Link to home
Create AccountLog in
Avatar of emgee11
emgee11Flag for Canada

asked on

VPN connection drops, router likely culprit

Hi,

We have a Sonicwall TZ-170 router for the office and I use the Global VPN client to connect to the office. At home I have the D-Link DGL-4500 Xtreme N Gaming router. I have no issues making the VPN connection, however, the connection drops frequently. The time before dropping out varies. I have tried from both Windows XP Pro and Windows 7 Ultimate clients; same problem.

I'm fairly certain it is not the TZ-170 as I've VPN'd in from other locations and have uniterrupted VPN sessions. I also used to use a USR 8200 router at home and had no issue with VPN connections.

The DGL-4500 does state it supports VPN passthru, but I assume there must be some other settings or changes I need to make to the router???

Thank you!
Avatar of digitap
digitap
Flag of United States of America image

did you enable vpn passthrough on your dgl?  most times, at least in my experience, it's not enabled by default.  i agree with your assessment that it's your home router causing issues...based on the information you provided above.
Avatar of emgee11

ASKER

Hi digitap,

I verified that my router has all the passthrough enabled (IPSec (VPN) in particular).
is your internet cable or dsl?  perhaps consider checking the mtu of your home router.  i have an article for calculating it for a sonicwall but it would work for your router as well.  search the articles for mtu and digitap.  also, consider changing the duplex and speed of the wan interface on your home router.  it's probably auto but may need to be set to something specific.
Avatar of emgee11

ASKER

HI digitap,

My internet is DSL, I'll check what I have my MTU set to on the router and I'll look for your article.

I know the router is set to auto on the WAN interface. I'll look into that as well.

Thank you so far.
here's the article:

https://www.experts-exchange.com/viewArticle.jsp?articleID=3110

another thought, have you updated the firmware on the appliance yet?
additionally, do you have the same results whether wireless or wired on the DGL?
Avatar of emgee11

ASKER

Hi digitap,

I read your MTU article and ajusted the MTU on our Sonicwall TZ-170. I'll do the same at home this evening and test.

I have the latest firmware on both the DGL-4500 and TZ170.

I haven't tried from a wireless connection, but I'll try it out using WiFi and see if I get the same result.
Avatar of emgee11

ASKER

Hi digitap,

Ok, I adjusted the MTU on the Sonicwall, my DGL-4500 was set properly. Still no luck, the connection drops.

I tried it over wireless and it drops as well.

I was watching the log in the GlobalVPNClient and when I lose the connection, I see the following in the log:

2010/11/17 22:20:45:746      Warning          <<sonicwall ip>>      Received an unencrypted packet but encryption keys have already been established.
2010/11/17 22:20:45:746      Error            <<sonicwall ip>>      Failed to decrypt buffer.
2010/11/17 22:20:45:746      Information      <local host>          An incoming ISAKMP packet from <<sonicwall ip>> was ignored.

I'll see several of these, then messages indicating that it is dropping the connection and reestablishing it. However, at this point whatever I was trying to do over VPN (e-mail, file transfer, etc.) gets borked.

So, perhaps, it's not my DGL-4500 at home then.
I've not seen this before, but this KB article explains what's going on.  It's a sonicwall firmware issue and has a client configuration setting that can be made to resolve it.  That information is in the article as well.

http://www.sonicwall.com/downloads/Failed_to_Decrypt_Buffer%281%29.pdf
Avatar of emgee11

ASKER

Hi,

I made the change recommended to my TZ170 and no success. I then tried the workaround for the Global VPN Client but my version (latest) does not have those same options any more.

Odd thing, the firmware I have for my TZ170 is from 2009 which is later than the article, which said the issue would be resolved in a later firmware release.
what's the version of firmware.  it's possible you have the pre-release.  i'll review the article again when i get a moment.  sorry nothing has worked so far.
Avatar of emgee11

ASKER

Hi digitap,

The version I have installed is: SonicOS Standard 3.1.6.3-4s

Thank you for your help!
ASKER CERTIFIED SOLUTION
Avatar of digitap
digitap
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of emgee11

ASKER

I'll try out the older version in the next day or two. The previous version does not explicitly say Windows 7, so I'll try it on my XP machine.

Yeah, I think (unfortunately) I'll need to get a newer model sonicwall.
you are right...it may not be compatible with windows 7.  if xp works with the older version, then you've got your answer.
Avatar of emgee11

ASKER

Well, I finally got a moment to try it on a Windows XP machine. I reverted to the version of Global VPN Client that had those DPD settings and still no luck. I also tried the alternate fix they recommend by changing the setting on the head-end (my TZ170) and still no luck.

I'll try swapping out my DGL-4500 with my other router and see if it works ok with it. Just to eliminate the DGL-4500 from the picture.

Any other suggestions are welcome, thanks for your help to date.
i'm really out of ideas unless your DGL is the cause...i just can't imagine what's left.
Avatar of emgee11

ASKER

No luck with the other router; I'll test another router later. In the meantime I'll close this off and assign the points. Thanks for your help digitap!
Avatar of emgee11

ASKER

Only problem is it really isn't a solution as it seems to be an issue with the Sonicwall product/software. I'm rewarding the time and effort that digitap put into it, thank you!
thanks for the points!  you really didn't have to do that and sorry we didn't come to a solution for you.
Avatar of emgee11

ASKER

I just wanted to follow-up on my question. I got a chance to try another router (Netgear WNDR3700-100PAS) and the VPN connection is stable! I tested transferring large files (30MB, 50MB), e-mail, as well as accessing shares, etc. and no dropouts. Watching the VPN log I saw none of those previous error messages I saw with the DGL-4500.
Avatar of emgee11

ASKER

I forgot to mention I left all the changes I made to the TZ-170 as outlined in the whitepaper digitap pointed me towards.
excellent!  glad it's stable for you!
Avatar of emgee11

ASKER

Me too! Although I don't mind buying new gear, the Netgear router for my house is a lot more cost effective than a new Sonicwall (or other) appliance for the office. Thanks again.