• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1062
  • Last Modified:

ProSafe FVG318 Only Allowing One Client-Side VPN Connection at a Time

Hello all,

One of our clients recently opened an out-of-state branch office with three workstations. We set up a Netgear ProSafe FVG318 VPN Firewall and shipped it to them (we're *not* using the built-in VPN functionality on the router). Walking them through set up was uneventful, and internet works fine through the router. One person at the new branch uses a built-in Windows VPN connection back to a server running 2003 with RAS at the home office. Lots of this client's employees are using a Windows VPN with no problem, but the user at this new branch said she is intermittently disconnected from the VPN 5-6 times throughout the day.

Additionally, last week a couple of the execs visited the branch and wanted to connect to the VPN but they discovered only one person could be connected from that location at a time. I've tested this and verified that's the case. Using different user names on different computers, only one can connect at a time.

When the second person attempts to connect, they stay at "Verifying username and password..." for about 25 seconds and then receive Error 721: "Disconnected" (see attached). In the server Event Log, event ID 20209 shows up (see attached):

A connection between the VPN server and the VPN client XXX.XXX.XXX.XX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

i have gone through all the FVG318 settings and everything checks out from what I can tell. The MTU size is at the default of 1500, the inbound and outbound rules are set to allow all possible VPN traffic, all the VPN pass-through boxes are checked. I also did the most recent firmware update to the firewall but the symptoms I described don't change.

I've been unable to find any documtation related to being able to establish only one VPN connection at a time behind a given firewall. Any help is greatly appreciated.

-Gus
Error-721.JPG
Event-ID-20209.JPG
0
egmtech
Asked:
egmtech
  • 3
  • 3
1 Solution
 
bkepfordCommented:
IPSec is an IP to IP relationship when you are behind a router using PAT (port address translation) you only have one IP address so only one user can connect at a time.
What I have had to do is setup a LAN to LAN tunnel. This works fine.
0
 
egmtechAuthor Commented:
Hey bkepford,

Sorry, this is PPTP the Windows clients are using, and we have another branch behind a router with multiple clients connected to the VPN all the time. I did look into using the FVG318's ability to connect to the VPN itself, but I'm lost with all the available settings and would rather not pursue that route anyway.

Thanks for the suggestion!

-Gus
0
 
bkepfordCommented:
If your having a lot of disconnects you may look at your MTU size on your clients. They should all be set to around 1300.
If your using DSL I would make sure the router MTU is 1492 or below.
This shouldn't cause the one user a time issue except for the congestion problems.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
egmtechAuthor Commented:
I tried earlier setting it to 1400, but I ended up having to walk one of the employees through reverting back to the detault over the phone because internet died along with my remote connection. I'm not that familiar with MTU sizes; would 1300 be that much different, and any idea why it died?

If it were just disconnects going on, I would think changing the MTU size might help but since there's also a strict limitation of one VPN connection at a time, MTU seems less likely to me.

I ended up public-facing the Terminal Server and securing it as best as I can. If you or anyone has any other ideas, it would still be nice to get VPN working. But for now, we've bypassed it for Remote Desktop usage.

Thanks again.
0
 
egmtechAuthor Commented:
Incidentally, I do believe I've answered my own question of why anyone buys the much more expensive Cisco or Enterasys routers. :)
0
 
bkepfordCommented:
The MTU size shouldn't have hurt but lets not go that route. IPSEC headers add usually 80k of overhead added to the orginal packet. Thats why you change the MTU so the packet is created as a 1400 packet and when you add the IPSec overhead you never get over the 1500 mtu size. The reason you go even lower is that any kind of overhead added to the packet after IPSec can cause problems.
Good luck with the TS server if it works for you it works for me.
 
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now