Solved

Microsoft TMG: IPSec tunnels are sometimes dropping

Posted on 2010-08-16
2,455 Views
Last Modified: 2012-05-10
I've been having this problem for quite a while now; maybe someone can shed some new light on this particular issue.

I used to have ISA 2006 and moved to TMG 2010. The configuration was transferred. As expected, TMG operated like ISA did, except for one significant detail: TMG has four IPSec tunnels to different endpoints / networks (ISA 2004 / 2006 and Cisco) which are operational and usable. However, one or two times a day, each tunnel becomes unavailable for a very short time, at different intervals from each other. This issue did not exist with ISA 2006, but the configuration is exactly the same.

I've already checked extensively on the matter of packet loss with my ISP, but the uplink quality is fine. This issue is just a small nuisance, since only monitoring is dropping and the impact is low.

I'd appreciate it if someone can present some suggestions on where to look for a possible cause.
Question by:BorgusGroup
10 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 33480469
TMG on Win 2008?
Is Remote Console used on this server?
 
LVL 1

Author Comment

by:BorgusGroup
ID: 33518949
TMG is on 2008, the console is used on the TMG server itself.
 
LVL 35

Expert Comment

by:Bembi
ID: 33525249
What I read somewhere is that Win2008 VPN has some problems, especially if used together with Remote Console. In the beginning, I had regular crashes (reboots) of the server if I used VPN to connect to the server and connected to the server via RC. The crashes are gone, but sometimes my server just kicks me out for a while, meaning the VPN tunnel is closed....

The more trivial solution is to check if there are some time / connection limits, so that the connection is closed in an expected way. There are settings in the user properties as well as in RRAS (or NAP if used). If there are connection limits set (i.e. to close an idle connection), Win2008 kills the session. You may have a look on both sides, as both sides may have such settings.
Inspect the RRAS / NAP settings on the server and the settings of the user accounts which are used to connect to the remote side (and the same on the remote side).

To check if this is an idle issue, you may try to send something like a keep-alive packet regularly to the remote side and see if the connection behavior changes.
 
LVL 1

Author Comment

by:BorgusGroup
ID: 33529206
Bembi,

I appreciate your feedback. I will elaborate on my situation to make it a bit more comprehensible. You might be right about the server OS, though; W2K8 has a different IPSec stack than W2K3 did, which might be an issue.

NAP / NPS is probably not relevant. The policies for NPS are defined by TMG, overruling the default policies. The RRAS / IPSec configuration is also defined / configured through TMG, so there is no point in changing any settings there. User accounts are irrelevant; no accounts are used, since all tunnels are purely IPSec. No L2TP is used at all.

Concerning disconnections because of idle timeouts: continuous pings through all tunnels do not result in keep-alive of the tunnel and actually show the tunnel being down for a short time.

Could it be a renegotiation issue with the W2K8 stack? I know this is really difficult to trace, but there might be an issue there. Any other suggestions about what I might check are very much appreciated.
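The keep-alive suggestion above and the observation that continuous pings show each tunnel down for a short time both come down to the same question: when does each tunnel drop, and do the gaps between drops line up with a security-association lifetime, which would point at rekeying rather than at the network. The following is an added example, not code from this thread or from TMG: it parses a constructed probe log (tunnel names, timestamps and the "up/down" format are made up for the example) and checks the interval between successive outages of one tunnel against assumed IKE main-mode and quick-mode lifetimes. The lifetime values are assumptions and should be replaced with the ones configured on the TMG site-to-site network and on the remote peer.

```python
"""Outage-interval analysis for site-to-site IPsec tunnels.

Added example, not part of the original thread. Input is a probe log with
one line per probe: '<ISO timestamp> <tunnel name> up|down'. In practice such
a log is produced by pinging each tunnel's remote gateway every N seconds and
appending the result; here a constructed sample is embedded so it runs offline.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample (hypothetical tunnel names). Probes between transitions
# are omitted for brevity; tunnel-A drops twice, exactly 8 h apart.
SAMPLE_LOG = """\
2010-08-16T00:00:00 tunnel-A up
2010-08-16T03:59:00 tunnel-A up
2010-08-16T04:00:00 tunnel-A down
2010-08-16T04:01:00 tunnel-A down
2010-08-16T04:02:00 tunnel-A up
2010-08-16T11:59:00 tunnel-A up
2010-08-16T12:00:00 tunnel-A down
2010-08-16T12:01:00 tunnel-A up
2010-08-16T00:00:00 tunnel-B up
2010-08-16T09:30:00 tunnel-B down
2010-08-16T09:31:00 tunnel-B up
"""

# ASSUMED lifetimes in seconds; replace with the tunnel's actual IPsec settings.
ASSUMED_LIFETIMES = {
    "main mode (assumed 28800 s)": 28800,
    "quick mode (assumed 3600 s)": 3600,
}


def parse_probe_log(text):
    """Return {tunnel: [(timestamp, reachable), ...]} sorted by time."""
    samples = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, tunnel, state = line.split()
        samples[tunnel].append((datetime.fromisoformat(stamp), state == "up"))
    for seq in samples.values():
        seq.sort()
    return dict(samples)


def outage_windows(samples):
    """Collapse runs of 'down' probes into (start, end) windows per tunnel.

    'end' is the first 'up' probe after the outage, or None if the tunnel is
    still down when the log ends.
    """
    windows = {}
    for tunnel, seq in samples.items():
        found, start = [], None
        for stamp, reachable in seq:
            if not reachable and start is None:
                start = stamp
            elif reachable and start is not None:
                found.append((start, stamp))
                start = None
        if start is not None:
            found.append((start, None))
        windows[tunnel] = found
    return windows


def outage_intervals(windows):
    """Seconds between the starts of successive outages, per tunnel."""
    return {
        tunnel: [int((b[0] - a[0]).total_seconds()) for a, b in zip(w, w[1:])]
        for tunnel, w in windows.items()
    }


def rekey_candidates(interval_s, lifetimes, tolerance_s=60):
    """SA lifetimes the interval is a whole multiple of, within the probe period.

    A match on the longer lifetime is the stronger hint: every main-mode
    interval is also a multiple of the quick-mode lifetime.
    """
    hits = []
    for name, life in lifetimes.items():
        n = round(interval_s / life)
        if n >= 1 and abs(interval_s - n * life) <= tolerance_s:
            hits.append((name, n))
    return hits


def analyse(text, lifetimes=ASSUMED_LIFETIMES, tolerance_s=60):
    """Map each tunnel to [(interval_s, matching lifetimes)] for its outages."""
    intervals = outage_intervals(outage_windows(parse_probe_log(text)))
    return {t: [(i, rekey_candidates(i, lifetimes, tolerance_s)) for i in ivs]
            for t, ivs in intervals.items()}


if __name__ == "__main__":
    for tunnel, rows in analyse(SAMPLE_LOG).items():
        for interval, hits in rows:
            print(f"{tunnel}: {interval} s between outage starts -> {hits}")
```

Feed it a day or two of real probes (one probe per tunnel every 60 s is enough; the tolerance should equal the probe period). If the gaps for a tunnel come out as multiples of one of the configured lifetimes, the next thing to compare is the lifetime and PFS settings on both ends of that tunnel, since a mismatch makes one side tear down the SA before the other expects it. If the gaps are irregular and differ per tunnel, the rekey hypothesis is weakened and the peer side or the path is the better place to look.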
 
LVL 35

Expert Comment

by:Bembi
ID: 33529472
Hi,

As for the W2K8 stack, what I read was that there are known problems, but MS does not intend to fix them. It should be solved in W2K8 R2. Nevertheless, there seem to have been some changes made in the past by MS Update, as I can observe a bit of improvement, but no final fix.

If I understand you right, you have defined site-to-site VPN connections in TMG to your remote sites?
Or do you just tunnel IPSec through TMG?

Something I found:
http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/cd0433e4-e15c-44e0-abe2-d90ae2375305#5919c85e-7bc6-4163-9f9d-a56d5bd240c0

Have you tested SP1 for TMG?
 
LVL 1

Author Comment

by:BorgusGroup
ID: 33529628
Hi Bembi,

The URL you gave does not seem relevant. RRAS isn't failing and no errors are written in the event log. Besides, in that case all tunnels would fail simultaneously, which they do not. However, known problems with IPSec in W2K8 R1 might be interesting. Could you provide me with any info on that?

Also, thanks for the heads up on SP1. I will start testing this weekend, it might be of help in this matter.

Cheers!
 
LVL 1

Author Comment

by:BorgusGroup
ID: 33574898
Ok, implemented SP1. Does not remove this particular issue.

Again, if you could provide me with pointers to bugs in the W2K8 R1 IPSec stack, I'd appreciate it.
 
LVL 35

Accepted Solution

by:
Bembi earned 250 total points
ID: 33617626
Difficult to analyse, as there may be several issues which can affect your problem, and I'm not quite clear about your environment (old and new).

Some articles I found again, but only relevant if you use new hardware...

http://support.microsoft.com/kb/973554
http://support.microsoft.com/kb/950836
http://support.microsoft.com/kb/955427
http://support.microsoft.com/kb/958702
http://www.dslreports.com/forum/r23138224-SMB-2-protocol-over-Zywall-VPN
http://www.vistax64.com/virtual-server/188808-remote-desktop-acces-windows-2008-server-too-sluggish-drops-connection.html

Most of what I have seen are problems in connection with SMB2 and settings on the network adapters, which interfere with other devices.
 
LVL 1

Author Comment

by:BorgusGroup
ID: 33644168
Hi Bembi,

Your help is appreciated. My company has decided to move all hardware to our external datacenter, hence the problem will be irrelevant shortly. Thanks again for your assistance.
 
LVL 1

Author Closing Comment

by:BorgusGroup
ID: 33644177
Problem will be irrelevant in the near future.