Solved

ProSafe FVG318 Only Allowing One Client-Side VPN Connection at a Time

Posted on 2008-10-28
Last Modified: 2012-05-05
Hello all,

One of our clients recently opened an out-of-state branch office with three workstations. We set up a Netgear ProSafe FVG318 VPN Firewall and shipped it to them (we're *not* using the built-in VPN functionality on the router). Walking them through set up was uneventful, and internet works fine through the router. One person at the new branch uses a built-in Windows VPN connection back to a server running 2003 with RAS at the home office. Lots of this client's employees are using a Windows VPN with no problem, but the user at this new branch said she is intermittently disconnected from the VPN 5-6 times throughout the day.

Additionally, last week a couple of the execs visited the branch and wanted to connect to the VPN but they discovered only one person could be connected from that location at a time. I've tested this and verified that's the case. Using different user names on different computers, only one can connect at a time.

When the second person attempts to connect, they stay at "Verifying username and password..." for about 25 seconds and then receive Error 721: "Disconnected" (see attached). In the server Event Log, event ID 20209 shows up (see attached):

A connection between the VPN server and the VPN client XXX.XXX.XXX.XX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

I have gone through all the FVG318 settings and everything checks out from what I can tell. The MTU size is at the default of 1500, the inbound and outbound rules are set to allow all possible VPN traffic, all the VPN pass-through boxes are checked. I also did the most recent firmware update to the firewall but the symptoms I described don't change.

I've been unable to find any documentation related to being able to establish only one VPN connection at a time behind a given firewall. Any help is greatly appreciated.

-Gus
Error-721.JPG
Event-ID-20209.JPG
Question by:egmtech
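
The event 20209 text quoted in the question points at GRE (IP protocol 47). As an added example (not part of the original thread), the Python below parses the PPTP enhanced GRE header defined in RFC 2637 and counts packets per source, destination and Call ID, which is one way to check from a server-side capture whether GRE from each client behind the branch firewall is arriving. The packets and addresses are constructed, and the helper names are hypothetical.

```python
import struct
from collections import Counter

GRE_PROTO = 47          # IP protocol number named in event 20209
PPTP_GRE_TYPE = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)

def parse_pptp_gre(ip_packet: bytes):
    """Return (src, dst, call_id, seq, ack) for a PPTP GRE packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or ip_packet[9] != GRE_PROTO or len(ip_packet) < ihl + 8:
        return None
    src = ".".join(map(str, ip_packet[12:16]))
    dst = ".".join(map(str, ip_packet[16:20]))
    flags, proto, _plen, call_id = struct.unpack_from("!HHHH", ip_packet, ihl)
    # Enhanced GRE: version 1, Key bit (0x2000) set, protocol type 0x880B.
    if (flags & 0x0007) != 1 or not (flags & 0x2000) or proto != PPTP_GRE_TYPE:
        return None
    off, seq, ack = ihl + 8, None, None
    try:
        if flags & 0x1000:  # S bit: sequence number present
            (seq,) = struct.unpack_from("!I", ip_packet, off)
            off += 4
        if flags & 0x0080:  # A bit: acknowledgment number present
            (ack,) = struct.unpack_from("!I", ip_packet, off)
    except struct.error:    # truncated capture
        return None
    return src, dst, call_id, seq, ack

def gre_sessions(packets):
    """Count PPTP GRE packets per (src, dst, call_id); other traffic is skipped."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_pptp_gre(pkt)
        if parsed:
            counts[parsed[:3]] += 1
    return dict(counts)

def _sample(src, dst, call_id, seq, proto=GRE_PROTO):
    """Constructed IPv4 packet (checksum left 0) carrying a PPTP GRE header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 0, 0, 64, proto, 0,
                     bytes(src), bytes(dst))
    return ip + struct.pack("!HHHHI", 0x3001, PPTP_GRE_TYPE, 0, call_id, seq)

NAT, SRV = (203, 0, 113, 10), (198, 51, 100, 5)  # constructed addresses
SAMPLE = [_sample(NAT, SRV, 0x1A2B, 1), _sample(NAT, SRV, 0x1A2B, 2),
          _sample(NAT, SRV, 0x3C4D, 1), _sample(NAT, SRV, 0x1A2B, 3, proto=6)]
```

In the constructed sample, two Call IDs appear from the same translated source address and the non-GRE packet is ignored.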
7 Comments
 
LVL 15

Expert Comment

by:bkepford
ID: 22853288
IPSec is an IP-to-IP relationship. When you are behind a router using PAT (port address translation), you only have one IP address, so only one user can connect at a time.
What I have had to do is set up a LAN-to-LAN tunnel. This works fine.
0
 

Author Comment

by:egmtech
ID: 22854425
Hey bkepford,

Sorry, this is PPTP the Windows clients are using, and we have another branch behind a router with multiple clients connected to the VPN all the time. I did look into using the FVG318's ability to connect to the VPN itself, but I'm lost with all the available settings and would rather not pursue that route anyway.

Thanks for the suggestion!

-Gus
0
 
LVL 15

Expert Comment

by:bkepford
ID: 22867425
If you're having a lot of disconnects, you may look at your MTU size on your clients. They should all be set to around 1300.
If you're using DSL, I would make sure the router MTU is 1492 or below.
This shouldn't cause the one-user-at-a-time issue except for the congestion problems.
0
 

Author Comment

by:egmtech
ID: 22870723
I tried earlier setting it to 1400, but I ended up having to walk one of the employees through reverting back to the default over the phone because internet died along with my remote connection. I'm not that familiar with MTU sizes; would 1300 be that much different, and any idea why it died?

If it were just disconnects going on, I would think changing the MTU size might help but since there's also a strict limitation of one VPN connection at a time, MTU seems less likely to me.

I ended up public-facing the Terminal Server and securing it as best as I can. If you or anyone has any other ideas, it would still be nice to get VPN working. But for now, we've bypassed it for Remote Desktop usage.

Thanks again.
0
 

Accepted Solution

by:egmtech
ID: 22870758
Incidentally, I do believe I've answered my own question of why anyone buys the much more expensive Cisco or Enterasys routers. :)
0
 
LVL 15

Expert Comment

by:bkepford
ID: 22877902
The MTU size shouldn't have hurt, but let's not go that route. IPSEC headers usually add 80k of overhead to the original packet. That's why you change the MTU, so the packet is created as a 1400 packet and when you add the IPSec overhead you never get over the 1500 MTU size. The reason you go even lower is that any kind of overhead added to the packet after IPSec can cause problems.
Good luck with the TS server; if it works for you, it works for me.
 
0
