Windows XP VPN client loses connection

Dagwin

We have a Check Point Firewall-1/VPN-1 NG FP3 firewall
that is configured to allow VPN access to the office
network.
This works fine with Check Point VPN clients.

But with the XP VPN, connection is always dropped after 6-7
hours. I've spent weeks doing tests for Check Point
support, they even issued a hotfix which improved the
results, but finally this was their conclusion:

-quote-
From the debug files that you sent this time, we can see
the same scenario, we also were able to reproduce exactly
what you got in our lab - the Microsoft client is the one
who's responsible for closing the L2TP tunnel. This is
also supported by the oakley.log file.

It seems that after 7-8 hours the Main Mode SA is
expired. The Microsoft client sends a Main Mode DELETE to
the GW, causing the VPN tunnel to close. It is now up to
the Microsoft client to re-establish the tunnel, by
initiating a new Key Exchange, which it doesn't do. This
will eventually close the L2TP tunnel as well.

Why does the L2TP client not re-establish the VPN
tunnel? This question should be forwarded to Microsoft.
I can only guess that it is due to maybe lack of traffic
from the client.

I suggest that you contact Microsoft regarding this issue
and ask them to investigate it.

-end quote-

It doesn't seem to be the lack of traffic, because the
connection gets closed too when I'm doing a continuous
ping.
Installing the Advanced Networking package also didn't
help.
Installing

Anybody have an idea?

Dagwin
 
Hello Dagwin,

Thank you for your post.

This is a complicated issue and it is difficult for us to make any
conclusion without studying the trace and debug files. Due to the
complexity of this issue, I would like to suggest that you contact
Microsoft Product Support Services via telephone so that a dedicated
Support Professional can assist with your request.

Our PSS department will be glad to check this issue for you. Also, please be
advised that contacting phone support may be a charged call.

To obtain the phone numbers for a specific technology request, please take a
look at the web site listed below.

http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.

Thank you for your understanding and have a nice day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|From: "Dagwin" <[email protected]>
|Subject: Windows XP VPN client loses connection
|Date: Wed, 21 Jan 2004 00:26:25 -0800
 