I think we've tracked down the root issue for our one problem DA user. Have others seen this?

  • General discussion

  • Hi all,

    It seems that the one user we have who's routinely been having problems with DirectAccess has a home connection that's flaky... but just a little flaky.  We knew a 3rd-party (Cisco) IPSEC VPN was working for him, but he was having problems with DA, saying it was flaky.  DCA logs he'd send in would indicate pings to some probes would time out, and often after name resolution worked.  It always showed Teredo in a connected state, and IP-HTTPS as disconnected with an error state of 0x0 (so it wasn't trying to fall back).

    He'd describe situations where the connection would work, and then flake out for a while, then work again.  System startup was very slow remotely, and would sometimes take nearly an hour. He's an AT&T DSL user, and it turns out they've had some known problems in his neighborhood, which were supposedly fixed a while back, although again my suspicion is things remain flaky.

    After doing some testing, we found that if we disable Teredo for him to force the use of IP-HTTPS, things actually work well.  So an IPSEC VPN and DA IP-HTTPS work pretty well, but functionality goes on and off with Teredo.  I need to have him do some line quality tests yet, but line quality sure looks/feels like the problem, especially since his machine works great with DA at other coffee shops/restaurants where he's tested it.

    My immediate inclination is to make a special group policy for users in this rare situation that disables Teredo and forces the use of IP-HTTPS, because I suspect that his problem might be that Teredo could be more affected by things like intermittent high latency or packet loss.  And since we're about to scale this to many thousands of users, I imagine we will run into this again.  Anyone else ever see this, or does it seem totally implausible?

    Thanks,

    Ross

    • Edited by RossJG Wednesday, February 22, 2012 3:32 PM
    • Changed type RossJG Wednesday, February 22, 2012 8:24 PM Not really a technical Q, just asking if others have seen the same thing
    Wednesday, February 22, 2012 3:31 PM

All replies

  • Note that the Cisco VPN Client will change the default MTU on your entire computer from 1500 to 1300.  For one of our users, this killed their VPN reliability; perhaps this is happening here.

    There is a utility called Set MTU that is typically installed with the Cisco VPN client; you can try setting the values back to 1500 on each of the adapters and rebooting to see if his experience changes.

    Thursday, February 23, 2012 4:12 PM