ProSafe FVG318 Only Allowing One Client-Side VPN Connection at a Time

Posted on 2008-10-28
Last Modified: 2012-05-05
Hello all,

One of our clients recently opened an out-of-state branch office with three workstations. We set up a Netgear ProSafe FVG318 VPN Firewall and shipped it to them (we're *not* using the built-in VPN functionality on the router). Walking them through set up was uneventful, and internet works fine through the router. One person at the new branch uses a built-in Windows VPN connection back to a server running 2003 with RAS at the home office. Lots of this client's employees are using a Windows VPN with no problem, but the user at this new branch said she is intermittently disconnected from the VPN 5-6 times throughout the day.

Additionally, last week a couple of the execs visited the branch and wanted to connect to the VPN but they discovered only one person could be connected from that location at a time. I've tested this and verified that's the case. Using different user names on different computers, only one can connect at a time.

When the second person attempts to connect, they stay at "Verifying username and password..." for about 25 seconds and then receive Error 721: "Disconnected" (see attached). In the server Event Log, event ID 20209 shows up (see attached):

A connection between the VPN server and the VPN client XXX.XXX.XXX.XX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

i have gone through all the FVG318 settings and everything checks out from what I can tell. The MTU size is at the default of 1500, the inbound and outbound rules are set to allow all possible VPN traffic, all the VPN pass-through boxes are checked. I also did the most recent firmware update to the firewall but the symptoms I described don't change.

I've been unable to find any documtation related to being able to establish only one VPN connection at a time behind a given firewall. Any help is greatly appreciated.

Question by:egmtech
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 15

Expert Comment

ID: 22853288
IPSec is an IP to IP relationship when you are behind a router using PAT (port address translation) you only have one IP address so only one user can connect at a time.
What I have had to do is setup a LAN to LAN tunnel. This works fine.

Author Comment

ID: 22854425
Hey bkepford,

Sorry, this is PPTP the Windows clients are using, and we have another branch behind a router with multiple clients connected to the VPN all the time. I did look into using the FVG318's ability to connect to the VPN itself, but I'm lost with all the available settings and would rather not pursue that route anyway.

Thanks for the suggestion!

LVL 15

Expert Comment

ID: 22867425
If your having a lot of disconnects you may look at your MTU size on your clients. They should all be set to around 1300.
If your using DSL I would make sure the router MTU is 1492 or below.
This shouldn't cause the one user a time issue except for the congestion problems.
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.


Author Comment

ID: 22870723
I tried earlier setting it to 1400, but I ended up having to walk one of the employees through reverting back to the detault over the phone because internet died along with my remote connection. I'm not that familiar with MTU sizes; would 1300 be that much different, and any idea why it died?

If it were just disconnects going on, I would think changing the MTU size might help but since there's also a strict limitation of one VPN connection at a time, MTU seems less likely to me.

I ended up public-facing the Terminal Server and securing it as best as I can. If you or anyone has any other ideas, it would still be nice to get VPN working. But for now, we've bypassed it for Remote Desktop usage.

Thanks again.

Accepted Solution

egmtech earned 0 total points
ID: 22870758
Incidentally, I do believe I've answered my own question of why anyone buys the much more expensive Cisco or Enterasys routers. :)
LVL 15

Expert Comment

ID: 22877902
The MTU size shouldn't have hurt but lets not go that route. IPSEC headers add usually 80k of overhead added to the orginal packet. Thats why you change the MTU so the packet is created as a 1400 packet and when you add the IPSec overhead you never get over the 1500 mtu size. The reason you go even lower is that any kind of overhead added to the packet after IPSec can cause problems.
Good luck with the TS server if it works for you it works for me.

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question