#1  November 12th, 2009, 10:29 AM  Whookie
FVS338 Frequent VPN drops and lockup

I've been fighting with our FVS338 VPN Router for a while now (about 2 years, with the impression that the issue got worse with each firmware update (I used almost every one up until 3.0.5-24, which is installed now)).

Internet access (from inside of our company) is *always* stable and there aren't any problems so far.

VPN does work too, for some time (minutes, hours, even 2 to 3 days at best) our employees can connect and work (there are no more than 2 to 4 at a time) but from one moment to the other all VPN connections are dropped and login is locked (but no issues with the internet connection!)! From this moment on, no one is able to log in again.
For a while (firmware < 3.0.5-24) rebooting the device did always heal the issue and so we bought a timer which disconnects the mains every night at 5 o'clock - reissuing power 5 minutes later.
But as of 3.0.5-24 not every reboot resulted in a working VPN (besides getting constantly poked by my fellows when rebooting the router isn't that funny either).
So I started experimenting and found that the following procedure does heal the issue without rebooting and in 100% of all cases:
1. Go to VPN->Policies->IKE Policies->Edit (there is only one policy)
2. Change "Identifier Type" from "FQDN" to any other (invalid) setting
3. Press "Apply" and when the page from step 1 gets displayed press "Edit" again
4. Change "Identifier Type" back to "FQDN"
5. Press "Apply" and instantly anyone can log in again!

But as the VPN should always be up (especially on weekends) my boss isn't blessed anymore because he seems to have a sensor telling him to log in anytime the VPN is down, so we had a few arguments lately.

I really need a solution to this problem and hope you can help me!

TIA
Whookie
#2  November 12th, 2009, 11:33 AM  adit (Moderator)
Re: FVS338 Frequent VPN drops and lockup

Site to Site or VPN Client to Site VPN? You didn't specifically say, but it looks like the latter.

Static IP's or Dynamic on the 338?

ISP, Connection Type, Location, Modem info?

UPS on the unit? Power Issues?

When you upgraded to 3.0.5-24 did you Factory Default the unit and manually reconfigure all the settings?

VPN or Mode Config VPN Client setup?

SA Lifetimes?

Are the users Disconnecting the sessions, or are they just closing their laptops/pulling the plug?

Are you using Netgear VPN Client? Which version?
#3  November 12th, 2009, 12:40 PM  Whookie
Re: FVS338 Frequent VPN drops and lockup

# Sorry forgot to mention: VPN Client (using ProSafe VPN Client) to Site VPN (338)
# IP is static (and always was)
# We do have a broadband ISP (UPC, Zyxel-modem) but there are no "surfing issues" the whole internet access is done through the FVS338 without any disconnection problems.
# There is a surge protector but no UPS on the unit (UPS is for the servers only)
# There are no power issues as far as I can tell.
# What do you mean by "location"? All server and access related stuff is in a server room held at 23C by a nice air conditioner.
# I did not reconfig on the last update but the one before, because it lost some information at that update (that was a huge amount of work because we use MAC filtering for all our PCs and have a lot of VPN accounts, ...). I also had the impression that things got worse since manually reconfiguring the device.
# Not sure what you mean with "VPN or Mode Config", but I am using a mode config record in the IKE policy.
# SA lifetime is: 86400
# When the drop/lock occurs the user does neither ... they just do their work, wondering why the remote-desktop is trying to reconnect.
# Most sessions are opened in the morning and are kept open until evening or later (most of our employees have a home-working day per week). As for me, I always close the session using the client, but I'm sure some others will just shut down their PCs. There are rare conditions, when a user is off road, that a laptop is used but I never had this sort of issue "just after a client logged out" by going to standby (or at least I'm not aware of it).
# We are using only the Netgear Client 10.1.1 (build 10) on XP, we got the Vista version (10.8.3) but Vista isn't used by anyone except an ex-external worker a year ago. Since yesterday we also have one employee who uses the Shrew Soft client which seems to work very well with Windows 7.

I hope you can make anything out from that ...

TIA
Whookie
#4  November 12th, 2009, 05:26 PM  adit (Moderator)
Re: FVS338 Frequent VPN drops and lockup

read this thread: http://forum1.netgear.com/showthread.php?t=43398

Location: Texas, London, Peru, etc.

You should put a battery backup on it.

There are 2 different types of VPN client setup methods. One uses a traditional VPN policy and the other uses the Mode Config record.

The traditional VPN has a different VPN Client security policy (i.e. policy.spd that you export/import) for each user.

The Mode Config record allows you to use the same VPN Client security policy for all users.

Are they remote desking, or connecting to a real Terminal Server?

How many remote users are there?

10.8.3 is not a Vista version. All of your PC's should be running it. 10.1.1 is way out of date.

When the user gets disconnected from the session, does the VPN Status page still show it as connected?
#5  November 12th, 2009, 10:56 PM  Whookie
Re: FVS338 Frequent VPN drops and lockup

Hi again
#1 So you suggest that I reset the router to its defaults and manually reconfigure it each time I update the firmware? That is a huge amount of work, at least half a day plus another day to correct all the typos - isn't there a way to automate that?

#2 Austria (no we do not have kangaroos!)

#3 There is no free plug on our UPS at the moment, but I will give this a try in the near future (but I'm quite sure it has no influence on the current state and it is surge protected too)

#4 As stated in my last answer (8th #), I use a mode config record and each user gets its own .spd file (just changing the "Domain Name" string)

#5 Some use the Remote Desktop, most of them just connect to shared server drives (W2003) or browse our in-house web platform. In addition almost all of them connect to the MS Exchange server (another W2003)

#6 There are 25 accounts but as stated in my first post there are no more than 3 to 4 users using the VPN at a time.

#7 I tried the 10.8.3 back then when I got it but as it crashed the test pc on installation I thought, it would just support Vista (besides the risk rolling it out on 25 working pc's and getting stoned to death for breaking access)

#8 The user isn't shown on the Status page (but I can't tell you if this is true in 100% of all cases) on the client side in most cases the VPN-Client thinks it is connected (but not always).

TIA
Whookie
#6  November 13th, 2009, 07:40 AM  adit (Moderator)
Re: FVS338 Frequent VPN drops and lockup

Go back to that link and read my first post in the thread.

You are on 3.0.5-24. If you upgraded from 3.0.4-19 or lower, and didn't default the router and manually reprogram the router, then do so.

No kangaroos? Not even in a zoo? Terminators?

You should be using a single Mode Config for all users. It makes everything easy. You can add Extended Authentication (User Database or Radius) as well to allow/disallow VPN access. Take a look at my 538 Mode Config tutorial for future reference.

Why does each employee have their own policy?

What are you doing with the MAC filters?
#7  November 13th, 2009, 12:21 PM  Whookie
Re: FVS338 Frequent VPN drops and lockup

Hi!
Manual reconfiguration isn't that easy to accomplish! I'm using more than 100 MAC addresses (blocking all and permitting those entered) and also IP/MAC Binding for the complete intranet (we did have internet misuse in the office, so with these settings we can easily bandwidth-limit an account and get notified if someone is trying to fake an IP and/or MAC). There are several Bandwidth Profiles (none of them actually used at the moment - everyone is honest for the time being).
So I *definitely* need a procedure to store all settings and do an automatic setup, because just writing down all that data and double-checking if it's correct would take an extra day.

Could I do that via telnet (e.g. write some sort of script which does the setup - making it worth investing the time for future use)???

Yes - sadly it's true - we had one of those nasty Terminators! Fortunately it was married away by an American gal - I believe they even had a job for it!

I use a single Mode Config and I use the User Database and I'm pretty sure each user needs to get the same .spd file altering just the "Domain Name" string (see #4 in my previous post) so: XXX VPN->My Identity->ID Type = "Domain Name" and that name is: "username.company_remote.com" where "username" is unique for each account, which leads to an .spd file for each user (do you mean that by "their own policy"?).

BTW: In that state of VPN lockup each attempt to connect from the client side places the following message in the VPN log:

2009 Nov 13 20:31:27 [FVS338] [IKE] Could not find configuration for 85.XXX.XXX.XXX[500]
#8  November 13th, 2009, 08:18 PM  adit (Moderator)
Re: FVS338 Frequent VPN drops and lockup
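A way to notice the lockup state from the router's log rather than waiting for the next complaint, as an added example that is not from the thread and not NETGEAR's code: it parses lines in the format quoted above and raises an alert when several distinct client addresses hit "Could not find configuration for" within a short window, which separates a router-wide lockup from one misconfigured client retrying. The exact log format, the ten-minute window, the three-peer threshold and the sample lines are all assumptions constructed for this example.

```python
"""Detect the FVS338 'VPN lockup' state from its exported log.

Added example, not code from the forum thread or from NETGEAR. It assumes
the router log line format shown in the thread:

    2009 Nov 13 20:31:27 [FVS338] [IKE] Could not find configuration for 85.XXX.XXX.XXX[500]

The sample logs below are constructed for this example; the peer addresses
are documentation ranges, not real clients.
"""
import re
from datetime import datetime, timedelta

# "<year> <mon> <day> <time> [<host>] [<facility>] <message>" (assumed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<host>[^\]]+)\] \[(?P<facility>[^\]]+)\] (?P<msg>.*)$"
)
# The IKE message the thread reports while the VPN is locked up.
LOCKUP_RE = re.compile(r"Could not find configuration for (?P<peer>\S+?)\[(?P<port>\d+)\]")


def parse_line(line):
    """Split one router log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "facility": m.group("facility"),
        "msg": m.group("msg"),
    }


def lockup_events(log_text):
    """Return sorted (timestamp, peer) pairs for every 'Could not find configuration' line."""
    events = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["facility"] != "IKE":
            continue
        m = LOCKUP_RE.search(rec["msg"])
        if m:
            events.append((rec["ts"], m.group("peer")))
    return sorted(events)


def detect_lockup(log_text, window=timedelta(minutes=10), threshold=3):
    """Alert when at least `threshold` DIFFERENT peers fail IKE within `window`.

    One peer failing repeatedly is usually a misconfigured client; several
    distinct peers all failing in a short span matches the thread's
    description of the router-wide lockup, where nobody can log in.
    """
    events = lockup_events(log_text)
    for i, (start, _) in enumerate(events):
        peers = {peer for ts, peer in events[i:] if ts - start <= window}
        if len(peers) >= threshold:
            return {"alert": True, "first_seen": start, "peers": sorted(peers)}
    return {"alert": False, "first_seen": None, "peers": sorted({p for _, p in events})}


# Constructed sample: three different clients fail within five minutes.
SAMPLE_LOG = """\
2009 Nov 13 20:25:02 [FVS338] [IKE] constructed filler line, unrelated to lockup
2009 Nov 13 20:31:27 [FVS338] [IKE] Could not find configuration for 198.51.100.21[500]
2009 Nov 13 20:33:40 [FVS338] [IKE] Could not find configuration for 198.51.100.34[500]
2009 Nov 13 20:34:05 [FVS338] [IKE] Could not find configuration for 198.51.100.21[500]
2009 Nov 13 20:36:12 [FVS338] [IKE] Could not find configuration for 198.51.100.58[500]
"""

# Constructed sample: one client retrying; should NOT be treated as a lockup.
SINGLE_CLIENT_LOG = """\
2009 Nov 13 21:02:10 [FVS338] [IKE] Could not find configuration for 198.51.100.99[500]
2009 Nov 13 21:02:40 [FVS338] [IKE] Could not find configuration for 198.51.100.99[500]
2009 Nov 13 21:03:10 [FVS338] [IKE] Could not find configuration for 198.51.100.99[500]
2009 Nov 13 21:03:40 [FVS338] [IKE] Could not find configuration for 198.51.100.99[500]
"""

if __name__ == "__main__":
    for name, log in (("site-wide", SAMPLE_LOG), ("single client", SINGLE_CLIENT_LOG)):
        print(name, detect_lockup(log))
```

Feed it the log exported from the router (or a syslog file if the router forwards to one) and hook the alert into whatever notifies you today; counting distinct peers rather than raw failures is what keeps one laptop with a stale .spd from paging you at night.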

You should have one of your Windows Servers running DHCP (if not already). Set up different LAN pools (one for good MACs and one for the rest). This way you can make Rules in the router based on LAN ranges rather than dealing with the MACs there.

You don't need to modify the .spd with username1., username2., etc. Both the router and client can just use company_remote.com and company_local.com. Everyone in the company can use the same .spd without modification.
#9  November 14th, 2009, 05:02 AM  Whookie
Re: FVS338 Frequent VPN drops and lockup

Hello again!
We do have a pool of good and bad IPs, but some of our employees tried to spoof the good ones too...

Ok, that's new for me, I always thought that is the way to distinguish the accounts from one another???
But as I lock each policy and apply the login password of the account there has to be a different .spd for each user

But what's really troubling me at the moment is the question about a way to automate a new setup... wouldn't telnet be an option?
I had a look into it. One can easily read out the current configuration but the commands to add anything are not working in an understandable way (for me)

I'm thinking about implementing a CA and switching to certificates, but had a few problems. First of all, I entered another mode config record (I need to implement certs in parallel so the current users can access the system while I'm testing certs), but at that point the normal VPN did stop working???

TIA
Gustav
#10  November 14th, 2009, 07:46 AM  adit (Moderator)
Re: FVS338 Frequent VPN drops and lockup

PM me a temporary admin username and password. I would like to see what is programmed in the router.


The Extended Authentication (EA) Username and Password come from the router, not the client. (i.e. One of my customers has 20 VPN client users on a Mode Config VPN setup, all 20 use the same .spd, and each has their own username and password set up on the router that they are required to enter before the VPN connects).

I am working on getting them to add a feature to the VPN Connection Status page that shows the (EA) username so you can easily identify who is logged in at each IP.

Get one thing working before you move on to the next (CA's).

There is no easy way to automate the process. Search the forum/KB for CLI, there are a few guides out there. And you may not want to automate it anyway as you might be reloading the problem that is dropping the VPN clients. Bite the bullet and do it.

As for the spoofers... if you are in a Domain you can lock them out from being able to change their IPs. Remove their admin access to the PCs.
All times are GMT -8.