VPN keeps dropping


tauese (THREAD STARTER)
Junior Member with 5 posts.
Join Date: Jul 2006
Experience: Intermediate
11-Jul-2006, 11:15 PM #1
I have two identical D-Link VPN routers at two different locations using the same ISP...
I set up a VPN tunnel between the two sites... but every now and then we lose connection over the VPN and have to reboot one of the routers to get it going again... at first I thought it was the IPSEC and IKE LIFE TIME setting but I've tried both extending it and setting it to zero, which seemed to make it worse... attached are pictures of the VPN settings (minus our global IP address of course)... hopefully someone can help.. we have one Sonic wall router which isn't being used right now and we're contemplating getting another and making it a Sonic wall VPN instead of a D-Link one.. but I'd rather just save the 2 grand and fix the problem with what we've got now...
Attached thumbnails: ike-proposal-settings.jpg, ipsec-proposal-settings.jpg, tunnel-settings.jpg
tauese (THREAD STARTER)
Junior Member with 5 posts.
Join Date: Jul 2006
Experience: Intermediate
14-Jul-2006, 03:39 PM #2
No takers yet, that's aight, this has stumped me for a while... anyways I updated the firmware on both sides of the VPN thinking that the auto-reconnect feature in the 1.43 version would save me from having to reboot the routers but sure enough this morning I had to do just that... I actually had to physically reboot one of them as I couldn't even ping it from my computer.... then, to get the VPN going we had to reboot the other site's router but it worked through the router's GUI...
tauese (THREAD STARTER)
Junior Member with 5 posts.
Join Date: Jul 2006
Experience: Intermediate
18-Jul-2006, 05:14 PM #3
OK.. it's still giving me hassles and I'm running out of options... I'm thinking that it's a problem with my ISP but they of course don't... either that, or D-Link makes the worst VPN routers in the world.... one thing though is upgrading the firmware has seemed to reduce the down time a little as it seems to have stayed up over the long weekend (local holiday yesterday), but this morning, as people actually tried to use it, it disconnected several times... could it be some malware on one of the client machines ???
O111111O
Senior Member with 894 posts.
Join Date: Aug 2005
Location: Right here.
Experience: 31337
21-Jul-2006, 11:07 PM #4
Make IKE timeout longer than IPSEC. Keep IPSEC timeout short. IPSEC SA may be expiring on one side because of no interesting traffic. Keep IPSEC timeout short to make it renegotiate sooner.

IKE timer is quite often 24 hours or more, but many times I keep IPSEC timer short - around 2 hours if possible. Timers should be identical on both routers.

-------------

Also, not sure about the D-Link & its setup. But general IPSEC rules prohibit you from encapsulating any overlap. I.e. 192.168.1.0 can't encrypt to 192.168.1.0. IPSEC SA rules should be different subnets with IDENTICAL netmasks and no overlap.

Example:

Site 1: 192.168.1.0 255.255.255.0
Site 2: 192.168.2.0 255.255.255.0

Site 1 encrypts traffic from 192.168.1.0/24 to 192.168.2.0/24
Site 2 encrypts traffic from 192.168.2.0/24 to 192.168.1.0/24
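
The rules in post #4 (IKE lifetime longer than IPsec lifetime, identical timers on both routers, different subnets with identical netmasks, each side encrypting to the other's subnet) written as a consistency check. This is an added example, not part of the original thread and not D-Link's configuration format; the `TunnelEnd` record, the `check_tunnel` function and the sample lifetimes are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class TunnelEnd:
    """One router's tunnel settings (hypothetical record, not a D-Link format)."""
    name: str
    local_net: str       # subnet this side encrypts traffic from
    remote_net: str      # subnet this side encrypts traffic to
    ike_lifetime: int    # seconds
    ipsec_lifetime: int  # seconds

def check_tunnel(a, b):
    """Return findings against the rules in the post; an empty list means consistent."""
    findings = []
    for end in (a, b):
        if end.ike_lifetime <= end.ipsec_lifetime:
            findings.append(f"{end.name}: IKE lifetime is not longer than IPsec lifetime")
    if (a.ike_lifetime, a.ipsec_lifetime) != (b.ike_lifetime, b.ipsec_lifetime):
        findings.append("timers are not identical on both routers")
    # ip_network() is strict by default: a subnet written with host bits set raises ValueError
    a_local, a_remote = ipaddress.ip_network(a.local_net), ipaddress.ip_network(a.remote_net)
    b_local, b_remote = ipaddress.ip_network(b.local_net), ipaddress.ip_network(b.remote_net)
    if a_local.overlaps(b_local):
        findings.append(f"site subnets overlap: {a_local} and {b_local}")
    if a_local.netmask != b_local.netmask:
        findings.append(f"netmasks differ: {a_local.netmask} and {b_local.netmask}")
    if a_remote != b_local or b_remote != a_local:
        findings.append("each side's remote subnet must equal the other side's local subnet")
    return findings

# Constructed sample values: subnets from the post, IKE 24 h, IPsec 2 h.
MASK = "255.255.255.0"
SITE1 = TunnelEnd("site 1", f"192.168.1.0/{MASK}", f"192.168.2.0/{MASK}", 86400, 7200)
SITE2 = TunnelEnd("site 2", f"192.168.2.0/{MASK}", f"192.168.1.0/{MASK}", 86400, 7200)
# Constructed bad peer: same subnet as site 1, and IKE no longer than IPsec.
SITE2_BAD = TunnelEnd("site 2", f"192.168.1.0/{MASK}", f"192.168.1.0/{MASK}", 28800, 28800)

if __name__ == "__main__":
    for peer in (SITE2, SITE2_BAD):
        problems = check_tunnel(SITE1, peer)
        print("OK" if not problems else "\n".join(problems))
```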
Memnoch322
Senior Member with 880 posts.
Join Date: May 2005
Location: San Diego
Experience: Advanced
21-Jul-2006, 11:20 PM #5
Quote:
Originally Posted by O111111O

Also, not sure about the D-Link & its setup. But general IPSEC rules prohibit you from encapsulating any overlap. I.e. 192.168.1.0 can't encrypt to 192.168.1.0. IPSEC SA rules should be different subnets with IDENTICAL netmasks and no overlap.

Example:

Site 1: 192.168.1.0 255.255.255.0
Site 2: 192.168.2.0 255.255.255.0

Site 1 encrypts traffic from 192.168.1.0/24 to 192.168.2.0/24
Site 2 encrypts traffic from 192.168.2.0/24 to 192.168.1.0/24

DLINK is the same.
tauese (THREAD STARTER)
Junior Member with 5 posts.
Join Date: Jul 2006
Experience: Intermediate
27-Jul-2006, 05:04 PM #6
Thanks for the reply...

The subnets were always different with the same netmask and I set the IPSEC lifetime to 2 hours after reading your post and the IKE lifetime to about 3 days .. yet I still have the same problem ... though now it seems as if our router (on one side) needs to be physically rebooted almost every morning in order for the internet to work, let alone the VPN... as the router can't be pinged sometimes... also other times it seems as if the VPN is up but we cannot get internet traffic, then after a software boot of the router the VPN is dropped and the internet is back on...


I'm also having trouble now with our server .. it only seems to accept Terminal Service connections over our LAN and not over the VPN anymore even when it's working and all the addresses can ping each other.. I've reset the licenses but the error log on the server keeps returning that it can't issue a license to that machine.. not sure if it is related
O111111O
Senior Member with 894 posts.
Join Date: Aug 2005
Location: Right here.
Experience: 31337
28-Jul-2006, 12:45 AM #7
Sounds like state table timeout.

Is there any way to show the connection table in the firewall?
tauese (THREAD STARTER)
Junior Member with 5 posts.
Join Date: Jul 2006
Experience: Intermediate
28-Jul-2006, 02:58 PM #8
Thanks again for the reply... I had a look at our connection logs and found one PC was using up all the bandwidth on P2P so I blocked that IP from accessing the WAN.. which made things run smoother and the VPN seemed to stay stable... but the Terminal Server still wouldn't connect and when we deleted the licence key on the client's side it would show a black screen on their side then disconnect after a while..

I tried using RealVNC to access a machine on the other side of the VPN but upon connection I would just get a black screen as well... so I figured it wasn't the server...

I was looking over the router settings and checking other forums for similar issues when I saw a post mentioning MTUs and I remembered lowering the MTUs on our router a week ago to see if it improved throughput any 'cause our connection is only a 512K line... anyway I reset it to the default 1500 and voilà, the Terminal Service and the VNC worked fine....

I'll see how the VPN holds up over the next week but I have a feeling it'll be alright, I just have to put more restrictions on our network to keep my co-workers from bringing down the VPN...

Thanks for your help