Windows 7 long time to log in over VPN

I have two Windows 7 boxes at a remote location that connect to a domain via a site-to-site VPN. Both boxes take at least 1.5 minutes at boot up to reach the CTRL+ALT+DEL screen. It then takes about 2 minutes to log in to the domain.

None of the XP boxes at the same location have this issue.

I have tried:
Disabling Network Location Awareness, no help.
Removing one of the computers from the domain and joining again, no help.
Manually setting the NIC speed, no help.
Updating the NIC drivers, no help.
Moving the computer out of the OU and blocking group policy inheritance, no help.
Disabling all services except the bare minimum, similar to safe mode, but there are a few services (like Group Policy Client) that I cannot disable.
There are no GPOs that map any printers; they are added manually. There is mapping of network drives in the user profile, but I have also tried disabling that script and that was no help either.

If I boot the workstation in safe mode with networking then the logon time is quick, like 30 seconds.

Any suggestions?
jpgillivan (Consultant) Asked:

TazDevil1674 Commented:
I have seen this with Windows 7 and VPN products.

Basically what we were told to do was rebuild the machine and block inheritance of Machine Group Policy and import the Machine policy as Local GPO.

Logon speeds were dramatically better... It is important that they don't get Domain Machine GPO as this seems to do something strange and it still runs slow...
Philonator (owner) Commented:
I was able to duplicate this only in reverse: Windows XP slow and 7 fast. The problem was that there were some buried group policies that treated Windows XP machines differently than 7. Once we found those, all was fast. I would check your Group Policies to see what it is checking for on 7 machines but not XP. Could be some security features turned on by default.

Also:
What level is your domain?
What type of VPN are you using: Cisco AnyConnect, SSH, etc.?
jpgillivan (Consultant, Author) Commented:
Taz - not applying the Machine GPO (or eliminating the capability) sort of defeats the whole purpose of GPO. If I had 200 machines with this issue, your suggestion would not be acceptable. And even for now it is not.


Philonator - It is a single domain. We are using a WatchGuard firewall on each end to provide the VPN tunnel; this is not changeable. VPN is IPsec.

As for the GPO,  I put the machine in an OU that has no GP's and the log in times are the same.  Verified that the machine is not applying GP's by using RSOP.

Ping times average 10ms, sometimes they jump up for a few but settle back down.  Therefore I don't think that it is a "slow link" issue.  Besides, I read that Win7 uses a different method for determining slow links, unlike XP which uses ping times.

Philonator (owner) Commented:
I have had a ton of issues with Windows 7 and IPsec. The short answer is to always upgrade to AnyConnect or a similar VPN. Rather than do that:

Do you have any other locations/customers that you could VPN into that do not use IPsec? If it is fast when you connect, then you know it is the IPsec.

Do you have any other location connections that use IPsec? If it is fast on there then you know it is a GP problem on your domain (or could be).

**I am not implying that IPsec is broken, it just doesn't work well with Windows 7. There is something in the core system of Windows 7 that interferes with the packets. This Cisco article highlights it well:
https://supportforums.cisco.com/docs/DOC-18721


Here is the core of the solution:
"Windows 7 introduced a new adapter type called WWAN. The traffic accepted by the NIC is controlled by an NDIS Miniport Driver. The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packets that go in and out WWAN devices. The third party tool that acts as the NDIS IM driver is DNE by Citrix.

The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver (WWAN Card) is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the native Windows 7 Mobile Broadband driver.

The reason the USB WWAN card works is that it is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize"


Can you bypass the NDIS drivers somehow? You basically did the same thing by testing it in safe mode.
Syed_M_Usman (System Administrator) Commented:
Can you try adding your DNS server name and IP in your system hosts file and try?
jpgillivan (Consultant, Author) Commented:
Update: I was incorrect, the remote offices are NOT connected via VPN.  They have an MPLS connected to the HQ.
Philonator (owner) Commented:
If that is the case you may have more of a routing/firewall issue. The right way to troubleshoot this is to see what those WatchGuard firewalls are doing. The only tests that I can think to try on the Windows 7 client side:

1. See if QoS is enabled on the network adapter, disable and test.
2. Get a laptop with Windows 7 and statically assign the public IP address of your location to it. Log out with the settings in place, disconnect your internet connection to the building and connect it to the laptop. If the laptop logs in and is fast (and you can get to the internet) then you know the problem is 100% in the WatchGuard. The internet will work in this test.
jpgillivan (Consultant, Author) Commented:
The solution was to disable auto tuning:
netsh interface tcp set global autotuning=disabled

jpgillivan (Consultant, Author) Commented:
Solved the issue myself
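
A way to apply the auto-tuning change from the accepted solution so that it can be verified and undone, as an added example that is not part of the original thread. It assumes an elevated PowerShell prompt and English-language netsh output; `Get-AutoTuningLevel` and `$StateFile` are hypothetical names chosen for this sketch.

```powershell
# Added example, not from the thread. Run elevated on the affected Windows 7 client.
# $StateFile is a hypothetical location used to remember the previous setting.
$StateFile = "$env:ProgramData\autotuning-previous.txt"

function Get-AutoTuningLevel {
    # netsh prints a line such as:
    #   Receive Window Auto-Tuning Level    : normal
    # (English output assumed; localized systems label this line differently.)
    foreach ($line in (netsh interface tcp show global)) {
        if ($line -match 'Receive Window Auto-Tuning Level\s*:\s*(\S+)') {
            return $Matches[1].ToLower()
        }
    }
    throw 'Auto-tuning level not found in netsh output.'
}

$before = Get-AutoTuningLevel

if ($before -ne 'disabled') {
    # Record the old value first so the change can be reverted after testing.
    Set-Content -Path $StateFile -Value $before

    # Same command as in the thread. "disabled" fixes the TCP receive window
    # at its default value instead of letting Windows scale it per connection.
    netsh interface tcp set global autotuning=disabled | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed with exit code $LASTEXITCODE (is the prompt elevated?)"
    }
}

$after = Get-AutoTuningLevel
"Auto-tuning level: $before -> $after"

# To roll back once boot and logon times have been measured:
#   netsh interface tcp set global "autotuning=$(Get-Content $StateFile)"
```

With auto-tuning disabled the receive window no longer grows, so bulk transfers over higher-latency links can slow down; if logon time improves, the devices on the path between the client and the domain controllers are worth checking for how they handle TCP window scaling.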