Solved

VPN connection drops, router likely culprit

Posted on 2010-11-16
Last Modified: 2012-05-10
Hi,

We have a Sonicwall TZ-170 router for the office and I use the Global VPN client to connect to the office. At home I have the D-Link DGL-4500 Xtreme N Gaming router. I have no issues making the VPN connection, however, the connection drops frequently. The time before dropping out varies. I have tried from both Windows XP Pro and Windows 7 Ultimate clients; same problem.

I'm fairly certain it is not the TZ-170 as I've VPN'd in from other locations and have uninterrupted VPN sessions. I also used to use a USR 8200 router at home and had no issue with VPN connections.

The DGL-4500 does state it supports VPN passthru, but I assume there must be some other settings or changes I need to make to the router???

Thank you!
Question by:emgee11
 
LVL 33

Expert Comment

by:digitap
ID: 34147364
did you enable vpn passthrough on your dgl?  most times, at least in my experience, it's not enabled by default.  i agree with your assessment that it's your home router causing issues...based on the information you provided above.
0
 

Author Comment

by:emgee11
ID: 34152008
Hi digitap,

I verified that my router has all the passthrough enabled (IPSec (VPN) in particular).
0
 
LVL 33

Expert Comment

by:digitap
ID: 34152520
is your internet cable or dsl?  perhaps consider checking the mtu of your home router.  i have an article for calculating it for a sonicwall but it would work for your router as well.  search the articles for mtu and digitap.  also, consider changing the duplex and speed of the wan interface on your home router.  it's probably auto but may need to be set to something specific.
0
 

Author Comment

by:emgee11
ID: 34155100
Hi digitap,

My internet is DSL, I'll check what I have my MTU set to on the router and I'll look for your article.

I know the router is set to auto on the WAN interface. I'll look into that as well.

Thank you so far.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34155736
here's the article:

http://www.experts-exchange.com/viewArticle.jsp?articleID=3110

another thought, have you updated the firmware on the appliance yet?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34155745
additionally, do you have the same results whether wireless or wired on the DGL?
0
 

Author Comment

by:emgee11
ID: 34156087
Hi digitap,

I read your MTU article and adjusted the MTU on our Sonicwall TZ-170. I'll do the same at home this evening and test.

I have the latest firmware on both the DGL-4500 and TZ170.

I haven't tried from a wireless connection, but I'll try it out using WiFi and see if I get the same result.
0
 

Author Comment

by:emgee11
ID: 34167181
Hi digitap,

Ok, I adjusted the MTU on the Sonicwall, my DGL-4500 was set properly. Still no luck, the connection drops.

I tried it over wireless and it drops as well.

I was watching the log in the GlobalVPNClient and when I lose the connection, I see the following in the log:

2010/11/17 22:20:45:746      Warning          <<sonicwall ip>>      Received an unencrypted packet but encryption keys have already been established.
2010/11/17 22:20:45:746      Error            <<sonicwall ip>>      Failed to decrypt buffer.
2010/11/17 22:20:45:746      Information      <local host>          An incoming ISAKMP packet from <<sonicwall ip>> was ignored.

I'll see several of these, then messages indicating that it is dropping the connection and reestablishing it. However, at this point whatever I was trying to do over VPN (e-mail, file transfer, etc.) gets borked.

So, perhaps, it's not my DGL-4500 at home then.
0
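A way to quantify the drops from the Global VPN Client log excerpt in the post above (an added example, not part of the thread and not SonicWall code): it groups the two failure messages into bursts and reports the time between bursts, so the same measurement can be repeated with each router under test. The 30-second grouping window, the function names and the sample lines with the placeholder peer 192.0.2.1 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Message texts taken from the log excerpt quoted in the post above.
SIGNATURES = (
    "Received an unencrypted packet but encryption keys have already been established.",
    "Failed to decrypt buffer.",
)

# Constructed sample in the layout of that excerpt; 192.0.2.1 is a placeholder peer.
SAMPLE_LOG = """\
2010/11/17 22:20:45:746      Warning          192.0.2.1      Received an unencrypted packet but encryption keys have already been established.
2010/11/17 22:20:45:746      Error            192.0.2.1      Failed to decrypt buffer.
2010/11/17 22:20:45:746      Information      <local host>          An incoming ISAKMP packet from 192.0.2.1 was ignored.
2010/11/17 22:20:47:102      Error            192.0.2.1      Failed to decrypt buffer.
(truncated line that does not parse)
2010/11/17 22:31:02:310      Warning          192.0.2.1      Received an unencrypted packet but encryption keys have already been established.
2010/11/17 22:31:02:311      Error            192.0.2.1      Failed to decrypt buffer.
2010/11/17 22:58:40:005      Error            192.0.2.1      Failed to decrypt buffer.
"""

def parse_line(line):
    """Return (timestamp, severity, source, message), or None if the line does not parse."""
    parts = re.split(r"\s{2,}", line.strip(), maxsplit=3)
    if len(parts) != 4:
        return None
    try:
        stamp = datetime.strptime(parts[0], "%Y/%m/%d %H:%M:%S:%f")
    except ValueError:
        return None
    return (stamp, *parts[1:])

def find_bursts(text, max_gap=timedelta(seconds=30)):
    """Group decrypt-failure lines into bursts; a new burst starts after max_gap of quiet."""
    bursts = []
    for stamp, _sev, _src, message in filter(None, map(parse_line, text.splitlines())):
        if message not in SIGNATURES:
            continue  # e.g. the Information line about the ignored ISAKMP packet
        if bursts and stamp - bursts[-1]["end"] <= max_gap:
            bursts[-1]["end"] = stamp
            bursts[-1]["count"] += 1
        else:
            bursts.append({"start": stamp, "end": stamp, "count": 1})
    return bursts

def seconds_between_bursts(bursts):
    """Seconds from each burst's start to the start of the next burst."""
    return [(b["start"] - a["start"]).total_seconds() for a, b in zip(bursts, bursts[1:])]
```

Calling `seconds_between_bursts(find_bursts(text))` on a saved client log gives one number per gap between drops, which can be compared across test runs.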
 
LVL 33

Expert Comment

by:digitap
ID: 34167568
I've not seen this before, but this KB article explains what's going on.  It's a sonicwall firmware issue and has a client configuration setting that can be made to resolve it.  That information is in the article as well.

http://www.sonicwall.com/downloads/Failed_to_Decrypt_Buffer%281%29.pdf
0
 

Author Comment

by:emgee11
ID: 34181185
Hi,

I made the change recommended to my TZ170 and no success. I then tried the workaround for the Global VPN Client but my version (latest) does not have those same options any more.

Odd thing, the firmware I have for my TZ170 is from 2009 which is later than the article, which said the issue would be resolved in a later firmware release.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34181288
what's the version of firmware?  it's possible you have the pre-release.  i'll review the article again when i get a moment.  sorry nothing has worked so far.
0
 

Author Comment

by:emgee11
ID: 34184518
Hi digitap,

The version I have installed is: SonicOS Standard 3.1.6.3-4s

Thank you for your help!
0
 
LVL 33

Accepted Solution

by:
digitap earned 125 total points
ID: 34202280
i reviewed the article and looked back at my installed version of GVC.  i'm running the latest version and can see that it doesn't have the check boxes referenced in the article.  i looked at mysonicwall.com and see there was a release in 2009 as a hot-fix release.  there was the general release in 2007.  i think it's ok to keep your sonicwall at the hot-fix release.

regarding the GVC work around, i believe you need to download the version of GVC from 2008.  if you login to your mysonicwall account, you can gain access to the free downloads.  from there, select the GVC from the drop down.  there is a link at the bottom for additional software versions.  this will take you to where you can access the 2008 version.  i believe installing that will give you access to the version with the options needed for the workaround.

i'm only in favor of rolling back the version due to the version of sonicwall appliance you have.  i believe later versions of the sonicwall fixed this issue.  since you have an older sonicwall, you need the older GVC to handle the "bug" fixed in a later firmware release.  i think it's worth a try.

alternatively, you could purchase a new sonicwall.
0
 

Author Comment

by:emgee11
ID: 34222093
I'll try out the older version in the next day or two. The previous version does not explicitly say Windows 7, so I'll try it on my XP machine.

Yeah, I think (unfortunately) I'll need to get a newer model sonicwall.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34222157
you are right...it may not be compatible with windows 7.  if xp works with the older version, then you've got your answer.
0
 

Author Comment

by:emgee11
ID: 34257760
Well, I finally got a moment to try it on a Windows XP machine. I reverted to the version of Global VPN Client that had those DPD settings and still no luck. I also tried the alternate fix they recommend by changing the setting on the head-end (my TZ170) and still no luck.

I'll try swapping out my DGL-4500 with my other router and see if it works ok with it. Just to eliminate the DGL-4500 from the picture.

Any other suggestions are welcome, thanks for your help to date.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34258169
i'm really out of ideas unless your DGL is the cause...i just can't imagine what's left.
0
 

Author Comment

by:emgee11
ID: 34385552
No luck with the other router; I'll test another router later. In the meantime I'll close this off and assign the points. Thanks for your help digitap!
0
 

Author Closing Comment

by:emgee11
ID: 34385560
Only problem is it really isn't a solution as it seems to be an issue with the Sonicwall product/software. I'm rewarding the time and effort that digitap put into it, thank you!
0
 
LVL 33

Expert Comment

by:digitap
ID: 34385714
thanks for the points!  you really didn't have to do that and sorry we didn't come to a solution for you.
0
 

Author Comment

by:emgee11
ID: 34491178
I just wanted to follow up on my question. I got a chance to try another router (Netgear WNDR3700-100PAS) and the VPN connection is stable! I tested transferring large files (30MB, 50MB), e-mail, as well as accessing shares, etc. and no dropouts. Watching the VPN log I saw none of those previous error messages I saw with the DGL-4500.
0
 

Author Comment

by:emgee11
ID: 34491183
I forgot to mention I left all the changes I made to the TZ-170 as outlined in the whitepaper digitap pointed me towards.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34491304
excellent!  glad it's stable for you!
0
 

Author Comment

by:emgee11
ID: 34492101
Me too! Although I don't mind buying new gear, the Netgear router for my house is a lot more cost effective than a new Sonicwall (or other) appliance for the office. Thanks again.
0
