[vpn-help] Shrew-disconnect not reported
Kevin VPN
kvpn at live.com
Tue Dec 3 18:58:38 CST 2013
On 10/29/2013 05:27 AM, Richter, Dominic wrote:
> Hi everybody,
>
> we got a problem with shrew in our company: our field staff is
> connected to our servers with shrew, no problems so far. But when the
> connection is lost, e.g. through a bad connection, shrew still shows
> the tunnel as connected while our staff can't reach the server.
> Furthermore, if the connection is lost about 2 minutes shrew is
> unable to reconnect the tunnel, but still seems to be connected
> (tested with ping server -t). Is there a solution that shrew reports
> to our field staff immediatly when their connection is lost?
>
Hi Dominic,
Shrew does have a mechanism where it checks that the VPN gateway is
still responding (Dead Peer Detection, DPD), but it does not have a
mechanism to check if resources on the remote network are still accessible.
Even Shrew's gateway check can have a delay, since it initially waits 15
seconds for a response from the gateway. If there's no response, it
tries again (I think twice), then uses a decreasing counter (5s, 4, ..
1), leading to approximately 1 minute before it determines that the
gateway is not responding and tears down the tunnel.
The reconnect problem may be related to the far end gateway thinking
that the tunnel is still up and rejecting the new connect attempt until
it has itself torn down its end of the tunnel.
More information about the vpn-help
mailing list