Microsoft TMG: IPSec tunnels are sometimes dropping

I've been having this problem for quite a while now, maybe someone can shed some new light on this particulari issue.

I used to have ISA 2006 and moved to TMG 2010. The configuration was transferred. As expected, TMG operated like ISA did except for one significant detail; TMG has four IPSec tunnels to different endpoints / networks ( ISA 2004 / 2006 and Cisco ) which are operational and usable. However, one or two times a day, each tunnel becomes unavailable for a very short time at different intervals from each other.  This issue did not exist with ISA 2006, but the configuration is exactly the same.

I've already checked extensively on the matter of packet loss with my ISP, but the uplink quality is fine. This issue is just a small nuicance, since only monitoring is dropping and impact is low.

I'd appreciate it, if someone can present some sugestions on where to look for a possible cause.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TMG on Win 2008?
Is Remote Console used on this server?
BorgusGroupAuthor Commented:
TMG is on 2008, the console is used on the TMG server itself.
What I read somewhere is, that Win2008 vpn has some problems, especially if used together with remote console. In the beginning, I had regularly crashes (reboots) of the server, if I used VPN to connect to the server and connected to the server via Rc. The crashes are away but sometimes, my server kicks me just out for a while, means the vpn tunnel is closed....

The more trivial solution is to check, if there are some time / connection limits, so that the connection is closed in a expected way.  There are setting in the user properties as well as RRAS (or NAP if used). if there are connection limits set (i.e. to close an idle connection), Win2008 kills the session. You may have a look on both sides, as both sides may have such settings.
Inspect the RRAS / NAP settings on the server and the settings of the user accounts, which are used to connect to the remote side (and the same on the remote side).

To check, if this is an idle issue, you may try to send something like a keep alive packet regularly to the remote side and see, if the connection behavior changes.  
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

BorgusGroupAuthor Commented:

I appreciate your feedback, I will elaborate on my situation to make it a bit more comprehendable. You might be right about the server OS though, W2K8 has a different IPSec stack than W2K3 did which might be an issue.

NAP / NPS is propably not relevant. The policies for NPS are difined by TMG, overruling the default policies. RRAS / IPSec configuration is also defined / configured through TMG so no point in changing any settings there. User accounts are irrelevant, no accounts are used since all tunnels are purely IPSec. No LT2P is used at all.

Concerning disconnnections because of idle timeouts; continuous pings trough all tunnels do not result in keep alive of the tunnel and actually show the tunnel being down for a small time.

Could it be a renegotiation issue with the W2K8 stack? I know this is really difficult to trace, but there might be an issue there. Any other suggestions about what I might check are very much appreciated.

was affect the W2K8 stack, what I read was, that there are known problems, but MS do not intend to fix it. It should be solved in W2K8 R2. Nevertheless there seems to be some changes made in the past by MS Update, as I can observe a bit improvement, but no final fix.

If I understand you right, ýou have define site-to-side VPN connection in TMG to your remote sides?
Or do you just tunnel IPSec through TMG?

Something I found:

Have you tested SP1 for TMG?
BorgusGroupAuthor Commented:
Hi Bembi,

The url you gave, does not seem relevant. RRAS isnt failing and no errors are written in the  event log. Besides, in that case all tunnels would fail simultaniously which they do not. However, known problems with IPSec in W2K8 R1 might be interesting. Could you provide me with any info on that?

Also, thanks for the heads up on SP1. I will start testing this weekend, it might be of help in this matter.

BorgusGroupAuthor Commented:
Ok, implemented SP1. Does not remove this particular issue.

Again, if you could provide me with pointers to bugs in the W2K8 R1 IPSec stack., I'd appreciate it.
Difficult to analyse, as there maybe several issues, which can affect your problem. And I#m not quite clear about your environment (old and new).

Some articles I found again, but only relevant, if you use new hardware...

Most what I have seen is are problems in connection with SMB2 and Settings on the Network Adapters, which interference with other devices.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BorgusGroupAuthor Commented:
Hi Bembi,

Your help is appreciated. My company has decided to move all hardware to our external datacenter, hence the problem will be irrelevant shortly. Thanks again for you assists.
BorgusGroupAuthor Commented:
Problem will be irrelevant in the near future.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocol Security

From novice to tech pro — start learning today.