Solved

Windows 7 long time to log in over VPN

Posted on 2012-03-23
Last Modified: 2012-04-08
I have two Windows 7 boxes at a remote location that connect to a domain via a site-to-site VPN. Both boxes take at least 1.5 minutes at boot-up to reach the CTRL+ALT+DEL screen. Then it takes about 2 minutes to log in to the domain.

None of the XP boxes at the same location have this issue.

I have tried:
Disabling Network Location Awareness, no help.
Removing one of the computers from the domain and joining again, no help.
Manually setting the NIC speed, no help.
Updating the NIC drivers, no help.
Moving the computer out of the OU and blocking group policy inheritance, no help.
Disabling all services except the bare minimum, similar to safe mode, but there are a few services (like Group Policy Client) that I cannot disable.
There is no GPO mapping any printers; they are added manually. There is mapping of network drives in the user profile, but I have also tried disabling that script and that was no help either.

If I boot the workstation in safe mode with networking then the logon time is quick, like 30 seconds.

Any suggestions?
Question by:jpgillivan
9 Comments
 
LVL 9

Expert Comment

by:TazDevil1674
I have seen this with Windows 7 and VPN products.

Basically what we were told to do was rebuild the machine and block inheritance of Machine Group Policy and import the Machine policy as Local GPO.

Logon speeds were dramatically better... It is important that they don't get Domain Machine GPO as this seems to do something strange and it still runs slow...
 
LVL 7

Expert Comment

by:Philonator
I was able to duplicate this only in reverse: Windows XP slow and 7 fast. The problem was that there were some buried group policies that treated Windows XP machines differently than 7. Once we found those, all was fast. I would check your group policies to see what it is checking for on 7 machines but not XP. Could be some security features turned on by default.

Also:
What level is your domain?
What type of VPN are you using: Cisco AnyConnect, SSH, etc.?
 

Author Comment

by:jpgillivan
Taz - not applying the Machine GPO (or eliminating the capability) sort of defeats the whole purpose for GPO. If I had 200 machines with this issue, your suggestion would not be acceptable. And even for now it is not.

Philonator - It is a single domain. We are using a Watchguard firewall on each end to provide the VPN tunnel, this is not changeable. VPN is IPsec.

As for the GPO,  I put the machine in an OU that has no GP's and the log in times are the same.  Verified that the machine is not applying GP's by using RSOP.

Ping times average 10ms, sometimes they jump up for a few but settle back down.  Therefore I don't think that it is a "slow link" issue.  Besides, I read that Win7 uses a different method for determining slow links, unlike XP which uses ping times.
 
LVL 7

Expert Comment

by:Philonator
I have had a ton of issues with Windows 7 and IPsec. The short answer is to always upgrade to an AnyConnect or similar VPN. Rather than do that:

Do you have any other locations/customers that you could VPN into that do not use IPsec? If it is fast when you connect, then you know it is the IPsec.

Do you have any other location connections that use IPsec? If it is fast on there, then you know it is a GP problem on your domain (or could be).

**I am not implying that IPsec is broken, it just doesn't work well with Windows 7. There is something in the core system of Windows 7 that interferes with the packets. This Cisco article highlights it well:
https://supportforums.cisco.com/docs/DOC-18721


Here is the core of the solution:
"Windows 7 introduced a new adapter type called WWAN. The traffic accepted by the NIC is controlled by an NDIS Miniport Driver. The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packets that go in and out WWAN devices. The third party tool that acts as the NDIS IM driver is DNE by Citrix.

The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver (WWAN Card) is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the native Windows 7 Mobile Broadband driver.

The reason the USB WWAN card works is that it is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize"


Can you bypass the NDIS drivers somehow? You basically did the same thing by testing it in safe mode.

 
LVL 16

Expert Comment

by:Syed_M_Usman
Can you try adding your DNS server name and IP in your system hosts file and try?
 

Author Comment

by:jpgillivan
Update: I was incorrect, the remote offices are NOT connected via VPN.  They have an MPLS connected to the HQ.
 
LVL 7

Expert Comment

by:Philonator
If that is the case you may have more of a routing/firewall issue. The right way to troubleshoot this is to see what those Watchguard firewalls are doing. The only tests that I can think to try on the Windows 7 client side:

1. See if QoS is enabled on the network adapter, disable and test
2. Get a laptop with Windows 7 and statically assign the public IP address of your location to it. Log out with the settings in place, disconnect your internet connection to the building and connect it to the laptop. If the laptop logs in and is fast (and you can get to the internet) then you know the problem is 100% in the Watchguard. The internet will work in this test.
 

Accepted Solution

by:jpgillivan
The solution was to disable auto tuning:
netsh interface tcp set global autotuning=disabled
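An added example, not part of the original thread: one way to apply the accepted fix so it can be checked and reverted, by reading the current level from `netsh interface tcp show global`, recording it, then setting and verifying the new level with the full parameter name `autotuninglevel`. The function names and the backup file path are hypothetical, and the parsing assumes English-language netsh output and an elevated prompt.

```powershell
# Added example, not from the thread. Assumes English-language netsh output
# and an elevated PowerShell prompt. Function names and the backup path are hypothetical.

function Get-TcpAutoTuningLevel {
    # 'netsh interface tcp show global' prints a line such as
    # "Receive Window Auto-Tuning Level    : normal"
    $lines = & netsh interface tcp show global
    foreach ($line in $lines) {
        if ($line -match 'Receive Window Auto-Tuning Level\s*:\s*(\S+)') {
            return $Matches[1]
        }
    }
    throw 'Auto-tuning level not found in netsh output (non-English locale?).'
}

function Set-TcpAutoTuningLevel {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('disabled', 'highlyrestricted', 'restricted', 'normal', 'experimental')]
        [string]$Level
    )
    & netsh interface tcp set global "autotuninglevel=$Level" | Out-Null
    # Re-read the setting rather than trusting the command's output alone.
    $now = Get-TcpAutoTuningLevel
    if ($now -ne $Level) { throw "Expected '$Level' but netsh reports '$now'." }
    return $now
}

# Record the level in place before the change so it can be restored later.
# The file is written only once, so a second run does not overwrite the original value.
$backup = Join-Path $env:ProgramData 'tcp-autotuning-before.txt'
$before = Get-TcpAutoTuningLevel
if (-not (Test-Path $backup)) { Set-Content -Path $backup -Value $before }
"Level before change: $before"

"Level now: $(Set-TcpAutoTuningLevel -Level disabled)"

# To revert after the logon test:
#   Set-TcpAutoTuningLevel -Level (Get-Content $backup)
```

With the level set to disabled the TCP receive window stays at its default size, so large transfers over high-latency links can slow down; restore the recorded level if logon time does not improve.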
 

Author Closing Comment

by:jpgillivan
Solved the issue myself