1

My customer is using a NETGEAR FVS338 for internet access and s2s-connectivity for his two locations, which works flawlessly.

He (and a couple of his employees) also use the ShrewSoft VPN software client to connect to the office while on the road.

The roadwarriors (and my customer in his home office) use the VPN client to connect to his company network and use an RDP session to a terminal server in the office to work with our applications.

Today he reported the following problem:

  • Client-A (roadwarrior) establishes a VPN connection and RDP session to the server.
  • Connection is stable and works without issues
  • If Client-B (customer in homeoffice) connects to the VPN, the RDP session to CLIENT-A drops.

While I was having a look at the connected RDP users (roadwarrior is connected), my customer established a VPN connection. I could observe that the RDP session does not drop immediately but after a couple of minutes, while the roadwarrior told us he lost the connection immediately after my customer's connection was established.

Therefore I believe that it isn't really the RDP session that is dropping, but it is the VPN dying and the RDP session is timing out.

To mitigate this problem I made sure that both users are using discrete VPN policies with different Remote-ID values as seen by the router (resp. different Local-IDs when viewed from the VPN client).

The clients share the following settings (they actually don't share those because as I said before these are different policies, but have the same settings configured):

IKE Policy

  • Remote Endpoint - both connect to the same router
  • Remote ID for the router (which is the router's IP address)
  • Exchange Mode (Aggressive)
  • Encryption and Authentication Algorithm
  • DH-Group for Phase 1
  • SA-Lifetime

VPN Policy

  • The remote Subnet (as seen by the client which is the company network they are connecting to)
  • Local Traffic Selection (which is set to "Any" on the router so should allow anything the client sends)
  • Policy Type (Automatic Policy Generation)
  • Encryption and Integrity algorithm
  • PFS group
  • SA Lifetime

The only thing that I can think of being a problem is the Local Traffic Selection, so that somehow the Netgear router cannot differentiate between both clients and drops one of the connections (or lets it time out).

Is this realistic? If so, could this be mitigated by setting two discrete IP addresses in the traffic selection of the router and configuring the virtual adapter on the client accordingly?

Are there any other hints you could give me to troubleshoot this?

pacey
  • Some companies might limit the number of concurrent VPN connections you can have. So you might want to make sure you should be able to use multiple connections in the first place. (I only did read somewhere about a premium package for some router which enabled more concurrent VPN connections) – Dennis Nolte Jul 11 '16 at 08:52
  • Are both clients logging in with the same credentials? Sometimes this will drop everyone else when you log in. – Peter Jul 11 '16 at 11:43
  • Thanks for your recommendations @Peter and Dennis. I already made sure both clients use different credentials and aren't even connecting from the same network - so I think this can be ruled out. There is also no upgrade/premium package available for this router and we are well within the limits of the supported VPN connections. I guess I'll try to reproduce this issue in a simple LAN setup and see if I can get two simultaneous connections up. – pacey Jul 11 '16 at 13:29
  • Just to clarify: When Client-B (homeoffice) connects to VPN, does Client-A (roadwarrior) immediately get disconnected? Or does the VPN connection persist and only the RDP session tanks? Or does starting the second RDP session coincide with the disconnect? Is there a "Client-C" and do the same issues occur? Is this a new issue or only recently reported? Have you tried the Netgear VPN Client (I think a 30 day trial is free) and does that have the same results? Can you provide a screen shot of your Mode Config Record and IKE Policy? (obviously, please obscure sensitive fields) – sippybear Jul 12 '16 at 22:49
  • Are your VPN tunnels using XAuth for user authentication? – shodanshok Jul 15 '16 at 21:25

3 Answers

1

The other connection is dropping because I think you are using the same IP in both the VPN clients, so when both the VPN clients are connecting they are assigned the same IP address. This is like having two PCs with the same IP address in a LAN.

To resolve this, change the IP in the VPN client for each client.


Stuggi
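
The check this answer implies, written out as an added example that is not part of the original answer and not taken from the FVS338 or Shrew Soft configuration: it compares the client-side address or traffic selector of each gateway policy and reports pairs the gateway could not tell apart. The policy names, remote IDs and addresses are constructed, and "any" models an unrestricted traffic selector.

```python
import ipaddress
from itertools import combinations

# Constructed inventory of gateway-side client policies (assumed layout,
# not exported from the router in the question). "client_selector" is the
# address or range the gateway associates with the remote client.
POLICIES = [
    {"name": "roadwarrior", "remote_id": "client-a.example", "client_selector": "192.168.50.10"},
    {"name": "homeoffice", "remote_id": "client-b.example", "client_selector": "192.168.50.10"},
    {"name": "laptop-c", "remote_id": "client-c.example", "client_selector": "192.168.50.12/32"},
]


def to_network(selector):
    """Turn 'any', a single address or a CIDR range into an ip_network."""
    if selector.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(selector, strict=False)


def find_conflicts(policies):
    """Return (policy_a, policy_b, reason) for every ambiguous pair."""
    conflicts = []
    for a, b in combinations(policies, 2):
        # Two policies with one identity cannot be matched to distinct peers.
        if a["remote_id"] == b["remote_id"]:
            conflicts.append((a["name"], b["name"], "same remote ID"))
        # Overlapping selectors mean return traffic matches more than one tunnel.
        net_a = to_network(a["client_selector"])
        net_b = to_network(b["client_selector"])
        if net_a.overlaps(net_b):
            conflicts.append((a["name"], b["name"], f"selectors overlap: {net_a} / {net_b}"))
    return conflicts


if __name__ == "__main__":
    for a, b, reason in find_conflicts(POLICIES):
        print(f"{a} <-> {b}: {reason}")
```

Giving each client its own address, as the answer suggests, makes the list of conflicts empty.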
0

Swap the local and remote subnets round in the VPN policy, if you are defining them on the FVS338. I'd also double check the Mode Config screen to confirm that there are plenty of remote IPs available.

0

Shrew is an IPSec VPN client, which may be limited by the existence of NAT between client(s) and server. If the same NAT is traversed by both clients, that could be a good reason for the first session to stop working.

alexlev2004