jpgillivan (United States of America) asked:
Windows 7 long time to log in over VPN

I have two Windows 7 boxes at a remote location that connect to a domain via a site-to-site VPN. Both boxes take at least 1.5 minutes at boot up to reach the CTRL+ALT+DEL screen. Then it takes about 2 minutes to log in to the domain.

None of the XP boxes at the same location have this issue.

I have tried:
Disabling Network Location Awareness, no help.
Removing one of the computers from the domain and joining again, no help.
Manually setting the NIC speed, no help.
Updating the NIC drivers, no help.
Moving the computer out of the OU and blocking group policy inheritance, no help.
Disabling all services except the bare minimum, similar to safe mode, but there are a few services (like Group Policy Client) that I cannot disable.
There is no GPO that maps any printers; they are added manually. There is a script mapping network drives in the user profile, but I have also tried disabling that script and that was no help either.

If I boot the workstation in safe mode with networking then the logon time is quick, like 30 seconds.

Any suggestions?
TazDevil1674 (United Kingdom of Great Britain and Northern Ireland):

I have seen this with Windows 7 and VPN products.

Basically what we were told to do was rebuild the machine and block inheritance of Machine Group Policy and import the Machine policy as Local GPO.

Logon speeds were dramatically better... It is important that they don't get Domain Machine GPO as this seems to do something strange and it still runs slow...
Philonator:
I was able to duplicate this only in reverse: Windows XP slow and 7 fast. The problem was that there were some buried group policies that treated Windows XP machines differently than 7. Once we found those, all was fast. I would check your Group Policies to see what it is checking for on 7 machines but not XP. Could be some security features turned on by default.

Also:
What level is your domain?
What type of VPN are you using: Cisco AnyConnect, SSH etc?
jpgillivan (asker):
Taz - not applying the Machine GPO (or eliminating the capability) sort of defeats the whole purpose of GPO. If I had 200 machines with this issue, your suggestion would not be acceptable. And even for now it is not.


Philonator - It is a single domain. We are using a Watchguard firewall on each end to provide the VPN tunnel; this is not changeable. The VPN is IPsec.

As for the GPO, I put the machine in an OU that has no GPs and the login times are the same. Verified that the machine is not applying GPs by using RSOP.

Ping times average 10ms, sometimes they jump up for a few but settle back down.  Therefore I don't think that it is a "slow link" issue.  Besides, I read that Win7 uses a different method for determining slow links, unlike XP which uses ping times.
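As an added example (not part of the original post or anyone's answer), a PowerShell snippet that measures where the logon time actually goes on one of the Windows 7 boxes: it reads the Group Policy operational event log for per-extension processing times (event 5016) and for the link-speed detection result (event 5314), which is the bandwidth-estimate method Windows 7 uses instead of XP's ping test. It assumes a logon happened within the last hour and an elevated PowerShell 2.0 prompt on the slow workstation.

```powershell
# Added example: summarise Group Policy processing times and slow-link detection
# on a Windows 7 client from the Group Policy operational event log.
# Event IDs used: 5016 = completed extension processing (duration in ms),
#                 5314 = fast/slow link detection result (estimated bandwidth).
$log   = 'Microsoft-Windows-GroupPolicy/Operational'
$since = (Get-Date).AddHours(-1)   # assumption: the slow logon was within the last hour

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction Stop

# Per-extension durations. The 5016 message reads
# "Completed <Extension> Extension Processing in <N> milliseconds."
Write-Host "=== Group Policy extension processing times (slowest first) ==="
$events | Where-Object { $_.Id -eq 5016 } | ForEach-Object {
    if ($_.Message -match 'Completed (.+?) Extension Processing in (\d+) milliseconds') {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Extension = $Matches[1]
            Ms        = [int]$Matches[2]
        }
    }
} | Sort-Object Ms -Descending | Format-Table Time, Extension, Ms -AutoSize

# Link detection: Windows 7 estimates bandwidth (NLA) instead of pinging the DC,
# so a "slow link" verdict here would explain policy being skipped or delayed.
Write-Host "=== Link speed detection ==="
$events | Where-Object { $_.Id -eq 5314 } |
    Select-Object TimeCreated, Message | Format-List

# Errors and warnings in the same window (Level 1-3 = critical/error/warning),
# e.g. DC discovery or name-resolution failures that stall the logon.
Write-Host "=== Errors and warnings ==="
$events | Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Message | Format-List
```

If the extension timings add up to far less than the observed logon delay, the wait is outside Group Policy (DC location, DNS, or the tunnel itself) rather than in policy processing.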

I have had a ton of issues with Windows 7 and IPsec. The short answer is to always upgrade to an AnyConnect or similar VPN. Rather than do that:

Do you have any other locations/customers that you could VPN into that do not use IPsec? If it is fast when you connect, then you know it is the IPsec.

Do you have any other location connections that use IPsec? If it is fast there, then you know it is a GP problem on your domain (or could be).

**I am not implying that IPsec is broken, it just doesn't work well with Windows 7. There is something in the core system of Windows 7 that interferes with the packets. This Cisco article highlights it well:
https://supportforums.cisco.com/docs/DOC-18721


Here is the core of the solution:
"Windows 7 introduced a new adapter type called WWAN. The traffic accepted by the NIC is controlled by an NDIS Miniport Driver. The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packets that go in and out WWAN devices. The third party tool that acts as the NDIS IM driver is DNE by Citrix.

The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver (WWAN Card) is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the native Windows 7 Mobile Broadband driver.

The reason the USB WWAN card works is that it is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize."


Can you bypass the NDIS drivers somehow? You basically did the same thing by testing it in safe mode.
Can you try adding your DNS server name and IP in your system hosts file and try?

Update: I was incorrect, the remote offices are NOT connected via VPN. They have an MPLS connection to the HQ.

If that is the case you may have more of a routing/firewall issue. The right way to troubleshoot this is to see what those Watchguard firewalls are doing. The only tests that I can think to try on the Windows 7 client side:

1. See if QoS is enabled on the network adapter; disable and test.
2. Get a laptop with Windows 7 and statically assign the public IP address of your location to it. Log out with the settings in place, disconnect your internet connection to the building and connect it to the laptop. If the laptop logs in and is fast (and you can get to the internet) then you know the problem is 100% in the Watchguard. The internet will work in this test.
ASKER CERTIFIED SOLUTION
jpgillivan (asker, United States of America):
Solved the issue myself.