[vpn-help] Random Disconnects

Kevin VPN kvpn at live.com
Sat Jan 14 20:30:35 CST 2012


On 01/10/2012 07:47 AM, Mark A. DeMichele wrote:
> I came across your web page that explains how to make a report, so here
> it is.
>
> Problem:
>
> VPN normally works, but during the night (and sometimes during the day),
> I lose my connection for no apparent reason.
>
> I ran overnight with the debug log on.  Sometime after 6:00am I lost the
> connection.  Is there something in the log that can help?
>
> VPN Client Version = 2.1.7
> Windows OS Version = Windows 7 Home Premium SP 1 - 64bit
>
> Gateway Make/Model = Netscreen 10
> Gateway OS Version = 3.0.1r7.0
>
>
> From: Mark A. DeMichele
> Sent: Monday, January 09, 2012 10:17 PM
> To: 'vpn-help at lists.shrew.net'
> Subject: Random Disconnects
>
> I'm using the latest ShrewSoft with Windows 7 64bit.  I'm connecting to
> a Netscreen 10.  Everything works except I get random disconnects.  I
> also noticed on one of my boxes, if I use Windows Explorer to upload a
> large file to my server I'm connected to, the VPN hangs.  I then need to
> restart all the services and re-connect.  What's odd is that I have two
> Windows 7 64bit machines and one works fine for uploading.  However,
> both will disconnect randomly, especially if my machine is dormant.
>

Hi Mark,

I think part of your problems may be a phase1 lifetime mismatch between 
the gateway (Netscreen) and client (Shrew).

You can see in the log snippets below that the phase2 security 
association (sa) renegotiates every 48 minutes, so the next phase2 
renegotiation should have initiated at 06:31.  However, the gateway 
appears to have sent a disconnect (DELETE) message before that. 
According to the log, the phase2 still had time to go (15m or so) and 
the phase1 still had a long while (16h) to go.

The DELETE message came almost 8 hours exactly after the phase1 session 
was established.  I'd check on the gateway to see if perhaps the phase1 
lifetime is set to 28800 seconds on that side (instead of the 86400 that 
Shrew thinks).  If the gateway and Shrew do not agree on lifetimes, the 
VPN can still be established, but the phase1 will not be renegotiated 
properly, leading to sudden disconnects when the gateway's phase1 timer 
expires.

I'm not sure about your uploading problems; let's see if they persist 
after we fix the disconnects issue.

Log snippets:
12/01/09 22:27:13 DB : new phase1 ( ISAKMP initiator )
12/01/09 22:27:15 ii : matched isakmp proposal #1 transform #1
12/01/09 22:27:15 ii : - life seconds = 86400
12/01/09 22:27:34 DB : new phase2 ( IPSEC initiator )
12/01/09 22:27:35 ii : matched ipsec-esp proposal #1 transform #1
12/01/09 22:27:35 ii : - life seconds = 3600
12/01/09 22:27:35 ii : phase2 sa established
12/01/09 23:15:35 ii : phase2 sa will expire in 721 seconds
12/01/09 23:15:37 ii : phase2 sa established
12/01/10 00:03:37 ii : phase2 sa will expire in 721 seconds
12/01/10 00:04:06 ii : phase2 sa established
12/01/10 00:52:06 ii : phase2 sa will expire in 721 seconds
12/01/10 00:52:58 ii : phase2 sa established
12/01/10 01:40:58 ii : phase2 sa will expire in 721 seconds
12/01/10 01:41:28 ii : phase2 sa established
12/01/10 02:29:28 ii : phase2 sa will expire in 721 seconds
12/01/10 02:30:24 ii : phase2 sa established
12/01/10 03:18:24 ii : phase2 sa will expire in 721 seconds
12/01/10 03:19:22 ii : phase2 sa established
12/01/10 04:07:22 ii : phase2 sa will expire in 721 seconds
12/01/10 04:07:53 ii : phase2 sa established
12/01/10 04:55:53 ii : phase2 sa will expire in 721 seconds
12/01/10 04:55:54 ii : phase2 sa established
12/01/10 05:43:54 ii : phase2 sa will expire in 721 seconds
12/01/10 05:44:24 ii : phase2 sa established
12/01/10 06:27:45 ii : received peer DELETE message
12/01/10 06:27:45 ii : - xxx.xxx.78.2:500 -> 192.168.2.19:500
12/01/10 06:27:45 ii : - isakmp spi = 9847316d1acea25c:124ab0a9a93773f2
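The timing check described in the reply above, as an added example that is not part of the original message or of the Shrew Soft project: it compares the time between "new phase1" and the peer DELETE against the negotiated phase1 lifetime. The function name, the 120-second tolerance and the yy/mm/dd reading of the timestamps are assumptions.

```python
import re
from datetime import datetime

# Lines taken from the log snippets in the message above (rekey lines trimmed).
SAMPLE_LOG = """\
12/01/09 22:27:13 DB : new phase1 ( ISAKMP initiator )
12/01/09 22:27:15 ii : matched isakmp proposal #1 transform #1
12/01/09 22:27:15 ii : - life seconds = 86400
12/01/09 22:27:34 DB : new phase2 ( IPSEC initiator )
12/01/09 22:27:35 ii : matched ipsec-esp proposal #1 transform #1
12/01/09 22:27:35 ii : - life seconds = 3600
12/01/09 22:27:35 ii : phase2 sa established
12/01/10 05:44:24 ii : phase2 sa established
12/01/10 06:27:45 ii : received peer DELETE message
"""

LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \S+ : (.*)$")
# Lifetimes that appear in the message; used only to guess the gateway's setting.
KNOWN_LIFETIMES = (3600, 28800, 86400)

def find_early_deletes(log_text, tolerance=120):
    """Return one finding per peer DELETE that arrives before the negotiated
    phase1 lifetime has elapsed (tolerance in seconds)."""
    p1_start = p1_life = None
    pending = None  # which SA the next "life seconds" line belongs to
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("new phase1"):
            p1_start, p1_life = ts, None
        elif msg.startswith("matched isakmp proposal"):
            pending = "phase1"
        elif msg.startswith("matched ipsec-esp proposal"):
            pending = "phase2"
        elif msg.startswith("- life seconds ="):
            if pending == "phase1":
                p1_life = int(msg.split("=")[1])
            pending = None
        elif msg.startswith("received peer DELETE") and p1_start and p1_life:
            elapsed = int((ts - p1_start).total_seconds())
            if elapsed < p1_life - tolerance:
                guess = next((v for v in KNOWN_LIFETIMES
                              if abs(elapsed - v) <= tolerance), None)
                findings.append({"elapsed": elapsed, "negotiated": p1_life,
                                 "gateway_guess": guess})
    return findings
```

A finding with `gateway_guess` set means the DELETE landed close to one of the listed lifetimes, which is the value to compare against the gateway's phase1 configuration.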



