RE: VPN timeouts
- From: Scott <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 22 May 2008 20:21:05 -0700
Thank you, Gary,
I use the VPN client that comes with XP & the only option available is an
"idle time before hanging up".
I do not use ISA & was wondering if there is a configurable option on the
server side that we could look at.
Scott
"Guozhen Wang[MSFT]" wrote:
Hello,
Thank you for your post.
My name is Gary Wang, and it is my pleasure to work with you on this issue!
Please allow me to confirm that my understanding is correct. As I
understand it, the issue is:
Your remote clients' VPN connections will time out while trying to connect
to SBS if the SBS network load is high.
If I have misunderstood your concerns please feel free to let me know.
Suggestion:
==============
Based on my experience, this problem is most likely due to the delay
between the remote client and the SBS server, which is caused by a lack of
network bandwidth. Increasing the timeout may help, but it is not guaranteed
to resolve the issue. Based on my experience, I would suggest that you
increase your network bandwidth and do some network traffic shaping
work to make sure there is enough bandwidth available for remote clients.
We recommend that clients access the VPN server through SBS connection manager.
Please connect to \\SBSserver\ClientApps on the client, then install
sbspackage.exe. After the installation has finished, a shortcut to
SBS connection manager will be created on the client's desktop. We can modify
the time-out there with the following steps:
1. Open connection manager.
2. Click Properties.
3. Navigate to Option, adjust the "idle time before disconnecting" to
proper value.
Also, you can extend TcpMaxConnectRetransmissions to increase the timeout
for the VPN connection. Please follow the steps below to extend it on the client:
1. Click Start\Run, then type: regedit, press Enter.
2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
3. Right click on the right space, choose New then DWORD Value.
4. Test and modify the value to a proper value (by default it is 2)
Here is more information about the registry key:
TCP, acting as the transport for the application, sends a SYN segment to
the destination host specifying the initial sequence number in an attempt
to initialize the connection. If the destination host is unavailable or
expired, TCP will retransmit this original SYN packet the number of times
specified in the TcpMaxConnectRetransmissions registry parameter (the
default is three times). The retransmission time-out is doubled with each
successive retransmission in a given connection attempt. The initial
time-out value is three seconds.
After retransmitting the number of times specified in the registry key
mentioned above, the transport will notify the application of a time-out
error.
For example, if the TcpMaxConnectRetransmissions registry parameter is set
to 1, you should see the following correct behavior when the destination
host is down:
1. Client sends the first SYN segment
2. Three seconds later, the SYN packet is retransmitted
3. Six seconds later, TCP reports a timeout error to the application.
This time, the total time-out is approximately nine seconds, which is the
correct behavior with the default configuration settings. For additional
information, see the following article or articles in the Microsoft
Knowledge Base:
172983 (http://support.microsoft.com/kb/172983/EN-US/) Explanation of the
Three-Way Handshake via TCP/IP
120642 (http://support.microsoft.com/kb/120642/EN-US/) TCP/IP and NBT
Configuration Parameters for Windows 2000 or Windows NT
Another suggestion is to upgrade your external NIC's driver to the newest
version. If possible, change to another NIC as a test.
If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:
Information Needed
==============
1. If you are using RRAS, please gather the log under c:\program
files\Microsoft Windows Small Business Server\Support\rraslog.txt.
2. If you are using ISA, please help to gather the ISA logs as below:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to be deleted, that's normal.) You may back them up first and then
delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.
14) Please also let me know the IP address of the testing clients so that I
can filter the data.
3. In the connection manager's properties, check the "Enable Logging"
check box; when the connection times out, click "View Log" and save the log to
vpnclientlog.txt.
Please zip the logs and send them to me at v-gzwang@xxxxxxxxxxxxx
I look forward to your reply. Also, if you have any questions or concerns,
please do not hesitate to let me know. I am happy to help. :-)
Thank you for your time and cooperation!
Best regards,
Gary Wang(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| Thread-Topic: VPN timeouts
| From: =?Utf-8?B?U2NvdHQ=?= <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: VPN timeouts
| Date: Tue, 20 May 2008 00:35:01 -0700
|
| Hi all.
| Does anyone know how to extend the time out period that SBS2003r2 waits for
| authentication of a VPN connection?
| VPN works fine when the Internet is quiet (after hours). Once the staff
| arrive on site & begin sending mail etc the remote users have connection
| issues. The timeout seems to be about 1 minute but I cannot see how to alter
| this.
|
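The SYN retransmission behaviour described in the quoted reply (initial time-out of three seconds, doubled on each retransmission), worked through for any TcpMaxConnectRetransmissions setting. This is an added example, not part of the thread; the function names and the search limit of 10 are assumptions made for illustration.

```python
"""Model of the SYN retransmission schedule described in the quoted reply."""

INITIAL_RTO_S = 3  # initial time-out in seconds, as stated in the thread


def syn_schedule(max_retx, initial_rto=INITIAL_RTO_S):
    """Return (send_times, give_up_time), in seconds since the first SYN.

    The first SYN is sent at t=0. Each retransmission waits the current
    time-out, which then doubles. After the last retransmission TCP waits
    one more (doubled) time-out before reporting the error to the application.
    """
    if max_retx < 0:
        raise ValueError("retransmission count cannot be negative")
    t, rto, sends = 0, initial_rto, [0]
    for _ in range(max_retx):
        t += rto          # wait out the current time-out
        sends.append(t)   # retransmit the SYN
        rto *= 2          # time-out doubles for the next wait
    return sends, t + rto


def min_retx_for(target_s, initial_rto=INITIAL_RTO_S, limit=10):
    """Smallest setting whose give-up time is at least target_s seconds.

    `limit` is an arbitrary search bound chosen for this example.
    """
    for n in range(limit + 1):
        if syn_schedule(n, initial_rto)[1] >= target_s:
            return n
    return None


if __name__ == "__main__":
    for n in range(1, 5):
        sends, give_up = syn_schedule(n)
        print(f"TcpMaxConnectRetransmissions={n}: SYN at {sends}s, "
              f"error reported at {give_up}s")
    print("setting needed to wait at least 60s:", min_retx_for(60))
```

Each increment roughly doubles how long a connection attempt to an unreachable host blocks before failing, so the value is best raised one step at a time and tested.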