Microsoft TMG: IPSec tunnels are sometimes dropping

Posted on 2010-08-16
Last Modified: 2012-05-10
I've been having this problem for quite a while now; maybe someone can shed some new light on this particular issue.

I used to have ISA 2006 and moved to TMG 2010. The configuration was transferred. As expected, TMG operated like ISA did, except for one significant detail. TMG has four IPSec tunnels to different endpoints / networks (ISA 2004 / 2006 and Cisco) which are operational and usable. However, one or two times a day, each tunnel becomes unavailable for a very short time, at different intervals from each other. This issue did not exist with ISA 2006, but the configuration is exactly the same.

I've already checked extensively on the matter of packet loss with my ISP, but the uplink quality is fine. This issue is just a small nuisance, since only monitoring is dropping and the impact is low.

I'd appreciate it if someone can present some suggestions on where to look for a possible cause.
Question by:BorgusGroup
LVL 35

Expert Comment

by:Bembi
ID: 33480469
TMG on Win 2008?
Is Remote Console used on this server?
LVL 1

Author Comment

by:BorgusGroup
ID: 33518949
TMG is on 2008, the console is used on the TMG server itself.
LVL 35

Expert Comment

by:Bembi
ID: 33525249
What I read somewhere is that Win2008 VPN has some problems, especially if used together with Remote Console. In the beginning, I regularly had crashes (reboots) of the server if I used VPN to connect to the server and connected to the server via RC. The crashes are gone, but sometimes my server just kicks me out for a while, meaning the VPN tunnel is closed....

The more trivial solution is to check if there are some time / connection limits, so that the connection is closed in an expected way. There are settings in the user properties as well as in RRAS (or NAP if used). If there are connection limits set (i.e. to close an idle connection), Win2008 kills the session. You may have a look on both sides, as both sides may have such settings.
Inspect the RRAS / NAP settings on the server and the settings of the user accounts which are used to connect to the remote side (and the same on the remote side).

To check if this is an idle issue, you may try to send something like a keep-alive packet regularly to the remote side and see if the connection behavior changes.
LVL 1

Author Comment

by:BorgusGroup
ID: 33529206
Bembi,

I appreciate your feedback. I will elaborate on my situation to make it a bit more comprehensible. You might be right about the server OS though; W2K8 has a different IPSec stack than W2K3 did, which might be an issue.

NAP / NPS is probably not relevant. The policies for NPS are defined by TMG, overruling the default policies. RRAS / IPSec configuration is also defined / configured through TMG, so there is no point in changing any settings there. User accounts are irrelevant; no accounts are used since all tunnels are purely IPSec. No L2TP is used at all.

Concerning disconnections because of idle timeouts: continuous pings through all tunnels do not result in keep-alive of the tunnel and actually show the tunnel being down for a small time.

Could it be a renegotiation issue with the W2K8 stack? I know this is really difficult to trace, but there might be an issue there. Any other suggestions about what I might check are very much appreciated.
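To put numbers on the drops that the continuous pings show, here is an added example (not from the thread or from TMG): a PowerShell script that polls one host behind each tunnel every second, records when replies stop and resume, and reports each outage's length and the time since that tunnel's previous outage, so the spacing of drops can be compared with the IKE / IPsec SA lifetimes configured for each site-to-site connection. The tunnel names and addresses are hypothetical placeholders, and it assumes PowerShell 2.0 or later (for Test-Connection) on the TMG server.

```powershell
# Hypothetical tunnel names and constructed placeholder addresses: replace each
# with a host that is only reachable through that IPsec tunnel.
$tunnels = @{
    'SiteA-ISA2004' = '10.1.0.10'
    'SiteB-ISA2006' = '10.2.0.10'
    'SiteC-Cisco'   = '10.3.0.10'
    'SiteD-Cisco'   = '10.4.0.10'
}
$logFile = 'C:\TunnelDrops.csv'   # assumed log location

# Per-tunnel state: whether it is currently down, when it went down, and when
# its last outage ended (used to measure the gap between consecutive outages).
$state = @{}
foreach ($name in $tunnels.Keys) {
    $state[$name] = @{ Down = $false; DownSince = $null; LastUp = $null }
}
if (-not (Test-Path $logFile)) {
    'Tunnel,OutageStart,OutageEnd,DurationSec,SinceLastOutageSec' | Out-File $logFile
}

while ($true) {
    foreach ($name in $tunnels.Keys) {
        $now = Get-Date
        # One echo request; -Quiet yields $true/$false instead of reply objects.
        $ok = Test-Connection -ComputerName $tunnels[$name] -Count 1 -Quiet -ErrorAction SilentlyContinue
        $s = $state[$name]
        if (-not $ok -and -not $s.Down) {
            # First missed reply: record the start of an outage on this tunnel.
            $s.Down = $true
            $s.DownSince = $now
            Write-Host ('{0:s}  {1} DOWN' -f $now, $name)
        } elseif ($ok -and $s.Down) {
            # Replies resumed: outage length and gap since the previous outage.
            $dur = [math]::Round(($now - $s.DownSince).TotalSeconds)
            $gap = if ($s.LastUp) { [math]::Round(($s.DownSince - $s.LastUp).TotalSeconds) } else { 'n/a' }
            Write-Host ('{0:s}  {1} UP after {2}s, previous outage ended {3}s before this one' -f $now, $name, $dur, $gap)
            ('{0},{1:s},{2:s},{3},{4}' -f $name, $s.DownSince, $now, $dur, $gap) | Out-File $logFile -Append
            $s.Down = $false
            $s.LastUp = $now
        }
    }
    Start-Sleep -Seconds 1
}
```

A single lost echo is counted as an outage, so ordinary packet loss will also appear in the log; outages that recur on each tunnel at a fixed interval are the ones worth comparing with that tunnel's SA lifetimes.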
LVL 35

Expert Comment

by:Bembi
ID: 33529472
Hi,

As for the W2K8 stack, what I read was that there are known problems, but MS does not intend to fix them. It should be solved in W2K8 R2. Nevertheless, there seem to have been some changes made in the past by MS Update, as I can observe a bit of improvement, but no final fix.

If I understand you right, you have defined site-to-site VPN connections in TMG to your remote sides?
Or do you just tunnel IPSec through TMG?

Something I found:
http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/cd0433e4-e15c-44e0-abe2-d90ae2375305#5919c85e-7bc6-4163-9f9d-a56d5bd240c0

Have you tested SP1 for TMG?
LVL 1

Author Comment

by:BorgusGroup
ID: 33529628
Hi Bembi,

The URL you gave does not seem relevant. RRAS isn't failing and no errors are written in the event log. Besides, in that case all tunnels would fail simultaneously, which they do not. However, known problems with IPSec in W2K8 R1 might be interesting. Could you provide me with any info on that?

Also, thanks for the heads up on SP1. I will start testing this weekend, it might be of help in this matter.

Cheers!
LVL 1

Author Comment

by:BorgusGroup
ID: 33574898
Ok, implemented SP1. Does not remove this particular issue.

Again, if you could provide me with pointers to bugs in the W2K8 R1 IPSec stack, I'd appreciate it.
LVL 35

Accepted Solution

by:Bembi (earned 750 total points)
ID: 33617626
Difficult to analyse, as there may be several issues which can affect your problem. And I'm not quite clear about your environment (old and new).

Some articles I found again, but only relevant if you use new hardware...

support.microsoft.com/kb/973554
support.microsoft.com/kb/950836
support.microsoft.com/kb/955427
support.microsoft.com/kb/958702
http://www.dslreports.com/forum/r23138224-SMB-2-protocol-over-Zywall-VPN
http://www.vistax64.com/virtual-server/188808-remote-desktop-acces-windows-2008-server-too-sluggish-drops-connection.html

Most of what I have seen are problems in connection with SMB2 and settings on the network adapters, which interfere with other devices.
LVL 1

Author Comment

by:BorgusGroup
ID: 33644168
Hi Bembi,

Your help is appreciated. My company has decided to move all hardware to our external datacenter, hence the problem will be irrelevant shortly. Thanks again for your assistance.
LVL 1

Author Closing Comment

by:BorgusGroup
ID: 33644177
Problem will be irrelevant in the near future.