# VPN keeps dropping



## tauese (Jul 12, 2006)

I have two identical D-link VPN routers at two different locations using the same ISP... 
I set up a VPN tunnel between the two sites... but every now and then we lose connection over the VPN and have to reboot one of the routers to get it going again... at first I thought it was the IPSEC and IKE LIFE TIME setting but I've tried both extending it and setting it to zero which seemed to make it worse... attached are pictures of the VPN settings (minus our Global IP address of course)... hopefully someone can help.. we have one SonicWall router which isn't being used right now and we're contemplating getting another and making it a SonicWall VPN instead of a D-Link one.. but I'd rather just save the 2 grand and fix the problem with what we've got now...


----------



## tauese (Jul 12, 2006)

No takers yet, that's aight, this has stumped me for a while... anyways I updated the firmware on both sides of the VPN thinking that the auto-reconnect feature in the 1.43 version would save me from having to reboot the routers but sure enough this morning I had to do just that... I actually had to physically reboot one of them as I couldn't even ping it from my computer.... then, to get the VPN going we had to reboot the other site's router but it worked through the router's GUI...


----------



## tauese (Jul 12, 2006)

OK.. it's still giving me hassles and I'm running out of options... I'm thinking that it's a problem with my ISP but they of course don't... either that, or D-Link makes the worst VPN routers in the world.... one thing though is upgrading the firmware has seemed to reduce the down time a little as it seems to have stayed up over the long weekend (local holiday yesterday), but this morning as people actually tried to use it, it disconnected several times... could it be some malware on one of the client machines ???


----------



## O111111O (Aug 27, 2005)

Make the IKE timeout longer than IPSEC. Keep IPSEC timeout short. The IPSEC SA on one side may be expiring because of no interesting traffic. Keep IPSEC timeout short to make it renegotiate sooner.

The IKE timer is quite often 24 hours or more, but many times I keep the IPSEC timer short - around 2 hours if possible. Timers should be identical on both routers.

-------------

Also, not sure about the D-Link & its setup. But general IPSEC rules prohibit you from encapsulating any overlap. I.E. - 192.168.1.0 can't encrypt to 192.168.1.0. IPSEC SA rules should be different subnets with IDENTICAL netmasks and no overlap.

Example:

Site 1: 192.168.1.0 255.255.255.0
Site 2: 192.168.2.0 255.255.255.0

Site 1 encrypts traffic from 192.168.1.0 /24 to 192.168.2.0 /24
Site 2 encrypts traffic from 192.168.2.0 /24 to 192.168.1.0 /24
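The rules in the post above (IKE lifetime longer than the IPsec SA lifetime, identical timers on both routers, distinct non-overlapping subnets with identical netmasks, and mirrored traffic selectors) can be checked mechanically before the tunnel is brought up. The following is an added example written for this thread; it is not D-Link code or anything from the original posts, and the `SiteConfig` fields and the sample site values are constructed here (the addresses follow the example in the post).

```python
"""Lint a pair of site-to-site IPsec tunnel configurations.

Added example, not from the forum thread or from any router firmware.
The SiteConfig fields are an assumed representation of the settings a
site-to-site VPN page exposes; the sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteConfig:
    name: str
    local_subnet: str        # subnet this site encrypts from, e.g. "192.168.1.0/24"
    remote_subnet: str       # subnet this site encrypts to
    ike_lifetime_s: int      # phase 1 (IKE SA) lifetime in seconds
    ipsec_lifetime_s: int    # phase 2 (IPsec SA) lifetime in seconds


def check_site(cfg: SiteConfig) -> list:
    """Rules that apply to one endpoint on its own."""
    problems = []
    local = ipaddress.ip_network(cfg.local_subnet, strict=True)
    remote = ipaddress.ip_network(cfg.remote_subnet, strict=True)
    if cfg.ipsec_lifetime_s <= 0:
        problems.append(f"{cfg.name}: IPsec lifetime must be a positive number of seconds")
    if cfg.ike_lifetime_s <= cfg.ipsec_lifetime_s:
        problems.append(f"{cfg.name}: IKE lifetime must be longer than the IPsec lifetime")
    if local.prefixlen != remote.prefixlen:
        problems.append(f"{cfg.name}: selectors use different netmasks "
                        f"(/{local.prefixlen} vs /{remote.prefixlen})")
    if local.overlaps(remote):
        problems.append(f"{cfg.name}: local {local} overlaps remote {remote}")
    return problems


def check_tunnel(a: SiteConfig, b: SiteConfig) -> list:
    """Rules that compare the two endpoints of one tunnel."""
    problems = check_site(a) + check_site(b)
    if a.ike_lifetime_s != b.ike_lifetime_s or a.ipsec_lifetime_s != b.ipsec_lifetime_s:
        problems.append("lifetimes differ between the two routers")
    # Each side's local selector must be the other side's remote selector.
    a_local, a_remote = ipaddress.ip_network(a.local_subnet), ipaddress.ip_network(a.remote_subnet)
    b_local, b_remote = ipaddress.ip_network(b.local_subnet), ipaddress.ip_network(b.remote_subnet)
    if a_local != b_remote or a_remote != b_local:
        problems.append("traffic selectors are not mirror images of each other")
    return problems


if __name__ == "__main__":
    # Constructed sample: the layout from the post, IKE 24 h, IPsec 2 h on both ends.
    site1 = SiteConfig("site1", "192.168.1.0/24", "192.168.2.0/24", 86400, 7200)
    site2 = SiteConfig("site2", "192.168.2.0/24", "192.168.1.0/24", 86400, 7200)
    for line in check_tunnel(site1, site2) or ["tunnel configuration looks consistent"]:
        print(line)
```

Running the block with the sample values reports no problems; swapping one side's remote subnet for its own local subnet, or giving the two routers different lifetimes, produces one line per violated rule.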


----------



## Memnoch322 (May 11, 2005)

O111111O said:


> Also, not sure about the D-Link & its setup. But general IPSEC rules prohibit you from encapsulating any overlap. I.E. - 192.168.1.0 can't encrypt to 192.168.1.0. IPSEC SA rules should be different subnets with IDENTICAL netmasks and no overlap.
> 
> Example:
> 
> ...


DLINK is the same.


----------



## tauese (Jul 12, 2006)

Thanks for the reply... 

The subnets were always different with the same netmask and I set the IPSEC life time to 2 hours after reading your post and the IKE lifetime to about 3 days .. yet I still have the same problem ... though now it seems as if our router (on one side) needs to be physically rebooted almost every morning in order for the internet to work, let alone the VPN... as the router can't be pinged sometimes... also other times it seems as if the VPN is up but we cannot get internet traffic, then after a software boot of the router the VPN is dropped and the Internet is back on...


I'm also having trouble now with our server .. it only seems to accept Terminal Service connections over our LAN and not over the VPN anymore even when it's working and all the addresses can ping each other.. I've reset the licenses but the error log on the server keeps returning that it can't issue a license to that machine.. not sure if it is related


----------



## O111111O (Aug 27, 2005)

Sounds like state table timeout.

Is there any way to show the connection table in the firewall?


----------



## tauese (Jul 12, 2006)

Thanks again for the reply... I had a look at our connection logs and found one PC was using up all the bandwidth on P2P so I blocked that IP from accessing the WAN.. which made things run smoother and the VPN seemed to stay stable... but the Terminal Server still wouldn't connect and when we deleted the licence key on the client's side it would show a black screen on their side then disconnect after a while..

I tried using RealVNC to access a machine on the other side of the VPN but upon connection I would just get a black screen as well... so I figured it wasn't the server...

I was looking over the router settings and checking other forums for similar issues when I saw a post mentioning MTUs and I remembered lowering the MTUs on our router a week ago to see if it improved throughput any cause our connection is only a 512K line... anyway I reset it to the default 1500 and voilà, the Terminal Service and the VNC worked fine....

I'll see how the VPN holds up over the next week but I have a feeling it'll be alright, I just have to put more restrictions on our network to keep my co-workers from bringing down the VPN...

Thanks for your help
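The MTU change in the post above matters for an IPsec tunnel because ESP tunnel mode wraps every inner packet in extra headers, so the size that fits on the WAN link is smaller than the inner packet the LAN hosts produce. The following is an added example, not code from the thread or from D-Link; it assumes an ESP tunnel using AES-CBC (16-byte IV, padding to a 16-byte block) with HMAC-SHA1-96 (12-byte ICV), and other transforms change the constants. It computes the on-the-wire size of an encapsulated packet, the largest inner packet that avoids fragmentation for a given WAN MTU, and the TCP MSS that would keep sessions such as RDP or VNC inside that limit.

```python
"""ESP tunnel-mode overhead calculator.

Added example for this thread, not D-Link code. Assumed transform:
ESP with AES-CBC (16-byte IV, 16-byte block padding) and HMAC-SHA1-96
(12-byte ICV), IPv4 outer and inner headers without options.
"""

OUTER_IP = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV = 16            # AES-CBC initialisation vector
BLOCK = 16         # AES block size: payload + trailer is padded to this
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV = 12           # HMAC-SHA1-96 integrity check value
INNER_IP = 20      # inner IPv4 header (part of the protected payload)
TCP_HDR = 20       # TCP header without options


def esp_tunnel_size(inner_len: int) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = (body + BLOCK - 1) // BLOCK * BLOCK   # round up to the block size
    return OUTER_IP + ESP_HDR + IV + padded + ICV


def needs_fragmentation(inner_len: int, wan_mtu: int) -> bool:
    """True if the encapsulated packet would exceed the WAN MTU."""
    return esp_tunnel_size(inner_len) > wan_mtu


def max_inner_packet(wan_mtu: int) -> int:
    """Largest inner IP packet whose encapsulated size fits wan_mtu."""
    best = 0
    for n in range(INNER_IP, wan_mtu + 1):
        if not needs_fragmentation(n, wan_mtu):
            best = n
    return best


def tcp_mss_for(wan_mtu: int) -> int:
    """TCP MSS for inner hosts so that full segments never fragment after ESP."""
    return max_inner_packet(wan_mtu) - INNER_IP - TCP_HDR


if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(f"WAN MTU {mtu}: a 1500-byte inner packet becomes {esp_tunnel_size(1500)} bytes "
              f"(fragments: {needs_fragmentation(1500, mtu)}); "
              f"largest unfragmented inner packet {max_inner_packet(mtu)}, "
              f"suggested TCP MSS {tcp_mss_for(mtu)}")
```

With a 1500-byte WAN MTU and the assumed transform, a full 1500-byte inner packet grows to 1560 bytes and must be fragmented, while inner packets up to 1438 bytes fit; lowering the router MTU further shrinks that budget, which is why an MTU change on one end can affect long-lived sessions across the tunnel even when short pings still succeed.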


----------

