Solved

Windows 7 long time to log in over VPN

Posted on 2012-03-23
Last Modified: 2012-04-08
I have two Windows 7 boxes at a remote location that connect to a domain via a site-to-site VPN. Both boxes take at least 1.5 minutes at boot up to reach the CTRL+ALT+DEL screen. It then takes about 2 minutes to log in to the domain.

None of the XP boxes at the same location have this issue.

I have tried:
Disabling Network Location Awareness, no help.
Removing one of the computers from the domain and joining again, no help.
Manually setting the NIC speed, no help.
Updating the NIC drivers, no help.
Moving the computer out of the OU and blocking group policy inheritance, no help.
Disabling all services except the bare minimum, similar to safe mode, but there are a few services (like Group Policy Client) that I cannot disable.
There is no GPO that is mapping any printers; they are added manually. There is mapping of network drives in the user profile, but I have also tried disabling that script and that was no help either.

If I boot the workstation in safe mode with networking then the logon time is quick, like 30 seconds.

Any suggestions?
Question by:jpgillivan
9 Comments
 
LVL 9

Expert Comment

by:TazDevil1674
ID: 37758024
I have seen this with Windows 7 and VPN products.

Basically what we were told to do was rebuild the machine and block inheritance of Machine Group Policy and import the Machine policy as Local GPO.

Logon speeds were dramatically better... It is important that they don't get Domain Machine GPO as this seems to do something strange and it still runs slow...
0
 
LVL 7

Expert Comment

by:Philonator
ID: 37758059
I was able to duplicate this only in reverse: Windows XP slow and 7 fast. The problem was that there were some buried group policies that treated Windows XP machines differently than 7. Once we found those, all was fast. I would check your Group Policies to see what it is checking for on 7 machines but not XP. Could be some security features turned on by default.

Also:
What level is your domain?
What type of VPN are you using: Cisco AnyConnect, SSH, etc.?
0
 

Author Comment

by:jpgillivan
ID: 37758989
Taz - not applying the Machine GPO ( or eliminating the capability ) sort of defeats the whole purpose for GPO.  If I had 200 machines with this issue, your suggestion would not be acceptable.  And even for now it is not.


Philonator - It is a single domain. We are using a Watchguard firewall on each end to provide the VPN tunnel; this is not changeable. VPN is IPsec.

As for the GPO,  I put the machine in an OU that has no GP's and the log in times are the same.  Verified that the machine is not applying GP's by using RSOP.

Ping times average 10ms, sometimes they jump up for a few but settle back down.  Therefore I don't think that it is a "slow link" issue.  Besides, I read that Win7 uses a different method for determining slow links, unlike XP which uses ping times.
0

 
LVL 7

Expert Comment

by:Philonator
ID: 37759052
I have had a ton of issues with Windows 7 and IPsec. The short answer is to always upgrade to an AnyConnect or similar VPN. Rather than do that:

Do you have any other locations/customers that you could VPN into that do not use IPsec? If it is fast when you connect, then you know it is the IPsec.

Do you have any other location connections that use IPsec? If it is fast on there, then you know it is a GP problem on your domain (or could be).

**I am not implying that IPsec is broken, it just doesn't work well with Windows 7. There is something in the core system of Windows 7 that interferes with the packets. This Cisco article highlights it well:
https://supportforums.cisco.com/docs/DOC-18721


Here is the core of the solution:
"Windows 7 introduced a new adapter type called WWAN. The traffic accepted by the NIC is controlled by an NDIS Miniport Driver. The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packets that go in and out WWAN devices. The third party tool that acts as the NDIS IM driver is DNE by Citrix.

The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver (WWAN Card) is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the native Windows 7 Mobile Broadband driver.

The reason the USB WWAN card works is that it is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize"


Can you bypass the NDIS drivers somehow? You basically did the same thing by testing it in safe mode.
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 37764805
Can you try adding your DNS server name and IP in your system host file and try?
0
 

Author Comment

by:jpgillivan
ID: 37766994
Update: I was incorrect, the remote offices are NOT connected via VPN.  They have an MPLS connected to the HQ.
0
 
LVL 7

Expert Comment

by:Philonator
ID: 37767482
If that is the case you may have more of a routing/firewall issue. The right way to troubleshoot this is to see what those Watchguard firewalls are doing. The only tests that I can think to try on the Windows 7 client side:

1.  See if QoS is enabled on the network adaptor, disable and test.
2.  Get a laptop with Windows 7 and statically assign the public IP address of your location to it. Log out with the settings in place, disconnect your internet connection to the building and connect it to the laptop. If the laptop logs in and is fast (and you can get to the internet) then you know the problem is 100% in the Watchguard. The internet will work in this test.
0
 

Accepted Solution

by:
jpgillivan earned 0 total points
ID: 37801594
The solution was to disable auto tuning:
netsh interface tcp set global autotuning=disabled
0
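
The accepted fix above as a reversible procedure, added here as an example and not part of the original post: it reads the current receive-window auto-tuning level, saves it, disables auto-tuning, and can restore the saved value. It assumes an elevated prompt and English-language netsh output; the function names and the backup file path are hypothetical.

```powershell
# Added example. Assumptions: elevated PowerShell prompt, English netsh output.
# Function names and the backup path are hypothetical.

function Get-AutoTuningLevel {
    # netsh prints a line such as:
    #   Receive Window Auto-Tuning Level    : normal
    $line = netsh interface tcp show global |
        Where-Object { $_ -like '*Receive Window Auto-Tuning Level*' } |
        Select-Object -First 1
    if ($line -and ($line -match ':\s*(\S+)\s*$')) {
        return $Matches[1]
    }
    throw 'Auto-tuning level not found in netsh output.'
}

$BackupFile = Join-Path $env:TEMP 'autotuning-level.txt'

function Disable-AutoTuning {
    $before = Get-AutoTuningLevel
    if ($before -ne 'disabled') {
        # Keep the previous value so the change can be undone later.
        Set-Content -Path $BackupFile -Value $before
        netsh interface tcp set global autotuninglevel=disabled | Out-Null
    }
    # Re-read the setting instead of trusting the exit message.
    "Before: $before  After: $(Get-AutoTuningLevel)"
}

function Restore-AutoTuning {
    if (-not (Test-Path $BackupFile)) {
        throw "No saved level at $BackupFile; nothing to restore."
    }
    $saved = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()
    netsh interface tcp set global "autotuninglevel=$saved" | Out-Null
    "Restored: $(Get-AutoTuningLevel)"
}

Disable-AutoTuning
# To undo the change later: Restore-AutoTuning
```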
 

Author Closing Comment

by:jpgillivan
ID: 37820853
Solved the issue myself
0
