2 Replies Latest reply on Jan 2, 2014 1:42 PM by sunshine

    User VPN to MS RAS drops in 1 min after crossing NetVanta1335

    sunshine New Member

      Hi Community,

I have users in a remote branch that are having an issue maintaining a VPN connection back to HQ.  The clients (both XP and Windows 7) establish a VPN connection back to our Microsoft Remote Access Server: GRE and PPTP. (Old school, I know. We're in the process of upgrading.) These branches connect to the internet, not an MPLS or private network.


As long as the users are actively sending data across the VPN link, the VPN works fine.  However, as soon as they stop actively using it, within 60-120 seconds of inactivity something strange happens: the VPN status shows as up and connected on both the client system and the RAS server, but no traffic will pass. Ping, DNS lookups, nothing works, bi-directionally.  The client and server show that the VPN is established, but no traffic can reach the other side.

Our temporary workaround is to have users start a ping that runs for the duration of their VPN session. As long as that ping is running, the connection passes traffic.  If they stop it, within 60-120 seconds of inactivity all traffic stops flowing. Obviously this isn't a final solution.


      If the same user and the same computer connect over a MiFi on the cellular network or connect from home, the issue does not occur. It only seems to occur when the user is NATted behind our 1335.


      The 1335 is running AOS 18.02.01.00.E.


The tricky part is that I can't tell exactly *where* the traffic is being stopped. Is it inside the tunnel? Is it on the RAS server? If so, why isn't it consistent across the board in our other locations? Traceroute doesn't reveal anything because the first hop is the RAS server and the rest is internal; any traceroute to an internal resource should only have 2 hops.


      So, Community, what tools or commands are available on the AdTran to allow me to watch the traffic between a host and a destination over the internet in real time? I need to see if the GRE traffic stops altogether or if the issue is inside the tunnel. Because of the location of this user, I cannot do the packet capture I would normally do.


      Any other insights would be appreciated as well.

      Thanks Community.

        • Re: User VPN to MS RAS drops in 1 min after crossing NetVanta1335
          petersjncv Visitor

          Check your default GRE timeout in the NetVanta.  I believe it is 60 seconds.


          ip policy-timeout gre 60


You can see the default setting through a "sh run verbose" in the CLI.  You likely need to increase that.  Does the VPN client have a keepalive timer?  The goal would be to set it just slightly longer than any keepalive timer on the VPN connection (for example, if the connection sends a keepalive packet every 5 minutes, consider setting the timeout value for GRE to 6 minutes, or change the VPN keepalive to under 60 seconds).


          You should be able to see the outbound connection in the policy table of the NetVanta using the CLI.  You can't keep the table loaded in "real time" exactly, but you get the real time output of open connections when you run the command.


          # sh ip policy-sessions


          Look for the destination IP and the internal source address in the table and check the ports that are in use.
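The timeout-versus-keepalive relationship in the reply above, and the ping workaround from the original post, modelled as an added example. This is my illustration, not AdTran code and not anything posted in the thread. It assumes a deliberately simplified stateful session table: a GRE entry is created when the PPTP call is set up, refreshed by every GRE packet the inside host sends (a ping inside the tunnel is still a GRE packet on the outside of the NetVanta, which is why the workaround works), and inbound GRE is forwarded only while the entry exists. That an unsolicited outbound GRE packet does not recreate an entry that has already idled out is a modelling assumption chosen to reproduce the reported symptom, not documented AOS behaviour. The addresses, timestamps and the 30-second keepalive interval are constructed for the example.

```python
"""Model of a stateful policy/NAT session table with an idle timeout for GRE.

Added example for this thread, not AdTran/AOS code. Everything except the
60 s GRE default quoted in the reply is a constructed assumption.
"""
from dataclasses import dataclass, field

DEFAULT_GRE_TIMEOUT = 60            # seconds, per the reply's quoted default
CLIENT = "192.168.10.25"            # constructed inside address
RAS = "203.0.113.10"                # constructed (TEST-NET-3) RAS address


@dataclass
class GreSessionTable:
    """Minimal idle-timeout session table keyed by (inside_ip, server_ip)."""
    timeout: int = DEFAULT_GRE_TIMEOUT
    last_seen: dict = field(default_factory=dict)

    def setup(self, inside_ip, server_ip, now):
        # Stands in for the PPTP ALG creating GRE state at call setup.
        self.last_seen[(inside_ip, server_ip)] = now

    def _expire(self, now):
        # Drop entries that have been silent for longer than the timeout.
        for key, t in list(self.last_seen.items()):
            if now - t > self.timeout:
                del self.last_seen[key]

    def outbound_gre(self, inside_ip, server_ip, now):
        """Inside -> Internet GRE packet. Returns True if forwarded."""
        self._expire(now)
        key = (inside_ip, server_ip)
        if key not in self.last_seen:
            return False            # assumption: no entry, no re-creation
        self.last_seen[key] = now   # any GRE packet refreshes the entry
        return True

    def inbound_gre(self, server_ip, inside_ip, now):
        """Internet -> inside GRE packet. Forwarded only while state exists."""
        self._expire(now)
        return (inside_ip, server_ip) in self.last_seen


def run_session(events, timeout):
    """Replay (t, 'out'|'in') events through a table; return (t, dir, ok)."""
    table = GreSessionTable(timeout)
    table.setup(CLIENT, RAS, 0)
    results = []
    for t, direction in events:
        if direction == "out":
            ok = table.outbound_gre(CLIENT, RAS, t)
        else:
            ok = table.inbound_gre(RAS, CLIENT, t)
        results.append((t, direction, ok))
    return results


# Constructed traffic traces (seconds since PPTP call setup).
IDLE_USER = [(5, "out"), (6, "in"), (30, "out"), (150, "out"), (151, "in")]
PING_WORKAROUND = [(t, "out") for t in range(0, 151, 30)] + [(151, "in")]


def required_gre_timeout(keepalive_interval, margin=1.2):
    """GRE timeout that outlasts the client's keepalive interval.

    Follows the reply's rule of thumb (5 min keepalive -> 6 min timeout);
    the 20 % margin is a constructed default, not an AOS recommendation.
    """
    return int(round(keepalive_interval * margin))


def main():
    for name, trace, timeout in (
        ("idle user, default timeout", IDLE_USER, DEFAULT_GRE_TIMEOUT),
        ("idle user, raised timeout", IDLE_USER, required_gre_timeout(300)),
        ("ping workaround, default timeout", PING_WORKAROUND, DEFAULT_GRE_TIMEOUT),
    ):
        print(f"{name} (gre timeout {timeout}s):")
        for t, direction, ok in run_session(trace, timeout):
            print(f"  t={t:>4}s {direction:<3} {'forwarded' if ok else 'DROPPED'}")
    print("config line for a 300 s keepalive: "
          f"ip policy-timeout gre {required_gre_timeout(300)}")


if __name__ == "__main__":
    main()
```

Running it shows the reported symptom directly: with the 60-second default, the idle user's first packet after two minutes of silence is dropped in both directions even though neither tunnel endpoint has torn anything down, while the 30-second ping keeps refreshing the entry and a timeout sized above the keepalive interval makes the silence harmless. When checking a real NetVanta, the equivalent is watching the entry for the client/RAS pair disappear from "sh ip policy-sessions" after the idle period.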