Strange RRAS Demand-Dial VPN Issue

  • Strange RRAS Demand-Dial VPN Issue

    One of our clients has an RRAS VPN out to one of their clients. The status of the VPN shows as connected, yet no traffic will cross the tunnel. If I attempt to ping resources on the other end it doesn't work.

    If I manually cycle (disconnect/connect) the VPN it works.

    So, RRAS is reporting a false positive on the connection status. Anyone else seen this? If so, any suggestions on how to smack it into shape?

    thanks,
    Andrew
    Last edited by ahinson; 4th August 2009, 20:50.
    Andrew

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Strange RRAS Demand-Dial VPN Issue

    What OS/SP on the RRaS server, and on the client?

    Check the load on the RRaS server. We had this problem on a server which was under quite heavy load (I inherited this server from the previous admin who was happy to put Exchange on a DC at the edge, and install the company's financial app on there...). Adding a second CPU and doubling the memory seemed to fix the VPN issue (possibly by coincidence) and stopped the 5 second lag before the cursor would move.

    Also when you ping over the VPN connection, remember to try by hostname, hostname.domainname and IP address. And check the subnet at each end of the tunnel - can cause issues if they're the same.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

    • #3
      Re: Strange RRAS Demand-Dial VPN Issue

      Darn it, I thought I responded to this thread but my browser must have borked out on me.

      Anyhoo, check to see if there is an idle timeout feature on the firewalls between the two VPN endpoints. Most firewalls have an idle timeout setting that kills a TCP session that has had no data traversing it for some period of time. Since the VPN connection has no keepalive that I'm aware of (other than the underlying TCP keepalive) this might be the problem. Run netstat on both ends and see what state the connection is in. If netstat reports that the session is in an Established state on both ends then I would suspect something in the middle (firewall) is killing the connection. If either end shows the netstat output as anything other than Established then one of the endpoints is probably the problem. You can determine the TCP state of each endpoint by using netstat with some help here:

      http://support.microsoft.com/kb/137984
      Last edited by joeqwerty; 4th August 2009, 22:09.

      • #4
        Re: Strange RRAS Demand-Dial VPN Issue

        Originally posted by gforceindustries View Post
        What OS/SP on the RRaS server, and on the client?

        Check the load on the RRaS server. We had this problem on a server which was under quite heavy load (I inherited this server from the previous admin who was happy to put Exchange on a DC at the edge, and install the company's financial app on there...). Adding a second CPU and doubling the memory seemed to fix the VPN issue (possibly by coincidence) and stopped the 5 second lag before the cursor would move.

        Also when you ping over the VPN connection, remember to try by hostname, hostname.domainname and IP address. And check the subnet at each end of the tunnel - can cause issues if they're the same.
        I've only tried pinging the IP address. There's no need to attempt the other options since we aren't using hostnames or FQDNs, and they require IP resolution to work. Everything is using the static IP address.
        It's primarily a web server, hosting a low-volume (25-30 users) outreach application and a lightweight SQL DB; the VPN is used for TCP data transfer to an IP address hosting HL7 demographics, orders, and results interfaces. Load is definitely not an issue here.

        I'm unsure of the foreign system because I have no control over that system and have been working with their admin to resolve the issue. He claims that they have multiple VPN clients other than us which work fine.

        See system stats below:
        Originally posted by SystemInfo

        OS Name Microsoft(R) Windows(R) Server 2003, Standard Edition
        Version 5.2.3790 Service Pack 2 Build 3790
        Other OS Description R2
        OS Manufacturer Microsoft Corporation
        System Name SRV_0003
        System Manufacturer DELL
        System Model AWRDACPI
        System Type X86-based PC
        Processor x86 Family 15 Model 6 Stepping 4 GenuineIntel ~3416 Mhz
        Processor x86 Family 15 Model 6 Stepping 4 GenuineIntel ~3416 Mhz
        BIOS Version/Date Award Software International, Inc. F2, 8/4/2006
        SMBIOS Version 2.3
        Windows Directory C:\WINDOWS
        System Directory C:\WINDOWS\system32
        Boot Device \Device\HarddiskVolume1
        Locale United States
        Hardware Abstraction Layer Version = "5.2.3790.3959 (srv03_sp2_rtm.070216-1710)"
        User Name SRV_0003\Executor-Remote-Admin
        Time Zone Eastern Daylight Time
        Total Physical Memory 2,047.44 MB
        Available Physical Memory 1.43 GB
        Total Virtual Memory 3.85 GB
        Available Virtual Memory 3.38 GB
        Page File Space 2.00 GB
        Page File C:\pagefile.sys
        Last edited by ahinson; 5th August 2009, 03:30.
        Andrew

        • #5
          Re: Strange RRAS Demand-Dial VPN Issue

          Originally posted by joeqwerty View Post
          Darn it, I thought I responded to this thread but my browser must have borked out on me.

          Anyhoo, check to see if there is an idle timeout feature on the firewalls between the two VPN endpoints. Most firewalls have an idle timeout setting that kills a TCP session that has had no data traversing it for some period of time. Since the VPN connection has no keepalive that I'm aware of (other than the underlying TCP keepalive) this might be the problem. Run netstat on both ends and see what state the connection is in. If netstat reports that the session is in an Established state on both ends then I would suspect something in the middle (firewall) is killing the connection. If either end shows the netstat output as anything other than Established then one of the endpoints is probably the problem. You can determine the TCP state of each endpoint by using netstat with some help here:

          http://support.microsoft.com/kb/137984
          Netstat shows nothing. The issue here is that it's not connected yet the demand-dial router is reporting that it is, and therefore doesn't attempt to connect when a connection is initiated.

          Both firewalls have exceptions for the VPN otherwise it would fail to connect.
          The connection is sporadic, at times staying connected for days then randomly entering this state of reporting that it's connected yet isn't.
          Andrew

          • #6
            Re: Strange RRAS Demand-Dial VPN Issue

            Originally posted by ahinson View Post
            Both firewalls have exceptions for the VPN otherwise it would fail to connect.
            The connection is sporadic, at times staying connected for days then randomly entering this state of reporting that it's connected yet isn't.
            I was referring to the router's idle timeout setting, not the rule-set. Most if not all firewalls have an idle timeout function that kills idle sessions/connections after some period of time. The reason for this is that the firewall has to maintain each session/connection in its session state table, thus consuming entries and resources that could be used for new sessions/connections. Since the firewall has a limit to how many sessions/connections it can maintain (check your firewall documentation to determine what its limit is), it kills sessions/connections that have been idle for some predetermined period of time to free up those resources for new sessions/connections.

            I've seen this type of problem happen with HTTP and FTP sessions and thought that it might be causing the problem here. It doesn't sound like it, but I wouldn't rule it out completely. As a test, would you be willing to set up a scheduled batch file on one of the servers that pings the other server every 10 minutes or so? If you do and the problem goes away then I'd say there's an idle timeout occurring somewhere that's causing the problem. If not, you've lost nothing by trying.

            I know, long-winded but that's how I get sometimes.

            • #7
              Re: Strange RRAS Demand-Dial VPN Issue

              Originally posted by joeqwerty View Post
              I was referring to the router's idle timeout setting, not the rule-set. Most if not all firewalls have an idle timeout function that kills idle sessions/connections after some period of time. The reason for this is that the firewall has to maintain each session/connection in its session state table, thus consuming entries and resources that could be used for new sessions/connections. Since the firewall has a limit to how many sessions/connections it can maintain (check your firewall documentation to determine what its limit is), it kills sessions/connections that have been idle for some predetermined period of time to free up those resources for new sessions/connections.

              I've seen this type of problem happen with HTTP and FTP sessions and thought that it might be causing the problem here. It doesn't sound like it, but I wouldn't rule it out completely. As a test, would you be willing to set up a scheduled batch file on one of the servers that pings the other server every 10 minutes or so? If you do and the problem goes away then I'd say there's an idle timeout occurring somewhere that's causing the problem. If not, you've lost nothing by trying.

              I know, long-winded but that's how I get sometimes.
              The router they're using doesn't have an option for session timeout. (It's a Netgear SOHO router.)
              It's worth a try so I'll give that a shot.

              Edit... I ended up writing this script for keep-alive. It will also cycle the VPN if the ping fails. I've scheduled it to run every 10 min. We'll see if it helps.

              Code:
              Option Explicit
              'On Error Resume Next

              Const mstrRemote = "192.168.0.2"   ' host on the far side of the tunnel

              ' If the remote host answers a ping, the tunnel is genuinely up and we are done.
              ' If it does not, RRAS is most likely reporting "connected" for a dead tunnel, so cycle it.
              If VPNIsPingable Then
                WScript.Quit
              Else
                CycleVPN
                WScript.Quit
              End If

              ' Returns True when a single WMI ping (Win32_PingStatus) to mstrRemote succeeds.
              Private Function VPNIsPingable
                Dim objPing, objReturnStatus
                Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}").ExecQuery _
                    ("select * from Win32_PingStatus where address = '" & mstrRemote & "'")

                For Each objReturnStatus In objPing
                  If IsNull(objReturnStatus.StatusCode) Or objReturnStatus.StatusCode <> 0 Then
                    VPNIsPingable = False
                    'WScript.Echo "Status code is " & objReturnStatus.StatusCode
                  Else
                    VPNIsPingable = True
                    'WScript.Echo "Bytes = " & objReturnStatus.BufferSize & vbNewLine & _
                    '             "Time (ms) = " & objReturnStatus.ResponseTime & vbNewLine & _
                    '             "TTL (s) = " & objReturnStatus.ResponseTimeToLive
                  End If
                Next
              End Function

              ' Disconnects and reconnects the demand-dial interface named KOZ via netsh,
              ' running each command hidden (window style 0) and waiting for it to finish (True).
              Private Sub CycleVPN
                Dim objShell
                Set objShell = WScript.CreateObject("WScript.Shell")

                objShell.Run "netsh interface set interface name=KOZ connect=DISCONNECT", 0, True
                WScript.Sleep 2000 ' Sleep for 2 seconds
                objShell.Run "netsh interface set interface name=KOZ connect=CONNECT", 0, True

                Set objShell = Nothing
              End Sub
              Last edited by ahinson; 5th August 2009, 21:00.
              Andrew

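              A PowerShell variant of the keepalive-and-cycle approach from the posts above, added here as an example and not code from the thread. It probes several times before deciding the tunnel is dead (one lost ICMP reply would otherwise trigger a needless redial), writes the outcome to the Application event log so silent repeated failures can be spotted, and verifies that the redial actually restored reachability. The interface name KOZ and peer 192.168.0.2 come from the script above; the event source name, event IDs and retry counts are arbitrary choices.

              ```powershell
              # Added example, not the thread's own script. KOZ and 192.168.0.2 are taken from the
              # thread; the event source 'VpnKeepalive', event IDs and retry counts are assumptions.
              param(
                  [string]$Peer          = '192.168.0.2',
                  [string]$InterfaceName = 'KOZ',
                  [int]$Attempts         = 3,
                  [int]$SecondsBetween   = 5
              )

              $Source = 'VpnKeepalive'   # hypothetical event source; registered on first run (needs admin)
              if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
                  New-EventLog -LogName Application -Source $Source
              }

              function Test-Peer {
                  # Several spaced probes, so a single dropped ICMP reply does not trigger a reconnect.
                  for ($i = 1; $i -le $Attempts; $i++) {
                      if (Test-Connection -ComputerName $Peer -Count 1 -Quiet) { return $true }
                      Start-Sleep -Seconds $SecondsBetween
                  }
                  return $false
              }

              function Restart-DialInterface {
                  # Same netsh calls as the thread's VBScript: tear down and redial the demand-dial interface.
                  & netsh interface set interface name="$InterfaceName" connect=DISCONNECT | Out-Null
                  Start-Sleep -Seconds 2
                  & netsh interface set interface name="$InterfaceName" connect=CONNECT | Out-Null
              }

              if (Test-Peer) {
                  # Reachable: the probes themselves are the traffic that keeps an idle timeout from firing.
                  exit 0
              }

              # Unreachable although RRAS presumably still shows "connected": record it, then cycle.
              Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 1001 `
                  -Message "Peer $Peer unreachable over $InterfaceName after $Attempts probes; cycling interface."
              Restart-DialInterface

              # Confirm the redial worked; a cycle that did not help is the case worth alerting on.
              if (Test-Peer) {
                  Write-EventLog -LogName Application -Source $Source -EntryType Information -EventId 1002 `
                      -Message "Interface $InterfaceName reconnected; peer $Peer reachable."
                  exit 0
              }
              Write-EventLog -LogName Application -Source $Source -EntryType Error -EventId 1003 `
                  -Message "Interface $InterfaceName cycled but peer $Peer still unreachable."
              exit 1
              ```

              Scheduled every 10 minutes as the thread does with the VBScript, the Warning/Error events give a record of how often the false "connected" state actually occurs.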
              • #8
                Re: Strange RRAS Demand-Dial VPN Issue

                It's been 5 days and no problems yet. Either the script is doing its job or the VPN hasn't gone down. We'll see what happens over time but it's so far so good.
                Andrew

                • #9
                  Re: Strange RRAS Demand-Dial VPN Issue

                  Glad to hear it. I wonder what would happen if you stopped the script for a day?

                  • #10
                    Re: Strange RRAS Demand-Dial VPN Issue

                    Everything is working great so the script is a winner.
                    Andrew

                    • #11
                      Re: Strange RRAS Demand-Dial VPN Issue

                      Fantastic.
