VPN stops working - disconnect/connect and it works... for a while.

    Question

  • The VPN connection connects quickly and works for a while. It will quietly fail after a random amount of time. Disconnecting and connecting makes it work again for a while. When it is not working, I cannot ping addresses on the internal network (therefore this is not a DNS issue). Both ends (RRAS and the client) show that the connection is connected. The client has no problem getting to internet sites (I have unchecked "use default gateway on remote network") while the VPN is dead. The VPN does not recognize it is dead and therefore does not auto redial (it will redial properly if I unplug/plug the cord). Other computers in the same office (therefore using the same internet connection) work properly before, during, and after the other computer goes dead. On some days it might be hours before the connection fails, and on other days it might fail almost immediately after connecting.

    I have 2 different setups that exhibit the same behavior. Neither setup is related to the other. Both are Win 2k8 R2 servers running RRAS to provide the VPN server. One is the DC (so this is a multi homed DC), the other is not. I did not change VPN settings from the defaults.

    A Win 7 client has had this problem, and so has a Win XP client. We use the built-in Windows VPN. The bad behavior has happened from 2 different locations.


    Thursday, June 06, 2013 12:37 AM

All replies

  • Hi John,


    Thanks for the post and sorry for the delay.


    Firstly, would you please let us know more details about the configurations. Do you see any error on client side or VPN server side?


    More information:


    Common VPN Problems

    http://technet.microsoft.com/en-us/library/cc958057.aspx


    VPN Troubleshooting Tools

    http://technet.microsoft.com/en-us/library/cc754825(v=ws.10).aspx


    Hope this helps.


    Jeremy Wu
    TechNet Community Support

    Monday, June 10, 2013 7:40 AM
  • There is nothing in either the client or server application or system event logs that appears after the user said it was working fine and before she said it had died. I see one entry on the client side where the time server is complaining it cannot get the latest time update, but that entry is right when she called me to say it was dead, so that entry seems to be just another victim of the problem.

    The common VPN problems link that you provided does not help. My connections work properly except they quietly stop working, but disconnecting/connecting fixes it.

    The second link you provide might have a good suggestion for turning on additional logging, but it was not obvious what I should turn on and what I should look at when it fails. I have some logging turned on on the server side, but that seems to produce a file in {windows}\system32\logfiles that has the connects/disconnects but no raw information about the connections that might be helpful for debugging.

    Monday, June 10, 2013 11:36 PM
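The post above notes that the RRAS log under {windows}\system32\logfiles only records connects and disconnects. The following is an added example, not code from the thread or from Microsoft: a PowerShell script for the Win 2k8 R2 RRAS server that turns on RAS component tracing (netsh ras set tracing, which writes per-component logs such as PPP.LOG and RASMAN.LOG to %windir%\tracing) before the next failure, and afterwards gathers those trace files plus the RAS-related System/Application event entries for a window around the time the user reported the tunnel dead. The output folder C:\RasDiag and the provider-name pattern are assumptions to adjust for your server.

```powershell
# Added example (not from the thread): collect RRAS evidence around a reported failure.
# Assumed placeholders: C:\RasDiag as output folder; the provider-name regex below
# lists the usual RAS/IPsec event sources and should be checked against Get-WinEvent
# output on the actual server.
param(
    [ValidateSet("enable", "collect", "disable")]
    [string]$Action = "collect",
    [datetime]$FailedAt = (Get-Date),   # time the user reported the tunnel dead
    [int]$WindowMinutes = 30,            # collect +/- this many minutes around FailedAt
    [string]$OutDir = "C:\RasDiag"       # placeholder output folder
)

function Set-RasTracing {
    # "netsh ras set tracing * enabled" writes component traces to %windir%\tracing.
    param([bool]$Enabled)
    $state = if ($Enabled) { "enabled" } else { "disabled" }
    netsh ras set tracing * $state | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-RasEvents {
    # RAS, IPsec and TCP/IP events from both logs inside the window.
    param([datetime]$From, [datetime]$To)
    $filter = @{ LogName = @("System", "Application"); StartTime = $From; EndTime = $To }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match "RemoteAccess|RasMan|RasClient|Tcpip|IPsec|IKE" } |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message
}

function Export-RasDiagnostics {
    param([datetime]$Center, [int]$Minutes, [string]$Dir)
    $target = Join-Path $Dir ("{0:yyyyMMdd-HHmm}" -f $Center)
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $from = $Center.AddMinutes(-$Minutes)
    $to   = $Center.AddMinutes($Minutes)

    Get-RasEvents -From $from -To $to |
        Export-Csv -Path (Join-Path $target "ras-events.csv") -NoTypeInformation

    # Component trace logs written since the start of the window.
    Get-ChildItem (Join-Path $env:windir "tracing") -Filter *.log -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $from } |
        Copy-Item -Destination $target

    # The RRAS accounting log mentioned in the thread (connect/disconnect records).
    Get-ChildItem (Join-Path $env:windir "system32\LogFiles") -Filter *.log -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $from } |
        Copy-Item -Destination $target

    return $target
}

switch ($Action) {
    "enable"  { Set-RasTracing $true  | Out-Null; "RAS tracing enabled; after the next failure run again with -Action collect -FailedAt <time>" }
    "disable" { Set-RasTracing $false | Out-Null; "RAS tracing disabled" }
    "collect" { "Collected into " + (Export-RasDiagnostics -Center $FailedAt -Minutes $WindowMinutes -Dir $OutDir) }
}
```

Run it once with `-Action enable` from an elevated prompt, wait for the user to report a dead tunnel, then run `-Action collect -FailedAt "2013-06-10 15:20"` with the time she called. The CSV shows whether RAS, IPsec or TCP/IP logged anything at all in the window, which is the first thing a support engineer will ask for; tracing should be disabled again afterwards because the trace files grow quickly.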
  • I noticed that at startup the server has the following in the system event log at startup time for the computer. I concluded that this would only prevent a certain type of VPN connection, but would not cause a good connection to quietly stop working at random times.

    Failed to apply IP Security on port VPN2-45 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.


    Thursday, June 13, 2013 2:56 PM
  • Just to point out, other than if it's an SBS server, multihoming a DC is not advised or recommended due to AD authentication issues it can cause with AD-client communications. RRAS/VPN is recommended on a non-DC.

    As for the dropping out, what sort of ISP line do you have? Is it an ADSL/PPPoE line, SDSL, digital, cable, or FIOS?

    What type of firewall/router is handling internet access?

    If you are using PPTP, you can ignore the L2TP message.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, June 14, 2013 4:31 AM
  • I understand the multihoming DC recommendation. That is why I state that I have two setups, where one does not have a multihomed DC and the RRAS/VPN is not on the DC, and both fail the same way. I turned off "client for microsoft networks" on the internet adapter on that server. I have no problems using that server. Nobody in the customer office that is directly connected to the multihomed DC server complains about authentication, or anything really. From my home to that VPN, I have had no failures, but I don't use it as much as the customer uses it. So, I have concluded that I am not suffering any multihoming problems.

    Both setups are using windows firewall.

    I am using whatever defaults RRAS/VPN uses.

    Comcast Business (my customer) to Comcast Business (my customer's main office), the one with the server that is the DC and runs RRAS/VPN, has the failure.

    My comcast home to a datacenter, where I rent a rack, has the failure.

    My comcast home to the comcast business has been fine, but I don't use it nearly as much as the customer. 

    The longer story is that the customer setup that I am most concerned about, used to have a sonic wall and the client side had a wireless router daisy chained off of the comcast business router. They needed another VPN connection and had complaints about the VPN failing to connect in the morning. The customer is not a great witness, but she indicated that it would fail at random times, then work. Instead of buying another $50 license to use 2 VPNs via the sonic wall, I removed the sonic wall and used RRAS. I also eliminated the wireless router, and instead had the 3 devices in that office plug directly into the comcast business router.

    The summary is that I have changed the VPN server and client from sonic wall to RRAS and windows client, and the symptoms still exist.

    How do the VPN protocols work? Is there some state information that, if lost via the internet, will make it fail until disconnect/reconnect? (how pathetic if that is true). Is PPTP better or worse than L2TP in that regard? Is there some preferred VPN method I should choose?

    jt

    Friday, June 14, 2013 2:49 PM
  • We always warn about multihoming, whether it's "working" for someone or not. It's just a warning.

    There is no PPTP, L2TP, SSTP, etc, VPN state data that will intermittently fail or not across the internet. You can keep a VPN connected almost forever as long as there are no blips in the connection.

    So I'm thinking there is a connectivity issue. That's the best I can say. Have you discussed this with the datacenter colo techs? I suggest to open a ticket or dialogue and get them involved.


    Ace Fekay

    Friday, June 14, 2013 4:24 PM
  • Why wouldn't there be a blip in the internet connection? I mean TCP resends packets to handle the losses.  If VPN can stay connected and working properly forever, then it certainly has the ability to handle dropped packets. Whether that is at the TCP level, or at a higher VPN protocol level is beyond my knowledge. In addition, why is the stupid thing unable to detect that it has no connection? It is blatantly obvious to us humans that it isn't working, yet it stays "connected". Why will it properly auto reconnect if I yank the cord and put it back in, but it cannot detect that nothing is working in this situation?

    But notice, again, I have this problem on 2 different servers. So, yes, I could attempt to discuss this with both the colo techs (my server) and the Comcast techs (my customer's server), but while this failure is happening, gobs of traffic will be flawlessly sent to/from the colo and to/from the customer's office. I can just imagine the discussion with the colo and Comcast techs. Um, so you're saying the internet connection looks perfect, and you have a problem with your VPN? Um, why don't you contact the people that supply the VPN?

    As stated in the opening remarks, the internet connection before, during, and after the failure seems fine. And I had a VPN connection to the same server working properly before, during, and after the failure, where both client computers (working and non-working) were connected to the same Comcast Business router.

    Friday, June 14, 2013 7:56 PM
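The post above asks why the client cannot detect that the tunnel is dead and redial, given that it does redial when the cable is pulled: RAS only reacts to link-layer events, not to a tunnel that is up but silently forwards nothing. The following is an added example, not code from the thread or from Microsoft: a PowerShell watchdog for the built-in Windows VPN client that probes a host that is only reachable through the tunnel and performs the disconnect/connect the thread reports as the working fix. The entry name "CorpVPN", the probe address 10.0.0.1 and the assumption that the entry has saved credentials (so `rasdial CorpVPN` dials without prompting) are placeholders.

```powershell
# Added example (not from the thread): detect a "connected" VPN entry that no longer
# passes traffic, and hang up / redial it. Assumed placeholders: entry "CorpVPN",
# probe host 10.0.0.1 on the remote network, saved credentials on the entry.
param(
    [string]$EntryName     = "CorpVPN",
    [string]$ProbeHost     = "10.0.0.1",
    [int]   $IntervalSec   = 30,
    [int]   $FailThreshold = 3,   # consecutive failed probes before redialing
    [string]$LogPath       = "$env:ProgramData\vpn-watchdog.log"
)

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Test-EntryConnected {
    # "rasdial" with no arguments lists the entries RAS believes are connected.
    param([string]$Name)
    $listing = rasdial 2>&1
    return [bool]($listing | Where-Object { $_ -like "*$Name*" })
}

function Test-TunnelAlive {
    # A reply from an address that exists only behind the tunnel proves traffic
    # is flowing; the "connected" status by itself does not.
    param([string]$Target)
    return [bool](Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue)
}

function Restart-Entry {
    # The workaround from the thread: disconnect, then connect again.
    param([string]$Name)
    Write-Log "Hanging up $Name"
    rasdial $Name /DISCONNECT | Out-Null
    Start-Sleep -Seconds 5
    Write-Log "Redialing $Name"
    $output = rasdial $Name 2>&1
    Write-Log ($output -join " ")
    return ($LASTEXITCODE -eq 0)
}

$failures = 0
Write-Log "Watchdog started for $EntryName, probing $ProbeHost every $IntervalSec s"
while ($true) {
    if (-not (Test-EntryConnected $EntryName)) {
        # RAS noticed the drop itself (for example the cable was pulled): just redial.
        Write-Log "$EntryName is not connected"
        Restart-Entry $EntryName | Out-Null
        $failures = 0
    }
    elseif (Test-TunnelAlive $ProbeHost) {
        if ($failures -gt 0) { Write-Log "Probe answered again after $failures failure(s)" }
        $failures = 0
    }
    else {
        # The silent failure from the thread: status says connected, traffic is dead.
        $failures++
        Write-Log "Entry shows connected but $ProbeHost did not answer ($failures/$FailThreshold)"
        if ($failures -ge $FailThreshold) {
            Restart-Entry $EntryName | Out-Null
            $failures = 0
        }
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Run it in a PowerShell window on the Win 7 client (or as a scheduled task at logon); the timestamped log it writes gives the exact moment the probe first failed, which is what you need when comparing against the server-side event logs or asking the ISP about that minute. Probe an address the user actually needs (a file server, not the VPN gateway itself) so that a failure of the probe matches what the user sees.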
  • I understand your frustrations. I believe troubleshooting the issue requires some hands-on access. My suggestion at this point to resolve this for you and your customer is to contact Microsoft Support to get them involved, to at least see if the issue is on the Windows side before contacting the colo and Comcast.

    Ace Fekay


    Friday, June 14, 2013 9:31 PM
  • Hi John,


    I would like to check if you need further assistance.


    Thanks.


    Jeremy Wu
    TechNet Community Support

    Monday, June 17, 2013 4:45 AM
  • I do need help. Nothing has changed since I first posted this.


    Monday, June 17, 2013 6:52 PM
  • Have you contacted Microsoft support?

    Ace Fekay

    Monday, June 17, 2013 8:48 PM
  • I am reluctant to spend $259 on a support ticket with Microsoft when I have no clue what this actually buys me. Does this simply force my customer to spend more hours on me running a bunch of experiments with Microsoft support to prove that I am not lying about the symptoms, and then more hours wasted changing random things to see if that makes the symptoms go away?

    I do not find others with similar symptoms, so I am baffled. Maybe nobody uses Microsoft's VPN. That seems ridiculous. Maybe nobody has it configured like I do? That seems ridiculous because it took me all of 15 minutes to set up RRAS with the wizard/defaults. Maybe some strange combination of RRAS and AD and some Microsoft bug, and this hardware, is causing the trouble, which will take forever to sort out.

    I am thinking I should set up a Linux box dedicated to doing the VPN.


    Wednesday, June 19, 2013 6:04 PM
  • Again, I understand your frustration. I don't know the source of the problem. I have Windows VPN running at four different customer sites with no problems. If you feel going to a third party will take care of the problem, that is totally understandable. I just provided you an option to resolve it and have something armed in hand to present to your ISP or firewall vendor, if (only if) that is the cause.

    And I assume the problem does not occur internally, meaning as a test, you can connect 4 or 5 internal computers to the internal VPN server IP address. If the problem doesn't occur, it's a red flag that it's a perimeter firewall/router causing it.


    Ace Fekay

    Wednesday, June 19, 2013 9:04 PM
  • Hi John,


    I would like to check if you need further assistance.


    Thanks.


    Jeremy Wu
    TechNet Community Support

    Friday, June 21, 2013 2:56 AM
  • Nothing has changed.

    jt

    Monday, June 24, 2013 2:30 PM