
VPN disconnects after 2 minutes


SomeFred

Technical User
Feb 20, 2004
2
BE
Hi,

I'm using an isa-server as vpn server. From some locations the connection drops after two minutes. First on the server, several seconds later on the client. The client can be an XP or 2000, both are the same.
The clients where the connection drops are located behind a firewall where nat is used.
Now (on the server side) the isa-server is located behind another firewall (Astaro), and port-forwarding is used for the vpn incoming connections.
If I configure the astaro as vpn-server, all works fine.
Now you probably will ask if I checked if the isa-server works without the astaro? I wouldn't know, it's a running system now, and I can't check that anymore.

Little scheme:

Server side                         Client side
(LAN)- ISA - Astaro --/--(WAN)--/-- FW -(LAN)- Client

There is nothing in the event viewer of the isa server. It just drops.

This I have on my client:

Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20159
Date: 20-2-2004
Time: 16:49:23
User: N/A
Computer: CLIENTNAME
Description:
The connection to Connectionname made by user username using device VPN3-1 was disconnected.


But that isn't much of a help.

I already installed a hotfix of Microsoft for connection drops after 60 seconds, but it didn't help.


Has anyone got an idea?
Please help me.
Thanks!
Fred.
 
I’m not familiar with the Astaro device you speak of, but it seems that it is having an issue with forwarding or your client doesn't support NAT-T. But it’s interesting that this works for some locations as you mention. Hmmm.

You implied that the connection is working at some locations. At these working locations, are the clients connecting through a NAT router? I’m guessing no.

Are you using IPSec? If you are using IPSec, are the clients able to do anything for that 2-minute period where they appear to be connected? I’m just looking for some clarification since I suspect that maybe they are successfully negotiating Phase 1 of the IPSec connection but the Phase 2 is being dropped (because of the NAT). This would make it so they would not be able to do anything while connected.

Make sure that the VPN client that you are running supports NAT-T, and be sure that option is enabled. Your client must support this to connect from behind a NAT router.

I’m not sure about ISA server since I’ve never run it (we’re looking into it though), but be sure that it is configured to accept NAT-T connections (I have to believe it can support this).

If all of that checks out, I'd suspect some sort of pass through problem on the Astaro, but try the above first. Be sure to let us know! I'd like to see what you come up with.

deeno
 
Hi,

I use PPTP VPN. I don't really know what NAT-T is, so I tried to find it out. It seems to me that it's related to L2TP, so if I understand this well, this is not an issue, I think. (not sure)
I give you an example to exclude some questions:
My portable works fine at home, but once in the lan of my company (client side on the scheme above), I have the problem. At home I use a simple NAT router.
Within those two minutes of connection, I can do everything I want. (ping, telnet,...)
If I look in RAS on the ISA server, I see that the connection is dropped after exactly 2 minutes.

Now I'm going to make it complicated. Situation number two: We change the direction of the VPN's. At my company, we also have a vpn server (also ISA server). There is also another firewall in between, but not an astaro. Very weird, but from home I can connect perfectly, but from within the lan of the other company (server side of the scheme above) I'm being disconnected!?
Conclusion: the two sites can't connect to each other, but they can connect to other places (via VPN) and other places can connect to both sites.
There is on my great :) little scheme above a firewall missing on the client side. I did that not to make it more complicated than needed. But for the situation described here, it might be necessary to add it.

Site1                               Site2 (my company)
(LAN)- ISA - Astaro --/--(WAN)--/-- FW -- ISA -(LAN)- Client

I hope that it gives you a more clear overview of the situation, nevertheless I'm afraid that it's probably the other way around.

Hopefully waiting for your reply,
Fred.

More information of Astaro you can find at This is an easy to install and configure linux based firewall.
 
Well, Fred, I'm stumped on this one for now. That's a real interesting problem. I'll post back if something comes to mind. Hopefully in the meantime someone will have some ideas for you to try.

Keep us posted. I'll be interested to see the solution for this one...

deeno
 
It sounds like the astaro may be the problem... Maybe some test can be run where you connect to the VPN from inside the LAN to bypass the astaro..??

This may be a dumb question, but have you checked the RAS Policy on the ISA server restricting the max session time and idle timeout?
 
If you are also using ISA as a firewall, the problem you describe has been around for a while, ie the 2 minutes disconnection when using ISA in firewall mode.
I only managed today to get around this by bypassing the firewall whenever I wanted to VPN to remote clients. You may want to have a look at:

for more discussion on this topic.

Hope that helps some.

Claudius (What certifications??)
 
I came across this problem when I had a network installed at home using internet connection sharing and tried to VPN in to work. XP will not allow this to happen and is by design from Microsoft. When I contacted Microsoft they said they were aware of the problem and it would be sorted in the next SP release. That would make it SP2 for XP. The issue is that XP will automatically designate a static IP of 192.168.0...... in the private address range when using connection sharing. Just another flaw in Microsoft shitware. So if you are wanting to VPN into the work environment I suggest you switch off internet connection sharing. Worked for me :0)

Chars
 
Fred,

I'm wondering if LCP requests are being blocked somewhere, and aren't being responded to from the VPN client, causing a disconnect after 2 minutes. The VPN connection might get established, but drop out after a number of failed requests. Let me think about how you might test this and I'll get back later.
 
Fred,

Try disabling LCP Extensions on the client that's having disconnect issues.
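
Added example (not part of any post in this thread): one way to check the LCP hypothesis from the two posts above is to pair LCP Echo-Requests with Echo-Replies in a packet capture and list the requests that never got an answer. The packet layout follows RFC 1661; the direction labels, timestamps and the `SAMPLE` capture are constructed for illustration and do not reflect measured Windows or ISA timer values.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 9, 10  # LCP codes defined in RFC 1661

def build_echo(code, ident, magic):
    """Build a minimal LCP echo packet: Code, Identifier, Length, Magic-Number."""
    return struct.pack("!BBHI", code, ident, 8, magic)

def parse_lcp(frame):
    """Return (code, identifier, magic) for an LCP echo packet, else None."""
    if len(frame) < 8:
        return None  # too short to hold header plus Magic-Number
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code not in (ECHO_REQUEST, ECHO_REPLY) or length < 8 or length > len(frame):
        return None  # not an echo packet, or the length field is inconsistent
    (magic,) = struct.unpack("!I", frame[4:8])
    return code, ident, magic

def unanswered_echoes(capture):
    """capture: list of (seconds, direction, frame), direction being
    'srv->cli' or 'cli->srv'. Returns (timestamp, direction, identifier)
    for every Echo-Request that no Echo-Reply from the peer matched."""
    pending = {}  # (request direction, identifier) -> timestamp
    for ts, direction, frame in capture:
        parsed = parse_lcp(frame)
        if parsed is None:
            continue
        code, ident, _ = parsed
        if code == ECHO_REQUEST:
            pending[(direction, ident)] = ts
        else:
            # A reply travels in the opposite direction to its request.
            req_dir = "cli->srv" if direction == "srv->cli" else "srv->cli"
            pending.pop((req_dir, ident), None)
    return sorted((ts, d, ident) for (d, ident), ts in pending.items())

# Constructed capture: the client's echo is answered, the server's four are not.
SAMPLE = [
    (30.0, "srv->cli", build_echo(ECHO_REQUEST, 1, 0x2222)),
    (45.0, "cli->srv", build_echo(ECHO_REQUEST, 7, 0x1111)),
    (45.2, "srv->cli", build_echo(ECHO_REPLY, 7, 0x2222)),
    (60.0, "srv->cli", build_echo(ECHO_REQUEST, 2, 0x2222)),
    (90.0, "srv->cli", build_echo(ECHO_REQUEST, 3, 0x2222)),
    (120.0, "srv->cli", build_echo(ECHO_REQUEST, 4, 0x2222)),
]

if __name__ == "__main__":
    for ts, direction, ident in unanswered_echoes(SAMPLE):
        print(f"{ts:6.1f}s {direction} echo-request id={ident} never answered")
```

Running the same check on captures taken on both sides of a firewall shows whether the requests or the replies are the packets that go missing.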

 
Hi, I just spent two weeks struggling with a VPN that disconnected after 2 minutes.

The problem was finally fixed by upgrading the firmware in the NetGear ProSafe Firewall (FRP114P).

In my situation, I had Earthlink DSL modem, NetGear Router and Windows 2000 laptop which connected fine. When the Windows 2000 laptop was replaced with new Windows XP laptop, the VPN would disconnect every 2.36 minutes like clockwork, very annoying.

To diagnose the problem, I removed the router from the equation and connected the new laptop right to the DSL modem and the VPN was fine. So I deduced my choices were find/fix Win XP PPTP or fix router. Luckily the firmware upgrade (available from netgear.com) did the trick. I had never done a router firmware upgrade but it wasn't too bad, I just followed the instructions.

Hope this helps you or someone else out there searching in google for "vpn disconnects after 2 minutes".
 