Solved

Peculiar IBM Lotus Notes / Cisco VPN Issue

Posted on 2013-06-28
Last Modified: 2014-10-21
Dear all experts,

I am lost in this issue that recently happened in my company:

The staff in my company are using the Notes client; we are connected to our Domino server locally and we access a few databases that are located on 2 remote servers sitting side-by-side (GCM02 and GCM03).

Since yesterday, we cannot access only GCM02; Notes just freezes and hangs after we choose any database on GCM02.

I am able to ping the GCM02 via cmd prompt, trace GCM02 via Notes client Trace function and telnet GCM02.

After some exhaustive observation and diagnosis, we managed to fix this issue by installing a third party software, 'Cisco Systems VPN Client 5.0.07.0410', without any configuration after installation [1].

I conclude the following:
1) Laptop can only access GCM02 server after reinstalling the VPN client
2) Laptop can still access other Domino servers in the network (in particular GCM03)
3) Laptop cannot access GCM02 regardless of the version of Lotus Notes being used
4) Using different IDs to access GCM02 after installation [1] had no issues accessing
5) Reinstalling Lotus Notes will not solve this issue

On problematic laptop (before installing VPN), Wireshark showed that client received ACK packets twice, but such reading doesn't show on non issue laptop:
PackTracing of issue / non-issue laptop
Please let me know if you need these as I can't attach them here:
> Both PSR recordings on before and after installing VPN client.
> Both registry files that I exported before and after installing VPN client.
> Cisco VPN installer that I used as workaround


I hope to hear good news from fellow experts here, thanks and have a nice day.
-Stephen
Question by:Jiannystein
21 Comments

LVL 46

Expert Comment

by:Sjef Bosman
Obvious questions: what happened yesterday, was anything changed in the configuration, and how many people are concerned?

I assume that, since the connection problems are so wide-spread, it has nothing to do with Lotus Notes itself, unless you somehow blocked port 1352 (the Notes port). But you say that you can trace the 02 server from a Notes client? If the Trace works (using File/Preferences..., Notes Ports, Trace), what happens when you try to open the server, using File/Open/Lotus Notes Application (or Ctrl-O) on the 02 server?

I assume it's a network configuration problem, e.g. there is an IP address conflict or so. Can people from other company locations still access the 02 server?

Did you try to access the 02 server using the Domino Admin client?

Did you try to increase the Port TCP/IP delay settings, in the Preferences?

Author Comment

by:Jiannystein
Hi sjef_bosman,

Checked, there was a Symantec endpoint update on the night before so I tried installing Notes on a freshly installed Windows 7, Notes freezes even using Ctrl+O or accessing 02 db via Workspace.

I believe there's no issue on network side, as we are able to ping the server as I mentioned earlier.

In Domino Admin Client, I can only see my local server and its cluster within my domain. Using File Open on Domino Admin Client was the same, freezes and hang - manually created the nsd log for this as attached nsd-W32I-USER-PC-2013-06-28-16-5.log

Not sure if this helps..

Update:
Manage to reproduce the problem by uninstalling and reinstalling the network drivers
I have to uninstall and reinstall the VPN client (w/ system restart) in order for Notes to open GCM02 again.

Weird, no issues on GCM03, it can be accessed with or without VPN.

LVL 10

Expert Comment

by:larsberntrop
This smells like admins playing with policies and firewall settings

LVL 46

Expert Comment

by:Sjef Bosman
Can you upgrade to R8.5.3, at least one client ? R8.5.1 is rather buggy.

LVL 15

Expert Comment

by:akhafaf
Hi there ,,,

Firstly I would like to ask you to access one of the databases of the GCM02 using iNotes Web access and check if it will work or not ...
Secondly, could you create a "Server Connection Document" on the Lotus Notes client of one of the troubling laptops
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.notes85.help.doc%2Flocacc_create_edit_conn_t.html

Then try to access any database of GCM02

Best Wishes

LVL 10

Expert Comment

by:larsberntrop
From the nsd you attached, ALL network adapters showed either Status: Disconnected or Unreacheable.  => If you have no network connection, you cannot reach the Domino server...

What would also give answers if the VPN client is correctly connecting is opening a command prompt and doing a 'route print'. Perform that on both a working laptop and a faulty one, and compare. The faulty one is probably missing the routes to the network containing the GCM02...

Author Comment

by:Jiannystein
Hi larsberntrop,

On my side, nothing was done on the firewall and GCM side verbally claimed that they didn't do anything to their side as well while me and my team are cracking our heads on this.

Hi sjef_bosman,

I have only tried up to 8.5.2 FP4 and faced a similar problem. I have requested my vendor for the 8.5.3 installer, to see if all these are caused by a bug.

Btw, is there anywhere I can get it online? Couldn't find it on the Passport Advantage site.

Hi akhafaf,
I have iNotes but I am not sure how to access GCM02 databases with it.
I have created the server document in problematic client but the problem persists.

Hi larsberntrop,
Thanks for your response. Did a 'tracert' and noticed that the latency of problematic laptop is double or more (avg 450ms) than the non issue one (avg 198ms) but they both worked.

LVL 15

Expert Comment

by:akhafaf
Ok ,,, on the problematic client laptop could you ,,, telnet GCM02 1352

In order to access iNotes just open Internet Explorer and type GCM02 in the address, then you will be redirected to access it

"If you are able to access GCM02 on the IBM Administrator just check if there is a "redirecting database" on it or if you can create it .
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin.doc%2FDOC%2FH_CREATING_A_DATABASE_REDIRECT_FILE_STEPS.html "

I hope This Helps

Author Comment

by:Jiannystein
Hi akhafaf,

Yes I'm able to telnet into GCM02 and trace it via Notes.
However, upon Ctrl+O or double clicking any of its databases, the Notes client just hangs.

There's not much to see in the conf as GCM02 is managed by the admin there and we are connected to both GCM02 and GCM03 via point-to-point VPN.

LVL 15

Expert Comment

by:akhafaf
Ok ,, As I understood from what you mentioned above, some laptops connect and some don't ... However,, did you check if there is any common thing between all these laptops ?

e.g. NICs, IP addresses, subnets, or could be a common networking router or switch, RAM, CPU.


I hope this helps .

Author Comment

by:Jiannystein
Those that are able to connect, have that Cisco VPN client installed; and those problematic one, either I uninstalled their network drivers or VPN is not installed/reinstalled after network drivers being reinstalled.

My company environment is wireless based and the APs are standardized.
The only common thing I can think of is the VPN Client.

LVL 46

Expert Comment

by:Sjef Bosman
Statement: Notes itself does not hang. Never. It may crash, it may show errors, but it does not hang.

Hence my hypothesis: it's the network somehow, and a faulty driver is part of the communication (network).

There is a debug parameter in notes.ini that you can set, to analyse the NRPC network traffic. See http://gcc.uni-paderborn.de/WWW/WI/WI2/wi2_lit.nsf/KPoolThemes/52D563F0AE630424C1256A630026FA27?OpenDocument

Did you check if there are upgrades available on the VPN client?

LVL 15

Expert Comment

by:akhafaf
@sjef_bosman ,,, this is what I was up to in my last two comments there is no issue with Lotus Domino it is either a network issue or could be a certain issue with these laptops ...

LVL 10

Expert Comment

by:larsberntrop
Have you compared a 'route print' from both a defective laptop and a working one?

What are the differences?

LVL 10

Expert Comment

by:doninja
Looking at the log you posted it says you do not have a cross certificate to server 02 !!

Port trace only checks for port connectivity not authentication.

Is it possible the ID on the server has expired or got changed for some reason?
From the server that is working on the other side of the router, go to the console and do a trace to the server name and then try repl to the server as it may show additional error info.

Also check the cross certificate if the servers are in a different domain to your user ID

Accepted Solution

by: Jiannystein
Fellow experts,

My team found out that the MTU setting on the laptop is changed (from 1500 to 1300) every time we install the client on the PC.

Strange but MTU settings above 1342 will not be able to connect to the server mentioned.

My server and the remote servers are connected via P2P VPN, could this be my ISP side's issue?

LVL 10

Expert Comment

by:larsberntrop
The strange thing about some VPN solutions is that the VPN stuff is hacked onto the packet, and the MTU size needs to be adjusted so the packets plus VPN overhead fit into the MTU further downstream.

So yes, I've seen it before.

Also like you, I scratch my head at the oddity that you need to manage MTU by hand to get a working connection.  My suggestion: try to switch to another VPN solution not implemented by monkeys.
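
An added example, not part of the original thread: the accepted answer's observation (connections to GCM02 fail once the MTU is above 1342) can be measured per server by sending echo requests with the Don't Fragment bit set and binary-searching the largest size that is answered. The 1342 and 1500 byte paths below are constructed sample values, and `ping_df`, `find_path_mtu`, `simulated_path` and `compare` are names chosen for this example.

```python
import platform
import subprocess

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

def ping_df(host, payload, timeout_s=2):
    """One echo request of `payload` bytes with Don't Fragment set.
    Handles Windows (-f -l) and Linux (-M do -s) ping only."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    # Exit codes alone are not dependable everywhere, so also require the
    # TTL field that only a real echo reply carries.
    return out.returncode == 0 and "ttl=" in out.stdout.lower()

def find_path_mtu(probe, low=576, high=1500):
    """Largest IP packet size in [low, high] that gets through unfragmented.
    `probe(payload)` -> bool. Returns None when even `low` fails (host down
    or ICMP filtered), because then nothing can be concluded."""
    if not probe(low - ICMP_OVERHEAD):
        return None
    best, lo, hi = low, low + 1, high
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid - ICMP_OVERHEAD):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best

def simulated_path(path_mtu):
    """Constructed stand-in for a link that silently drops larger packets."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu

def compare(probes):
    """Measure every server; a lower value on one path marks the odd one out."""
    return {name: find_path_mtu(p) for name, p in probes.items()}

if __name__ == "__main__":
    # Constructed values: GCM02 behind a 1342-byte path, GCM03 at 1500.
    print(compare({"GCM02": simulated_path(1342), "GCM03": simulated_path(1500)}))
    # Against real hosts: compare({h: (lambda p, h=h: ping_df(h, p)) for h in hosts})
```

A client whose interface MTU is at or below the value measured for a server never sends a packet that path drops, which matches the laptops working once the VPN client had set the MTU to 1300.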