[Vpn-help] Random connection loss but Shrew stays connected.

Matthew Grooms mgrooms at shrew.net
Sat Dec 12 13:27:05 CST 2009


a wrote:
> I also face exactly the same issue. Does anybody else face this issue, or has anyone got it resolved? Please let me know.
> 
> ps: I have Windows 7 Home Premium 64-bit and I have Shrew 2.1.5 installed on my machine. I never had this issue when I was running the Cisco client on Vista 32-bit.
> 
> From: Phill Devey 
> Sent: Tuesday, December 08, 2009 8:33 AM
> To: vpn-help at lists.shrew.net
> Subject: [Vpn-help] Random connection loss but Shrew stays connected.
> 
> Hi Group.
> 
> I have successfully been able to connect the Shrew client to both a Netgear FVS318v3 and an FVS336G using Windows 7 Home Premium 64-bit.  I have since dropped the FVS318 because it could not hold more than 8 VPN connections, so we upgraded to the FVS336G.
> 
> I have a weird problem though.  I appear to be randomly dropping the connection as follows:
> 
> When the VPN client is connected, remote desktop is used to connect to a work desktop.
> 
> After connecting, remote desktop will either disconnect within approximately:
> 
> 3 - 5 minutes,
> 45 minutes
> not drop at all.
> 
> The remote desktop session disconnects but Shrew still states it IS connected.  When I try to ping any network device (including the router I am connected to), I get no response (ping is turned on).
> 
> I am lost.  I have never seen a problem as random as this.  I have tried changing all kinds of settings on both the VPN router and the Shrew client.  Nothing seems to give me a reliable connection.  The router does also have 8 gateway-to-gateway IPsec VPNs that are constantly active; however, the router should be able to host 25 simultaneous IPsec VPN connections.
> 
> Anyone got any ideas?
> 
> I also see there is a new version available and I will install and test but has anyone else had/solved this problem. 
> 

A drop before the SA expires is usually due to a DPD timeout. DPD is an 
option for gateways that use IKE to detect when a peer device is no 
longer available. DPD messages are sent periodically to the peer with a 
sequence number. The peer is expected to respond with the same sequence. 
If several subsequent DPD messages get sent but are unanswered, the 
client will terminate the connection. You should see this using the VPN 
Trace application with the log output set to debug level. Alternatively, 
you can try to disable DPD in the site configuration but that may cause 
other problems if a connection actually does die ( because it won't be 
detected ). However, doing this temporarily could rule out DPD as a 
potential issue if the connection appears more stable.

If your phase2 lifetime is set to 60 minutes and the connection dies in 
45 mins, I wouldn't be surprised if this is related to an issue with 
IPsec SA re-negotiation. The client will attempt to create a replacement 
SA when a current SA reaches 80% of its lifetime ( 48 mins for a 60 min 
SA ). One way to test this is to set the lifetime to 600 secs instead of 
3600 secs on both ends. If the connection dies consistently after 8 mins 
( 80% of 10 mins ), then you know it's a re-negotiation problem.

Hope this helps,

-Matthew
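As an added illustration (not Shrew Soft client code and not part of Matthew's message), the following Python model shows the two mechanisms he describes: the DPD sequence-number exchange that declares a peer dead after a run of unanswered probes, and the re-key point at 80% of the IPsec SA lifetime. The retry budget of five probes and the probe schedule are assumed values.

```python
"""Model of IKE Dead Peer Detection and the 80% SA re-key point.
Hypothetical illustration; the retry budget is an assumed parameter."""

REKEY_FRACTION = 0.80  # client attempts a replacement SA at 80% of lifetime


def rekey_time(lifetime_secs: int) -> int:
    """Seconds after SA creation at which re-negotiation is attempted."""
    return int(lifetime_secs * REKEY_FRACTION)


class DpdMonitor:
    """Tracks DPD probes sent to a peer and the acknowledgements received."""

    def __init__(self, max_unanswered: int = 5):
        self.max_unanswered = max_unanswered  # assumed, not a Shrew default
        self.next_seq = 1
        self.pending = set()  # sequence numbers still awaiting a reply
        self.alive = True

    def send_probe(self) -> int:
        seq = self.next_seq
        self.next_seq += 1
        self.pending.add(seq)
        return seq

    def receive_ack(self, seq: int) -> bool:
        # The peer must echo the exact sequence number; anything else is ignored.
        if seq not in self.pending:
            return False
        self.pending.clear()  # a valid reply proves the peer is alive: reset
        return True

    def check(self) -> bool:
        """Call once per DPD interval; False means the tunnel is torn down."""
        if len(self.pending) >= self.max_unanswered:
            self.alive = False
        return self.alive


def simulate(answered: set, intervals: int = 10, max_unanswered: int = 5):
    """Run DPD for a number of intervals; `answered` lists which probe
    numbers the peer replies to. Returns (still_alive, last_probe_seq)."""
    mon = DpdMonitor(max_unanswered)
    seq = 0
    for _ in range(intervals):
        seq = mon.send_probe()
        if seq in answered:
            mon.receive_ack(seq)
        if not mon.check():
            return False, seq
    return True, seq
```

With a 3600-second lifetime the re-key point lands at 2880 seconds (48 minutes), matching the timing Matthew points out; a peer that stops answering after its third reply is declared dead once the retry budget is used up.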


