RE: VPN timeouts



Hello,

Thank you for your post.
My name is Gary Wang, and it is my pleasure to work with you on this issue!
Please allow me to confirm that my understanding is correct. As I
understand it, the issue is:

Your remote clients' VPN connections will time out while trying to connect
to SBS if the SBS network load is high.

If I have misunderstood your concerns please feel free to let me know.

Suggestion :
==============
Based on my experience, this problem is most likely due to the delay
between the remote client and the SBS server, which is caused by a lack of
network bandwidth. Increasing the timeout may help, but it is not guaranteed
to resolve the issue. Based on my experience, I would suggest that you
increase your network bandwidth and do some network traffic shaping to make
sure there is enough bandwidth available for remote clients.

We recommend that clients access the VPN server through the SBS connection
manager. Please connect to \\SBSserver\ClientApps on the client, then install
sbspackage.exe. After the installation has finished, a shortcut to the SBS
connection manager will be created on the client's desktop. We can modify
the time-out there with the following steps:

1. Open connection manager.
2. Click Properties.
3. Navigate to Option, adjust the "idle time before disconnecting" to a
proper value.

Also, you can extend TcpMaxConnectRetransmissions to increase the timeout
for the VPN connection. Please follow the steps below to extend it on the
client:

1. Click Start\Run, then type: regedit, press Enter.
2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
3. Right-click in the right pane, choose New, then DWORD Value.
4. Test and modify the value to a proper value (by default it is 2).

Here is more information about the registry key:

TCP, acting as the transport for the application, sends a SYN segment to
the destination host specifying the initial sequence number in an attempt
to initialize the connection. If the destination host is unavailable or
expired, TCP will retransmit this original SYN packet the number of times
specified in the TcpMaxConnectRetransmissions registry parameter (the
default is three times). The retransmission time-out is doubled with each
successive retransmission in a given connection attempt. The initial
time-out value is three seconds.

After retransmitting the number of times specified in the registry key
mentioned above, the transport will notify the application of a time-out
error.

For example, if the TcpMaxConnectRetransmissions registry parameter is set
to 1, you should see the following correct behavior when the destination
host is down:

1. Client sends the first SYN segment
2. Three seconds later, the SYN packet is retransmitted
3. Six seconds later, TCP reports a timeout error to the application.

This time, the total time-out is approximately nine seconds, which is the
correct behavior with the default configuration settings. For additional
information, see the following article or articles in the Microsoft
Knowledge Base:

172983 (http://support.microsoft.com/kb/172983/EN-US/) Explanation of the
Three-Way Handshake via TCP/IP
120642 (http://support.microsoft.com/kb/120642/EN-US/) TCP/IP and NBT
Configuration Parameters for Windows 2000 or Windows NT

Another suggestion is to upgrade your external NIC's driver to the newest
version. If possible, change to another NIC as a test.

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

Information Needed
==============
1. If you are using RRAS, please gather the log under c:\program
files\Microsoft Windows Small Business Server\Support\rraslog.txt.
2. If you are using ISA, please help to gather the ISA logs as below:

1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files
may not be able to be deleted; that's normal.) You may back them up first
and then delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files and send them to me for analysis.
14) Please also let me know the IP address of the testing clients so that I
can filter the data.

3. In the connection manager's properties, check the "Enable Logging" check
box. When the connection times out, click "View Log" and save the log to
vpnclientlog.txt.

Please zip the logs and send them to me at v-gzwang@xxxxxxxxxxxxx

I look forward to your reply. Also, if you have any questions or concerns,
please do not hesitate to let me know. I am happy to help. :-)

Thank you for your time and cooperation!

Best regards,

Gary Wang(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: VPN timeouts
| thread-index: Aci6TAMxysacw1gURRWpQwTTsCfNUQ==
| X-WBNR-Posting-Host: 207.46.192.207
| From: =?Utf-8?B?U2NvdHQ=?= <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: VPN timeouts
| Date: Tue, 20 May 2008 00:35:01 -0700
| Lines: 7
| Message-ID: <635123BC-57EB-4EBA-86DF-8658A4A12233@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2992
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:108462
| NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hi all.
| Does anyone know how to extend the time out period that SBS2003r2 waits for
| authentication of a VPN connection?
| VPN works fine when the Internet is quiet (after hours). Once the staff
| arrive on site & begin sending mail etc the remote users have connection
| issues. The timeout seems to be about 1 minute but I cannot see how to alter
| this.
|
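
The SYN retransmission timing described in the reply above, worked through for several values of TcpMaxConnectRetransmissions. This is an added example, not part of the original post: the function names are hypothetical, the 60-second budget is a constructed sample, and the model uses only the 3-second initial time-out and the doubling rule quoted in the reply.

```python
"""Model of the TCP connect time-out governed by TcpMaxConnectRetransmissions."""

INITIAL_RTO_SECONDS = 3  # initial time-out value stated in the reply


def syn_schedule(max_retransmissions, initial_rto=INITIAL_RTO_SECONDS):
    """Return (send_times, total_timeout) for one connection attempt.

    send_times[0] is the original SYN at t=0 and each later entry is a
    retransmission. The time-out doubles after every retransmission, and the
    error reaches the application when the last time-out expires.
    """
    if max_retransmissions < 0:
        raise ValueError("max_retransmissions must be >= 0")
    send_times = [0]
    now = 0
    rto = initial_rto
    for _ in range(max_retransmissions):
        now += rto              # wait out the current time-out
        send_times.append(now)  # then retransmit the SYN
        rto *= 2                # and double the time-out for the next wait
    return send_times, now + rto


def smallest_value_for(budget_seconds, limit=10):
    """Smallest registry value whose total time-out is at least budget_seconds."""
    for value in range(limit + 1):
        if syn_schedule(value)[1] >= budget_seconds:
            return value
    raise ValueError("no value up to %d reaches %ds" % (limit, budget_seconds))


if __name__ == "__main__":
    print("value  SYN sent at (s)        error reported after (s)")
    for value in range(5):
        sends, total = syn_schedule(value)
        print("%5d  %-22s %d" % (value, sends, total))
    # Constructed sample budget: a connect attempt that should survive 60 s.
    print("smallest value covering 60 s:", smallest_value_for(60))
```

Because the time-out doubles, each increment of the value roughly doubles how long a client waits on an unreachable server before the application sees the error, so raise it in single steps and test.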
