Microsoft TMG: IPSec tunnels are sometimes dropping

Posted on 2010-08-16
Last Modified: 2012-05-10
I've been having this problem for quite a while now; maybe someone can shed some new light on this particular issue.

I used to have ISA 2006 and moved to TMG 2010. The configuration was transferred. As expected, TMG operated like ISA did, except for one significant detail: TMG has four IPSec tunnels to different endpoints / networks (ISA 2004 / 2006 and Cisco) which are operational and usable. However, one or two times a day, each tunnel becomes unavailable for a very short time, at different intervals from each other. This issue did not exist with ISA 2006, but the configuration is exactly the same.

I've already checked extensively on the matter of packet loss with my ISP, but the uplink quality is fine. This issue is just a small nuisance, since only monitoring is dropping and the impact is low.

I'd appreciate it if someone could present some suggestions on where to look for a possible cause.
Question by: BorgusGroup
10 Comments

Expert Comment by Bembi
ID: 33480469
TMG on Win 2008?
Is Remote Console used on this server?

Author Comment by BorgusGroup
ID: 33518949
TMG is on 2008, the console is used on the TMG server itself.

Expert Comment by Bembi
ID: 33525249
What I read somewhere is that Win2008 VPN has some problems, especially if used together with remote console. In the beginning, I had regular crashes (reboots) of the server if I used VPN to connect to the server and connected to the server via RC. The crashes are gone, but sometimes my server just kicks me out for a while, meaning the VPN tunnel is closed...

The more trivial solution is to check if there are some time / connection limits, so that the connection is closed in an expected way. There are settings in the user properties as well as in RRAS (or NAP if used). If there are connection limits set (i.e. to close an idle connection), Win2008 kills the session. You may have a look on both sides, as both sides may have such settings.
Inspect the RRAS / NAP settings on the server and the settings of the user accounts which are used to connect to the remote side (and the same on the remote side).

To check if this is an idle issue, you may try to send something like a keep-alive packet regularly to the remote side and see if the connection behavior changes.

Author Comment by BorgusGroup
ID: 33529206
Bembi,

I appreciate your feedback; I will elaborate on my situation to make it a bit more comprehensible. You might be right about the server OS though; W2K8 has a different IPSec stack than W2K3 did, which might be an issue.

NAP / NPS is probably not relevant. The policies for NPS are defined by TMG, overruling the default policies. The RRAS / IPSec configuration is also defined / configured through TMG, so there is no point in changing any settings there. User accounts are irrelevant; no accounts are used since all tunnels are purely IPSec. No L2TP is used at all.

Concerning disconnections because of idle timeouts: continuous pings through all tunnels do not result in keep-alive of the tunnel and actually show the tunnel being down for a short time.

Could it be a renegotiation issue with the W2K8 stack? I know this is really difficult to trace, but there might be an issue there. Any other suggestions about what I might check are very much appreciated.
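Both the keep-alive test Bembi suggests and the continuous pings described above produce a probe log per tunnel. The script below is an added example (not code from the thread or from TMG) that turns such a log into outage windows per tunnel and then checks the two hypotheses raised here: whether a tunnel's gaps recur at a near-constant interval (which would point at a timer such as an SA lifetime / renegotiation rather than random packet loss) and whether different tunnels are ever down at the same moment (which would point at the uplink or the TMG host rather than a single tunnel). The log format and the tunnel names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed log (assumed format "HH:MM tunnel ok|timeout"; first timeout and first recovery of each gap)
SAMPLE_LOG = """\
03:00 siteA timeout
03:02 siteA ok
11:00 siteA timeout
11:01 siteA ok
19:00 siteA timeout
19:02 siteA ok
05:30 siteB timeout
05:31 siteB ok
13:30 siteB timeout
13:31 siteB ok
"""

def parse_log(text):
    """Group probes per tunnel as (time, reachable) pairs sorted by time."""
    per_tunnel = defaultdict(list)
    for line in filter(None, text.splitlines()):
        hhmm, tunnel, status = line.split()
        per_tunnel[tunnel].append((datetime.strptime(hhmm, "%H:%M"), status == "ok"))
    return {t: sorted(s) for t, s in per_tunnel.items()}

def outages(samples):
    """Outage windows (start, end): first failed probe until the next good one."""
    windows, start = [], None
    for when, ok in samples:
        if not ok and start is None:
            start = when
        elif ok and start is not None:
            windows.append((start, when))
            start = None
    return windows

def rekey_like(windows, tolerance=0.1):
    """(regular?, mean gap interval); a near-constant interval suggests a timer."""
    starts = [s for s, _ in windows]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return None  # need at least three outages to judge regularity
    return pstdev(gaps) / mean(gaps) <= tolerance, timedelta(seconds=mean(gaps))

def overlapping(windows_by_tunnel):
    """True if two different tunnels are down at once (shared cause, not one SA)."""
    items = [(t, s, e) for t, ws in windows_by_tunnel.items() for s, e in ws]
    return any(t1 != t2 and s1 < e2 and s2 < e1
               for t1, s1, e1 in items for t2, s2, e2 in items)
```

A real log will have many more probes and an open gap at the end of the file is simply not reported; feed a full day of per-minute probes to see whether the mean interval lines up with a configured SA lifetime.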

Expert Comment by Bembi
ID: 33529472
Hi,

As for the W2K8 stack, what I read was that there are known problems, but MS does not intend to fix them. It should be solved in W2K8 R2. Nevertheless, there seem to be some changes made in the past by MS Update, as I can observe a bit of improvement, but no final fix.

If I understand you right, you have defined site-to-site VPN connections in TMG to your remote sites?
Or do you just tunnel IPSec through TMG?

Something I found:
http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/cd0433e4-e15c-44e0-abe2-d90ae2375305#5919c85e-7bc6-4163-9f9d-a56d5bd240c0

Have you tested SP1 for TMG?

Author Comment by BorgusGroup
ID: 33529628
Hi Bembi,

The URL you gave does not seem relevant. RRAS isn't failing and no errors are written in the event log. Besides, in that case all tunnels would fail simultaneously, which they do not. However, known problems with IPSec in W2K8 R1 might be interesting. Could you provide me with any info on that?

Also, thanks for the heads up on SP1. I will start testing this weekend, it might be of help in this matter.

Cheers!

Author Comment by BorgusGroup
ID: 33574898
OK, implemented SP1. It does not remove this particular issue.

Again, if you could provide me with pointers to bugs in the W2K8 R1 IPSec stack, I'd appreciate it.

Accepted Solution by Bembi (earned 250 total points)
ID: 33617626
Difficult to analyse, as there may be several issues which can affect your problem. And I'm not quite clear about your environment (old and new).

Some articles I found again, but only relevant if you use new hardware...

support.microsoft.com/kb/973554
support.microsoft.com/kb/950836
support.microsoft.com/kb/955427
support.microsoft.com/kb/958702
http://www.dslreports.com/forum/r23138224-SMB-2-protocol-over-Zywall-VPN
http://www.vistax64.com/virtual-server/188808-remote-desktop-acces-windows-2008-server-too-sluggish-drops-connection.html

Most of what I have seen are problems in connection with SMB2 and settings on the network adapters, which interfere with other devices.

Author Comment by BorgusGroup
ID: 33644168
Hi Bembi,

Your help is appreciated. My company has decided to move all hardware to our external datacenter, hence the problem will be irrelevant shortly. Thanks again for your assistance.

Author Closing Comment by BorgusGroup
ID: 33644177
Problem will be irrelevant in the near future.