Connection to Cisco VPN intermittent

Posted on 2009-03-30
Last Modified: 2013-12-14

We have a Cisco VPN in our central office that's been working great for several years.  We've never had a problem with any of our remote clients being able to establish a connection to the VPN.  This includes home-based clients with slower connections like DSL.

Recently we moved our office (and switched to a different ISP).  Since then, some (but not all) clients have been unable to connect to the VPN (the handshake never gets to the point of prompting for a userid/password).

Since certain clients are able to connect, I think we can assume that the VPN is working properly on the router side.  The clients that are having problems are the home-based ones with slower, DSL connections which makes me suspect this is some sort of latency issue.

Any suggestions or advice on what we might do?

Question by: icarus1806

Author Comment

ID: 24028387

A few more things I tried that didn't work:
- reduced MTU size (from 1300 to 576) on the client side
- disabled transparent tunneling on the client
- increased peer response timeout (from 90 to 480) on the client

Comments, advice, suggestions greatly appreciated!


Author Comment

ID: 24085336
Hi again,

Hmmm..I guess I've really stumped the experts on this one since no one responded to my question :-).

Out of desperation, I decided to roll up my sleeves, don my Experts hat and dive in to see if I could figure this one out.

First, I ruled out some obvious causes by disconnecting all other devices on our LAN as I thought maybe some device was spewing packets wantonly, clogging up the network.

That did not fix the problem, so as a next step I enabled NetFlow in the router so I could capture and analyze incoming packets, and I also set up Wireshark on the client end of the connection so I could watch packets going out (a great program, by the way :-)).

I should also mention that my original theory that only slow (i.e. DSL-based) clients were affected was not correct, as further testing showed that those clients would sometimes work intermittently.

Anyway, after spending quite a lot of time watching packets flow over the wire, I concluded that the problem is on the router side, not with the client, as I could see packets flowing over the wire during the initial handshake to establish the connection, but never arriving at the router.

These packets are UDP, so yes, there is no guarantee of safe delivery, but what I was seeing was 100% packet loss; no packets were making it to the router, even after a number of retries.

Since the problem was intermittent, I concluded that it was either a) flaky hardware or b) related to bandwidth saturation, suggesting that the pipe that we get from our ISP must be near capacity (it's a T1, but I believe shared with other users).  Strangely, we had a similar arrangement with a shared T1 in our old office but we never had any problems with packet loss; however, we switched to a new ISP when we changed offices.

As a further check, I ran traceroutes from different clients to the router and also traced the route from a client to our old ISP.  The results of these tests show that the common leg is through the ISP or possibly 1 or 2 hops upstream.  However, those upstream hops are all major Internet switches so it's unlikely that they are the problem :-).

We are now working with our ISP to see if we can resolve the problem.  Worst case, we may need to switch to a different ISP if they cannot provide us with a reliable connection.  It's still not clear whether it's flaky hardware or a bandwidth problem, but in any case it's the ISP's to solve.

I'm leaving this question open until we have the problem fully resolved but that is the current update.  Perhaps this information will be useful to others.


Accepted Solution

icarus1806 earned 0 total points
ID: 24203036
Hi again,

Well, we finally figured this one out.  The problem turned out to be a flaky router on our end that was intermittently dropping the incoming UDP packets from the clients.  Although NetFlow was reporting that those packets were being dropped, a key insight was that NetFlow was being provided by the router itself, and therefore its results turned out to be suspect.  We arrived at this conclusion through a process of elimination after looking at the ISP's intake from the upstream provider and observing that the packets were indeed arriving safely.

The conclusion is, don't always trust NetFlow to diagnose network problems.  If your router is flaky, NetFlow results can be just as flaky.

Anyway, we replaced the router and everything is back up and running now :-)
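The cross-check the two posts above describe, written out as an added Python example (not code from this thread, from Cisco, or from any NetFlow tool): packet counts for each client-to-head-end IKE flow (UDP/500) are compared at three vantage points in path order, the client's Wireshark capture, an assumed capture at the ISP hand-off, and the office router's own NetFlow export. The capture lines, the simplified NetFlow text layout, the addresses (RFC 5737 test ranges) and the observer names are all constructed for the demo. The verdict names the first segment where the count drops and, when that drop is visible only in the router's own telemetry, keeps the router on the suspect list rather than blaming the upstream path.

```python
"""Cross-check packet counts for the same flows at several vantage points.

Added example for the troubleshooting in this thread, not code from the
original posts or from Cisco/NetFlow tooling. All inputs below are constructed:
tshark-style CSV for the client and ISP captures, a simplified NetFlow-v5-like
text export for the router. Field layouts, addresses and names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VPN_HEADEND = "203.0.113.1"             # assumed address of the VPN head-end
IANA_PROTO = {"6": "TCP", "17": "UDP"}  # NetFlow v5 reports 'prot' as a number
Flow = Tuple[str, str, str, int, int]   # (src_ip, dst_ip, proto, src_port, dst_port)

# Constructed: what Wireshark/tshark saw leaving the clients (IKE on UDP/500).
# Columns: epoch_time,src_ip,dst_ip,proto,src_port,dst_port,length
CLIENT_CAPTURE = """\
1238457600.10,198.51.100.7,203.0.113.1,UDP,500,500,350
1238457601.11,198.51.100.7,203.0.113.1,UDP,500,500,350
1238457603.12,198.51.100.7,203.0.113.1,UDP,500,500,350
1238457607.13,198.51.100.7,203.0.113.1,UDP,500,500,350
1238457600.20,198.51.100.9,203.0.113.1,UDP,500,500,350
1238457600.55,198.51.100.9,203.0.113.1,UDP,500,500,412
"""
# Constructed: an independent capture at the ISP hand-off, upstream of the office router.
ISP_TAP_CAPTURE = """\
1238457600.13,198.51.100.7,203.0.113.1,UDP,500,500,350
1238457601.14,198.51.100.7,203.0.113.1,UDP,500,500,350
1238457603.15,198.51.100.7,203.0.113.1,UDP,500,500,350
1238457607.16,198.51.100.7,203.0.113.1,UDP,500,500,350
1238457600.23,198.51.100.9,203.0.113.1,UDP,500,500,350
1238457600.58,198.51.100.9,203.0.113.1,UDP,500,500,412
"""
# Constructed: the office router's own NetFlow export (no record at all for 198.51.100.7).
# Columns: srcaddr dstaddr prot srcport dstport dPkts
ROUTER_NETFLOW = """\
198.51.100.9 203.0.113.1 17 500 500 2
"""


def parse_capture(text: str) -> Counter:
    """Packets per 5-tuple from a tshark-style CSV export."""
    flows: Counter = Counter()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, proto, sport, dport, _length = line.split(",")
        flows[(src, dst, proto, int(sport), int(dport))] += 1
    return flows


def parse_netflow(text: str) -> Counter:
    """Packets per 5-tuple from the simplified NetFlow export, summing dPkts per record."""
    flows: Counter = Counter()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts = line.split()
        flows[(src, dst, IANA_PROTO.get(proto, proto), int(sport), int(dport))] += int(pkts)
    return flows


@dataclass
class Observer:
    name: str
    flows: Counter
    self_reported_by: Optional[str] = None  # set when the counts come from the device under test


def build_path() -> List[Observer]:
    """Observers ordered from the client outward toward the VPN head-end."""
    return [
        Observer("client_wireshark", parse_capture(CLIENT_CAPTURE)),
        Observer("isp_tap", parse_capture(ISP_TAP_CAPTURE)),
        Observer("router_netflow", parse_netflow(ROUTER_NETFLOW), self_reported_by="office router"),
    ]


def trace_loss(flow: Flow, path: List[Observer]) -> Tuple[Optional[Tuple[str, str]], str]:
    """Report the first segment along the path where the packet count for `flow` drops.

    A drop seen only in a device's own telemetry cannot separate 'never arrived'
    from 'arrived and the device dropped or miscounted it', so that device stays a suspect.
    """
    prev = path[0]
    for obs in path[1:]:
        sent, seen = prev.flows.get(flow, 0), obs.flows.get(flow, 0)
        if seen < sent:
            lost_pct = 100.0 * (sent - seen) / sent
            verdict = f"{lost_pct:.0f}% loss between {prev.name} and {obs.name}"
            if obs.self_reported_by:
                verdict += (f"; {obs.name} is the {obs.self_reported_by}'s own telemetry, "
                            f"so the {obs.self_reported_by} itself remains a suspect")
            return (prev.name, obs.name), verdict
        prev = obs
    return None, "no loss along the path"


def run_example() -> Dict[Flow, str]:
    """Verdict for every client-to-head-end flow the client capture contains."""
    path = build_path()
    return {flow: trace_loss(flow, path)[1]
            for flow in path[0].flows if flow[1] == VPN_HEADEND}
```

For the flow that the router's NetFlow never records (198.51.100.7 in the sample) this reports 100% loss between the ISP tap and the router's NetFlow, with the router still a suspect; for the flow all three observers agree on it reports no loss. The practical point is the third observer: without a capture upstream of the router, a NetFlow record that is missing because the router miscounted and a packet the router genuinely dropped look identical, which is exactly the trap the accepted answer describes.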
