going on, I would think changing the MTU size might help but since there's also a strict limitation of one VPN connection at a time, MTU seems less likely to me.

I ended up public-facing the Terminal Server and securing it as best as I can. If you or anyone has any other ideas, it would still be nice to get VPN working. But for now, we've bypassed it for Remote Desktop usage.

Thanks again.

Accepted Solution

egmtech earned 0 total points
ID: 22870758
Incidentally, I do believe I've answered my own question of why anyone buys the much more expensive Cisco or Enterasys routers. :)
LVL 15

Expert Comment

ID: 22877902
The MTU size shouldn't have hurt but lets not go that route. IPSEC headers add usually 80k of overhead added to the orginal packet. Thats why you change the MTU so the packet is created as a 1400 packet and when you add the IPSec overhead you never get over the 1500 mtu size. The reason you go even lower is that any kind of overhead added to the packet after IPSec can cause problems.
Good luck with the TS server if it works for you it works for me.

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question