Solved

Windows 7 long time to log in over VPN

Posted on 2012-03-23
Last Modified: 2012-04-08
I have two Windows 7 boxes at a remote location that connect to a domain via a site-to-site VPN. Both boxes take at least 1.5 minutes at boot-up to reach the CTRL+ALT+DEL screen. It then takes about 2 minutes to log in to the domain.

None of the XP boxes at the same location have this issue.

I have tried:
Disabling Network Location Awareness, no help.
Removing one of the computers from the domain and joining again, no help.
Manually setting the NIC speed, no help.
Updating the NIC drivers, no help.
Moving the computer out of the OU and blocking group policy inheritance, no help.
Disabling all services except the bare minimum, similar to safe mode, but there are a few services (like Group Policy Client) that I cannot disable.
There is no GPO mapping any printers; they are added manually. There is mapping of network drives in the user profile, but I have also tried disabling that script and that was no help either.

If I boot the workstation in safe mode with networking, then the logon time is quick, like 30 seconds.

Any suggestions?
Question by:jpgillivan

Expert Comment

by:TazDevil1674
ID: 37758024
I have seen this with Windows 7 and VPN products.

Basically what we were told to do was rebuild the machine and block inheritance of Machine Group Policy and import the Machine policy as Local GPO.

Logon speeds were dramatically better... It is important that they don't get Domain Machine GPO as this seems to do something strange and it still runs slow...

Expert Comment

by:Philonator
ID: 37758059
I was able to duplicate this only in reverse: Windows XP slow and 7 fast. The problem was that there were some buried group policies that treated Windows XP machines differently than 7. Once we found those, all was fast. I would check your group policies to see what it is checking for on 7 machines but not XP. Could be some security features turned on by default.

Also:
What level is your domain?
What type of VPN are you using: Cisco AnyConnect, SSH, etc.?

Author Comment

by:jpgillivan
ID: 37758989
Taz - not applying the Machine GPO (or eliminating the capability) sort of defeats the whole purpose for GPO. If I had 200 machines with this issue, your suggestion would not be acceptable. And even for now it is not.


Philonator - It is a single domain. We are using a Watchguard firewall on each end to provide the VPN tunnel; this is not changeable. VPN is IPsec.

As for the GPO,  I put the machine in an OU that has no GP's and the log in times are the same.  Verified that the machine is not applying GP's by using RSOP.

Ping times average 10ms, sometimes they jump up for a few but settle back down.  Therefore I don't think that it is a "slow link" issue.  Besides, I read that Win7 uses a different method for determining slow links, unlike XP which uses ping times.

Expert Comment

by:Philonator
ID: 37759052
I have had a ton of issues with Windows 7 and IPsec. The short answer is to always upgrade to an AnyConnect or similar VPN. Rather than do that:

Do you have any other locations/customers that you could VPN into that do not use IPsec? If it is fast when you connect, then you know it is the IPsec.

Do you have any other location connections that use IPsec? If it is fast on there, then you know it is a GP problem on your domain (or could be).

**I am not implying that IPsec is broken, it just doesn't work well with Windows 7. There is something in the core system of Windows 7 that interferes with the packets. This Cisco article highlights it well:
https://supportforums.cisco.com/docs/DOC-18721


Here is the core of the solution:
"Windows 7 introduced a new adapter type called WWAN. The traffic accepted by the NIC is controlled by an NDIS Miniport Driver. The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packets that go in and out WWAN devices. The third party tool that acts as the NDIS IM driver is DNE by Citrix.

The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver (WWAN Card) is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the native Windows 7 Mobile Broadband driver.

The reason the USB WWAN card works is that it is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize"


Can you bypass the NDIS drivers somehow? You basically did the same thing by testing it in safe mode.

Expert Comment

by:Syed_M_Usman
ID: 37764805
Can you try adding your DNS server name and IP in your system host file and try?

Author Comment

by:jpgillivan
ID: 37766994
Update: I was incorrect, the remote offices are NOT connected via VPN.  They have an MPLS connected to the HQ.

Expert Comment

by:Philonator
ID: 37767482
If that is the case you may have more of a routing/firewall issue. The right way to troubleshoot this is to see what those Watchguard firewalls are doing. The only tests that I can think to try on the Windows 7 client side:

1.  See if QoS is enabled on the network adaptor, disable and test.
2.  Get a laptop with Windows 7 and statically assign the public IP address of your location to it. Log out with the settings in place, disconnect your internet connection to the building and connect it to the laptop. If the laptop logs in and is fast (and you can get to the internet) then you know the problem is 100% in the Watchguard. The internet will work in this test.

Accepted Solution

by:jpgillivan
ID: 37801594
The solution was to disable auto tuning:
netsh interface tcp set global autotuning=disabled
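
An added example, not part of the original post: recording the current receive-window auto-tuning level before applying the change above, so it can be verified and rolled back. It assumes an elevated PowerShell prompt and English-language netsh output; `autotuninglevel` is the full name of the parameter the post abbreviates as `autotuning`, and `Get-AutoTuningLevel` is a helper name made up for this example.

```powershell
# Added example: inspect, change, and roll back TCP receive-window auto-tuning.
# Assumption: English-language netsh output, elevated prompt.

function Get-AutoTuningLevel {
    # netsh prints a line such as:
    #   Receive Window Auto-Tuning Level    : normal
    $line = netsh interface tcp show global |
        Where-Object { $_ -match 'Auto-Tuning Level' }
    if (-not $line) {
        throw 'Auto-tuning line not found in netsh output (non-English locale?)'
    }
    # Keep only the value to the right of the first colon.
    return ($line -split ':', 2)[1].Trim()
}

# Record the starting value so the change can be undone later.
$before = Get-AutoTuningLevel
Write-Output "Auto-tuning level before change: $before"

# Apply the setting only if it is not already in place.
if ($before -ne 'disabled') {
    netsh interface tcp set global autotuninglevel=disabled | Out-Null
}

# Confirm what the stack now reports.
Write-Output "Auto-tuning level after change:  $(Get-AutoTuningLevel)"

# Command that restores the recorded value.
Write-Output "Rollback: netsh interface tcp set global autotuninglevel=$before"
```

With auto-tuning disabled the TCP receive window no longer scales, which can limit throughput on high-latency links. The other accepted values (`highlyrestricted`, `restricted`, `normal`) can be tested the same way to find the least restrictive setting that still gives fast logons.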
 

Author Closing Comment

by:jpgillivan
ID: 37820853
Solved the issue myself