Solved

ProSafe FVG318 Only Allowing One Client-Side VPN Connection at a Time

Posted on 2008-10-28
7
1,049 Views
Last Modified: 2012-05-05
Hello all,

One of our clients recently opened an out-of-state branch office with three workstations. We set up a Netgear ProSafe FVG318 VPN Firewall and shipped it to them (we're *not* using the built-in VPN functionality on the router). Walking them through set up was uneventful, and internet works fine through the router. One person at the new branch uses a built-in Windows VPN connection back to a server running 2003 with RAS at the home office. Lots of this client's employees are using a Windows VPN with no problem, but the user at this new branch said she is intermittently disconnected from the VPN 5-6 times throughout the day.

Additionally, last week a couple of the execs visited the branch and wanted to connect to the VPN but they discovered only one person could be connected from that location at a time. I've tested this and verified that's the case. Using different user names on different computers, only one can connect at a time.

When the second person attempts to connect, they stay at "Verifying username and password..." for about 25 seconds and then receive Error 721: "Disconnected" (see attached). In the server Event Log, event ID 20209 shows up (see attached):

A connection between the VPN server and the VPN client XXX.XXX.XXX.XX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

i have gone through all the FVG318 settings and everything checks out from what I can tell. The MTU size is at the default of 1500, the inbound and outbound rules are set to allow all possible VPN traffic, all the VPN pass-through boxes are checked. I also did the most recent firmware update to the firewall but the symptoms I described don't change.

I've been unable to find any documtation related to being able to establish only one VPN connection at a time behind a given firewall. Any help is greatly appreciated.

-Gus
Error-721.JPG
Event-ID-20209.JPG
0
Comment
Question by:egmtech
  • 3
  • 3
7 Comments
 
LVL 15

Expert Comment

by:bkepford
ID: 22853288
IPSec is an IP to IP relationship when you are behind a router using PAT (port address translation) you only have one IP address so only one user can connect at a time.
What I have had to do is setup a LAN to LAN tunnel. This works fine.
0
 

Author Comment

by:egmtech
ID: 22854425
Hey bkepford,

Sorry, this is PPTP the Windows clients are using, and we have another branch behind a router with multiple clients connected to the VPN all the time. I did look into using the FVG318's ability to connect to the VPN itself, but I'm lost with all the available settings and would rather not pursue that route anyway.

Thanks for the suggestion!

-Gus
0
 
LVL 15

Expert Comment

by:bkepford
ID: 22867425
If your having a lot of disconnects you may look at your MTU size on your clients. They should all be set to around 1300.
If your using DSL I would make sure the router MTU is 1492 or below.
This shouldn't cause the one user a time issue except for the congestion problems.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:egmtech
ID: 22870723
I tried earlier setting it to 1400, but I ended up having to walk one of the employees through reverting back to the detault over the phone because internet died along with my remote connection. I'm not that familiar with MTU sizes; would 1300 be that much different, and any idea why it died?

If it were just disconnects going on, I would think changing the MTU size might help but since there's also a strict limitation of one VPN connection at a time, MTU seems less likely to me.

I ended up public-facing the Terminal Server and securing it as best as I can. If you or anyone has any other ideas, it would still be nice to get VPN working. But for now, we've bypassed it for Remote Desktop usage.

Thanks again.
0
 

Accepted Solution

by:
egmtech earned 0 total points
ID: 22870758
Incidentally, I do believe I've answered my own question of why anyone buys the much more expensive Cisco or Enterasys routers. :)
0
 
LVL 15

Expert Comment

by:bkepford
ID: 22877902
The MTU size shouldn't have hurt but lets not go that route. IPSEC headers add usually 80k of overhead added to the orginal packet. Thats why you change the MTU so the packet is created as a 1400 packet and when you add the IPSec overhead you never get over the 1500 mtu size. The reason you go even lower is that any kind of overhead added to the packet after IPSec can cause problems.
Good luck with the TS server if it works for you it works for me.
 
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question