VPN disconnects after few minutes

Hi experts,

I am back again with my VPN problem.

I have Windows Server 2008 behind D-link DFL 1700 firewall. Server is setup as simple RRAS with VPN server.
Sometimes it works great, no problems, but most of the time the VPN connects successfully and then, after a few minutes, the VPN begins having problems:

1.) first, after a few minutes, all data transfer is lost, RDP disconnects and cannot connect back, file transfers are dropped, BUT pinging the VPN server still works!
2.) after another minute or so, PING to the VPN server drops as well, but on the client side the VPN tunnel still shows the "Connected" state
3.) if I try to reconnect IMMEDIATELY, the VPN dial-up times out on "Verifying username and password" and drops with Error 806
4.) I need to WAIT at least 3-5 minutes for the next successful VPN dial-up
5.) GOTO (1)

I am SURE that there is no problem on the client side, because I have 3 computers on the client side, Windows 2003, 2008 and Vista, and all have the same problems. Also, all 3 client computers can connect to ANY other VPN server, and I have lots of them all around the world for remote management.

So, the problem is DEFINITELY on the server side (Windows 2003 Server R2 with SP2):
- either some weird DFL-1700 function, which begins blocking VPN after some time
- or some Windows Server 2003 VPN defect
- or something AD related (the VPN server is NOT a DC, but is a member of the domain; VPN clients are domain users)

Any idea?
Andrej Pirman asked:
Andrej Pirman (Author) commented:
Maybe for consideration:
- Although VPN is set to allow 128 ports (128 connections, right?), it seems to behave problematically only if there is more than 1 single connection. I was connected today after work hours without problem.
- Might it be that the NIC adapter is causing trouble? The NIC is configured with Broadcom BACS to make a TEAM of 2 x Gigabit NIC adapters.

You can easily determine whether the Teaming is causing this by dissolving the team and disabling the NIC that isn't at the top of the binding order.  You can determine what NIC is on top by using the Advanced>Advanced Settings menu entry in the Network Connections applet.

If you maintain a strong connection, then it's how the Teaming was set up.  The switch MUST support the IEEE 802.3ad Link Aggregation Control Protocol (LACP) or Automatic Teaming won't work properly.

You can use Switch Assisted Load Balancing if you are able to put both switch ports into a port group.  The switch must support port aggregation for this to work.

If all this isn't an option, then you'll have to use a single NIC.

Andrej Pirman (Author) commented:
Hi Netman66, thanx for reply.

Yes, my Gigabit switch supports IEEE 802.3ad, but I did not create a Link Aggregation, nor did I use any switch-side configuration. I have 8 servers, all configured with simple NIC Teaming for Load Balancing/Failover (Active-Active), and for LAN all seem to have worked fine for the past year or two.

Servers are all connected with both NIC-Teamed adapters to 1 switch.

Do you think I should reconfigure Switch?
Another thing regarding VPN:

It's DEFINITE that when somebody is the only VPN user connected, the VPN tunnel will stay up and be functional for hours without problems. But as soon as another user connects, VPN begins playing its dirty game, described in my initial post.
If your switch supports LACP then you should be good with that.  On this one server though, I would disable a NIC to see if your issue goes away - you have to eliminate the Teaming/Dual-homed part of the equation.

Andrej Pirman (Author) commented:
I'll give it a try.
Andrej Pirman (Author) commented:
I did as suggested, but there is no difference after removing the TEAMED NICs. As soon as the 2nd VPN user kicks in, he is disconnected as described in my initial post. It must be related to the RRAS config, or something in Group Policy, or some other restriction... or even some cache, temporary something... but I doubt very much it could be related to networking outside the VPN server.

Any other suggestion?
Andrej Pirman (Author) commented:
My further investigation brought me to the conclusion that there is definitely something wrong with the VPN RRAS server settings.
As of now, my focus is on the RRAS policy settings, where the Multilink settings define that the line drops to a single port when 50% of line capacity is in use for more than 2 minutes. This all fits the behaviour I described above: when there are 2 VPN users, the 2nd user gets disconnected after approx. 2 minutes.

Now, the question is:
If you look at the attached screenshot, I am wondering what CAPACITY is in play here. What parameters does this setting look at when determining 50% of capacity for BAP?
You don't need to use those settings unless you are aggregating modems.

If your server has 2 NICs using teaming then this setting should not be used - set this to Do not use.

Andrej Pirman (Author) commented:
Hi Netman,

thanx for the hint. I removed Multilink (actually, I selected "Do not allow multilink connections") and the VPN server now works as before.

Unfortunately, my problem is still present - as soon as there are 2 or more VPN users connected, all additional VPN connections lose connectivity after a minute or two; only the 1st VPN user is still functional. The VPN does actually NOT drop, but just loses all connectivity with the server: no ping, no other traffic anymore.

Still looking for a solution or advice.

Do you have License Manager installed?  Is there an indication that there is a license problem if it is?

Sometimes SBS (not saying you are using this) does some weird stuff when the licensing module isn't correctly setup.

As for how the firewall is routing traffic, can this device manage more than one VPN passthrough properly?

Andrej Pirman (Author) commented:
Thanx for the ideas... :)

No, I am not using SBS, but a full-featured AD environment on Enterprise versions and with more than enough licences. There are 100 CALs and not more than 50 users at any time.

The RRAS/VPN server is one of 5 servers which are members of the domain, and there are an additional 2 DCs. Each of the 5 servers has on average only 1 dedicated role: one is SQL, the 2nd is Exchange, then Application, etc.

Ok, lets draw the route:

INTERNET --> Optical2Ethernet conversion --> Cisco CATALYST switch --> Cisco 1800 firewall & router --> D-link DFL-1700 firewall & NAT --> D-link DGS GigaBit switch --> SERVERS

Now, it is interesting what you say about the device's capability to handle more than 1 VPN passthrough.
VPN passthrough is configured on both firewalls, Cisco 1800 & D-link DFL.

The Cisco is just an SPI firewall,
but the D-link is also a firewall and is doing NAT as well.
Both devices have VPN port 1723 forwarded: the Cisco to the D-link's WAN port, and the D-link to the VPN server's LAN port.

Maybe it would be a good idea to get rid of the (old) D-link DFL and configure the Cisco to do NAT instead. But this involves lots of work after hours, and also there is nothing else wrong with the current setup, so it is not a just-like-that decision to come to work one Saturday evening.
I would like to find the "guilty" device before taking any drastic steps.
I think that might be where the problem lies.  You're double-natting and also double forwarding.

You should be able to forward VPN directly to the server from the Cisco firewall and just allow passthrough on the d-link - this will avoid a double forwarded port and likely why the routes are being dropped.

Andrej Pirman (Author) commented:
Although I did not solve the problem, it helped me to read some more and get more familiar with VPN on Windows. thanx anyway.