BorgusGroup
asked on
Microsoft TMG: IPSec tunnels are sometimes dropping
I've been having this problem for quite a while now, maybe someone can shed some new light on this particulari issue.
I used to have ISA 2006 and moved to TMG 2010. The configuration was transferred. As expected, TMG operated like ISA did except for one significant detail; TMG has four IPSec tunnels to different endpoints / networks ( ISA 2004 / 2006 and Cisco ) which are operational and usable. However, one or two times a day, each tunnel becomes unavailable for a very short time at different intervals from each other. This issue did not exist with ISA 2006, but the configuration is exactly the same.
I've already checked extensively on the matter of packet loss with my ISP, but the uplink quality is fine. This issue is just a small nuicance, since only monitoring is dropping and impact is low.
I'd appreciate it, if someone can present some sugestions on where to look for a possible cause.
I used to have ISA 2006 and moved to TMG 2010. The configuration was transferred. As expected, TMG operated like ISA did except for one significant detail; TMG has four IPSec tunnels to different endpoints / networks ( ISA 2004 / 2006 and Cisco ) which are operational and usable. However, one or two times a day, each tunnel becomes unavailable for a very short time at different intervals from each other. This issue did not exist with ISA 2006, but the configuration is exactly the same.
I've already checked extensively on the matter of packet loss with my ISP, but the uplink quality is fine. This issue is just a small nuicance, since only monitoring is dropping and impact is low.
I'd appreciate it, if someone can present some sugestions on where to look for a possible cause.
ASKER
TMG is on 2008, the console is used on the TMG server itself.
What I read somewhere is, that Win2008 vpn has some problems, especially if used together with remote console. In the beginning, I had regularly crashes (reboots) of the server, if I used VPN to connect to the server and connected to the server via Rc. The crashes are away but sometimes, my server kicks me just out for a while, means the vpn tunnel is closed....
The more trivial solution is to check, if there are some time / connection limits, so that the connection is closed in a expected way. There are setting in the user properties as well as RRAS (or NAP if used). if there are connection limits set (i.e. to close an idle connection), Win2008 kills the session. You may have a look on both sides, as both sides may have such settings.
Inspect the RRAS / NAP settings on the server and the settings of the user accounts, which are used to connect to the remote side (and the same on the remote side).
To check, if this is an idle issue, you may try to send something like a keep alive packet regularly to the remote side and see, if the connection behavior changes.
The more trivial solution is to check, if there are some time / connection limits, so that the connection is closed in a expected way. There are setting in the user properties as well as RRAS (or NAP if used). if there are connection limits set (i.e. to close an idle connection), Win2008 kills the session. You may have a look on both sides, as both sides may have such settings.
Inspect the RRAS / NAP settings on the server and the settings of the user accounts, which are used to connect to the remote side (and the same on the remote side).
To check, if this is an idle issue, you may try to send something like a keep alive packet regularly to the remote side and see, if the connection behavior changes.
ASKER
Bembi,
I appreciate your feedback, I will elaborate on my situation to make it a bit more comprehendable. You might be right about the server OS though, W2K8 has a different IPSec stack than W2K3 did which might be an issue.
NAP / NPS is propably not relevant. The policies for NPS are difined by TMG, overruling the default policies. RRAS / IPSec configuration is also defined / configured through TMG so no point in changing any settings there. User accounts are irrelevant, no accounts are used since all tunnels are purely IPSec. No LT2P is used at all.
Concerning disconnnections because of idle timeouts; continuous pings trough all tunnels do not result in keep alive of the tunnel and actually show the tunnel being down for a small time.
Could it be a renegotiation issue with the W2K8 stack? I know this is really difficult to trace, but there might be an issue there. Any other suggestions about what I might check are very much appreciated.
I appreciate your feedback, I will elaborate on my situation to make it a bit more comprehendable. You might be right about the server OS though, W2K8 has a different IPSec stack than W2K3 did which might be an issue.
NAP / NPS is propably not relevant. The policies for NPS are difined by TMG, overruling the default policies. RRAS / IPSec configuration is also defined / configured through TMG so no point in changing any settings there. User accounts are irrelevant, no accounts are used since all tunnels are purely IPSec. No LT2P is used at all.
Concerning disconnnections because of idle timeouts; continuous pings trough all tunnels do not result in keep alive of the tunnel and actually show the tunnel being down for a small time.
Could it be a renegotiation issue with the W2K8 stack? I know this is really difficult to trace, but there might be an issue there. Any other suggestions about what I might check are very much appreciated.
Hi,
was affect the W2K8 stack, what I read was, that there are known problems, but MS do not intend to fix it. It should be solved in W2K8 R2. Nevertheless there seems to be some changes made in the past by MS Update, as I can observe a bit improvement, but no final fix.
If I understand you right, ýou have define site-to-side VPN connection in TMG to your remote sides?
Or do you just tunnel IPSec through TMG?
Something I found:
http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/cd0433e4-e15c-44e0-abe2-d90ae2375305#5919c85e-7bc6-4163-9f9d-a56d5bd240c0
Have you tested SP1 for TMG?
was affect the W2K8 stack, what I read was, that there are known problems, but MS do not intend to fix it. It should be solved in W2K8 R2. Nevertheless there seems to be some changes made in the past by MS Update, as I can observe a bit improvement, but no final fix.
If I understand you right, ýou have define site-to-side VPN connection in TMG to your remote sides?
Or do you just tunnel IPSec through TMG?
Something I found:
http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/cd0433e4-e15c-44e0-abe2-d90ae2375305#5919c85e-7bc6-4163-9f9d-a56d5bd240c0
Have you tested SP1 for TMG?
ASKER
Hi Bembi,
The url you gave, does not seem relevant. RRAS isnt failing and no errors are written in the event log. Besides, in that case all tunnels would fail simultaniously which they do not. However, known problems with IPSec in W2K8 R1 might be interesting. Could you provide me with any info on that?
Also, thanks for the heads up on SP1. I will start testing this weekend, it might be of help in this matter.
Cheers!
The url you gave, does not seem relevant. RRAS isnt failing and no errors are written in the event log. Besides, in that case all tunnels would fail simultaniously which they do not. However, known problems with IPSec in W2K8 R1 might be interesting. Could you provide me with any info on that?
Also, thanks for the heads up on SP1. I will start testing this weekend, it might be of help in this matter.
Cheers!
ASKER
Ok, implemented SP1. Does not remove this particular issue.
Again, if you could provide me with pointers to bugs in the W2K8 R1 IPSec stack., I'd appreciate it.
Again, if you could provide me with pointers to bugs in the W2K8 R1 IPSec stack., I'd appreciate it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Bembi,
Your help is appreciated. My company has decided to move all hardware to our external datacenter, hence the problem will be irrelevant shortly. Thanks again for you assists.
Your help is appreciated. My company has decided to move all hardware to our external datacenter, hence the problem will be irrelevant shortly. Thanks again for you assists.
ASKER
Problem will be irrelevant in the near future.
Is Remote Console used on this server?