2003 Server RRAS Site-To-Site VPN Dropping

 
 
Russell Preece
      09-28-2005, 01:44 PM
Hi All,

I have two sites linked together with a 2003 Server Site to Site VPN which
is dropping rather frequently, every 24 hours or so. People try and access
in the morning over the link and it's dead.

Site 1 has Windows Server 2003 SBS SP1 dual-homed. LAN = 192.168.0.0/24,
WAN = 10.0.0.0/24 with ADSL router acting as a bridge (NAT but all ports
forwarded to SBS server).

Site 2 has Windows Server 2003 Standard SP1 dual homed. LAN =
192.168.1.0/24, WAN = 10.0.0.0/24, again with ADSL router acting as a bridge
with NAT and port forwards.

Have set up the site to site VPN correctly with the opposite router
names/credentials etc and it works for the most part, but the VPN will
occasionally drop out, sometimes in the middle of the night so it is down
when they get in in the morning, or sometimes (as last week) it will drop
numerous times during the day. It doesn't seem to automatically reconnect
because it thinks it is still connected, but if you disconnect it it will
re-establish itself fine and carry on working. Both sides of the connection
are set to persistent connection, and both have the demand-dial route
ticked.

It's worth noting that we have created a similar setup with another company
on 2003SBS and 2003 Standard (both non SP1) about 2 years ago and theirs
never drops the connection unless the ADSL goes down, in which case it
reconnects with no problem at all.

I have tried setting only one side to persistent and the other to
demand-dial, but with the same problem (apparently the routers are deaf for
incoming connections if they are dialling!?), I have also tried setting the
WAN NIC to the primary adapter in Network -> Advanced Settings on both
machines.

The Internet connection on both sides stays up, as the routers always have
large uptimes when this happens (200-300 hours), so that's not knocking it
out. One main difference with the previous successful install is that the
ADSL connections are with two different ISP's, but I don't see how that
would affect it, and especially seeing as it's refusing to automatically
reconnect - in fact seems like it's refusing to know that it has dropped?

The Site 2 server does have SQL SP3a on it, which I've heard may cause a
problem, but how? I've also heard of an MTU change - does anyone think this
will help before I go changing reg values on these boxes?

I'm going out of my tiny little mind here because this client keeps on
hassling us about this, so if anyone can come up with any suggestions I'd be
very appreciative.

Thanks in advance.

Russell Preece


 
 
Leythos
      09-28-2005, 03:42 PM
In article <VI-(E-Mail Removed)>,
russell_dot_preece@activetechnology*co*uk says...
> The Internet connection on both sides stays up, as the routers always have
> large uptimes when this happens (200-300 hours), so that's not knocking it
> out. One main difference with the previous successful install is that the
> ADSL connections are with two different ISP's, but I don't see how that
> would affect it, and especially seeing as it's refusing to automatically
> reconnect - in fact seems like it's refusing to know that it has dropped?
>
> The Site 2 server does have SQL SP3a on it, which I've heard may cause a
> problem, but how? I've also heard of an MTU change - does anyone think this
> will help before I go changing reg values on these boxes?


Are you doing site-site using the routers or are you actually doing
SBS2003 to SBS2003 site to site vpns?

If you have fixed IP on the WAN ports, then use the routers to do the
IPSec tunnels and not SBS, it's easier to manage and moves the load onto
the routers.

Russell Preece
      09-28-2005, 03:50 PM
"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <VI-(E-Mail Removed)>,
> russell_dot_preece@activetechnology*co*uk says...
>> The Internet connection on both sides stays up, as the routers always have
>> large uptimes when this happens (200-300 hours), so that's not knocking it
>> out. One main difference with the previous successful install is that the
>> ADSL connections are with two different ISP's, but I don't see how that
>> would affect it, and especially seeing as it's refusing to automatically
>> reconnect - in fact seems like it's refusing to know that it has dropped?
>>
>> The Site 2 server does have SQL SP3a on it, which I've heard may cause a
>> problem, but how? I've also heard of an MTU change - does anyone think this
>> will help before I go changing reg values on these boxes?

>
> Are you doing site-site using the routers or are you actually doing
> SBS2003 to SBS2003 site to site vpns?
>
> If you have fixed IP on the WAN ports, then use the routers to do the
> IPSec tunnels and not SBS, it's easier to manage and moves the load onto
> the routers.
>
> --
>
> (E-Mail Removed)
> remove 999 in order to email me


Thanks for the reply. I'm doing the vpn via sbs at the moment. The routers
do support IPSec tunnels, but I've no idea how to set this up. Also I
thought it may be a problem that the WAN network is on a different subnet
(10.) and so wouldn't be able to route the two interconnecting ranges
together?


 
Leythos
      09-28-2005, 04:27 PM
In article <(E-Mail Removed)>,
russell_dot_preece@activetechnology*co*uk says...
> "Leythos" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > In article <VI-(E-Mail Removed)>,
> > russell_dot_preece@activetechnology*co*uk says...
> >> The Internet connection on both sides stays up, as the routers always have
> >> large uptimes when this happens (200-300 hours), so that's not knocking it
> >> out. One main difference with the previous successful install is that the
> >> ADSL connections are with two different ISP's, but I don't see how that
> >> would affect it, and especially seeing as it's refusing to automatically
> >> reconnect - in fact seems like it's refusing to know that it has dropped?
> >>
> >> The Site 2 server does have SQL SP3a on it, which I've heard may cause a
> >> problem, but how? I've also heard of an MTU change - does anyone think this
> >> will help before I go changing reg values on these boxes?

> >
> > Are you doing site-site using the routers or are you actually doing
> > SBS2003 to SBS2003 site to site vpns?
> >
> > If you have fixed IP on the WAN ports, then use the routers to do the
> > IPSec tunnels and not SBS, it's easier to manage and moves the load onto
> > the routers.
> >

>
> Thanks for the reply. I'm doing the vpn via sbs at the moment. The routers
> do support IPSec tunnels, but I've no idea how to set this up. Also I
> thought it may be a problem that the WAN network is on a different subnet
> (10.) and so wouldn't be able to route the two interconnecting ranges
> together?


I don't do SBS to SBS site-site VPN's, but I also don't do Dual NIC
installs either. I install a Firewall Appliance (not a cheap nat router)
and do the IPSec tunnels between appliances - this makes sharing
resources simple as the LAN on both sides (access) is controlled by the
firewall not the server. As long as the networks have different subnets
it makes it easy to share resources - as long as you have DNS set up
properly.

Since you want to do SBS to SBS I will have to bow out and let one of
the others assist you.

Ian
      09-28-2005, 08:22 PM
Leythos wrote:
> In article <(E-Mail Removed)>,
> russell_dot_preece@activetechnology*co*uk says...
>
>>"Leythos" <(E-Mail Removed)> wrote in message
>>news:(E-Mail Removed)...
>>
>>>In article <VI-(E-Mail Removed)>,
>>>russell_dot_preece@activetechnology*co*uk says...
>>>
>>>>The Internet connection on both sides stays up, as the routers always have
>>>>large uptimes when this happens (200-300 hours), so that's not knocking it
>>>>out. One main difference with the previous successful install is that the
>>>>ADSL connections are with two different ISP's, but I don't see how that
>>>>would affect it, and especially seeing as it's refusing to automatically
>>>>reconnect - in fact seems like it's refusing to know that it has dropped?
>>>>
>>>>The Site 2 server does have SQL SP3a on it, which I've heard may cause a
>>>>problem, but how? I've also heard of an MTU change - does anyone think this
>>>>will help before I go changing reg values on these boxes?
>>>
>>>Are you doing site-site using the routers or are you actually doing
>>>SBS2003 to SBS2003 site to site vpns?
>>>
>>>If you have fixed IP on the WAN ports, then use the routers to do the
>>>IPSec tunnels and not SBS, it's easier to manage and moves the load onto
>>>the routers.
>>>

>>
>>Thanks for the reply. I'm doing the vpn via sbs at the moment. The routers
>>do support IPSec tunnels, but I've no idea how to set this up. Also I
>>thought it may be a problem that the WAN network is on a different subnet
>>(10.) and so wouldn't be able to route the two interconnecting ranges
>>together?

>
>
> I don't do SBS to SBS site-site VPN's, but I also don't do Dual NIC
> installs either. I install a Firewall Appliance (not a cheap nat router)
> and do the IPSec tunnels between appliances - this makes sharing
> resources simple as the LAN on both sides (access) is controlled by the
> firewall not the server. As long as the networks have different subnets
> it makes it easy to share resources - as long as you have DNS set up
> properly.
>
> Since you want to do SBS to SBS I will have to bow out and let one of
> the others assist you.
>

I've had a similar issue (I know it's a cop-out but I ended up taking
the hardware route as well!)

I've got a script somewhere that checks the opposite end of the tunnel
is reachable and if not it forces RRAS to drop the connection (and dial
it again automatically) - I'll try to find it tomorrow.
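
The kind of check Ian describes (probe the far end of the tunnel and, if it is unreachable, force RRAS to drop and redial), sketched as an added example; this is not Ian's script, which the thread does not include. The demand-dial interface name `Site2`, the probe address `192.168.1.1` (assumed to be a host on the Site 2 LAN) and the log path are assumptions.

```bat
@echo off
rem Added example (constructed): watchdog for a stale RRAS demand-dial tunnel.
rem Assumed values, not from the thread: interface name, probe address, log path.
setlocal
set "IFNAME=Site2"
set "PEER=192.168.1.1"
set "TRIES=3"
set "LOG=%SystemRoot%\Temp\vpn-watchdog.log"

rem Probe a far-side LAN address several times; a single reply counts as "up".
rem "TTL=" appears only in a real echo reply, so a locally generated
rem "Destination host unreachable" answer is not mistaken for success.
set /a FAILS=0
for /l %%i in (1,1,%TRIES%) do (
    ping -n 1 -w 2000 %PEER% | find "TTL=" >nul
    if errorlevel 1 set /a FAILS+=1
)

rem At least one probe got through: the tunnel is passing traffic, do nothing.
if %FAILS% LSS %TRIES% goto :eof

rem Every probe failed even though RRAS may still show the interface as
rem connected: log it, drop the demand-dial interface, pause, then redial.
echo %DATE% %TIME% %PEER% unreachable, resetting "%IFNAME%" >>"%LOG%"
netsh interface set interface name="%IFNAME%" connect=DISCONNECTED >>"%LOG%" 2>&1

rem ping against loopback is used as a roughly 10 second delay.
ping -n 11 127.0.0.1 >nul
netsh interface set interface name="%IFNAME%" connect=CONNECTED >>"%LOG%" 2>&1
```

Run it every few minutes from a scheduled task on one of the two servers. Probing a far-side LAN address rather than the peer's public address is what catches a tunnel that RRAS still reports as connected while no traffic passes.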
 
Leythos
      09-28-2005, 08:49 PM
In article <#(E-Mail Removed)>,
(E-Mail Removed) says...
> I've had a similar issue (I know it's a cop-out but I ended up taking
> the hardware route as well!)


The hardware method was around and working before SBS was ever invented
and in a properly secured network will be much more stable than a soft
solution.

Ian
      09-28-2005, 09:03 PM
Leythos wrote:
> In article <#(E-Mail Removed)>,
> (E-Mail Removed) says...
>
>>I've had a similar issue (I know it's a cop-out but I ended up taking
>>the hardware route as well!)

>
>
> The hardware method was around and working before SBS was ever invented
> and in a properly secured network will be much more stable than a soft
> solution.
>

Woah!

What I meant was I didn't spend any time on the RRAS VPN to sort the
problem as the hardware option was available to me.


Ian
 
Russell Preece
      09-29-2005, 09:23 AM

"Ian" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Leythos wrote:
>> In article <(E-Mail Removed)>,
>> russell_dot_preece@activetechnology*co*uk says...
>>
>>>"Leythos" <(E-Mail Removed)> wrote in message
>>>news:(E-Mail Removed)...
>>>
>>>>In article <VI-(E-Mail Removed)>,
>>>>russell_dot_preece@activetechnology*co*uk says...
>>>>
>>>>>The Internet connection on both sides stays up, as the routers always have
>>>>>large uptimes when this happens (200-300 hours), so that's not knocking it
>>>>>out. One main difference with the previous successful install is that the
>>>>>ADSL connections are with two different ISP's, but I don't see how that
>>>>>would affect it, and especially seeing as it's refusing to automatically
>>>>>reconnect - in fact seems like it's refusing to know that it has dropped?
>>>>>
>>>>>The Site 2 server does have SQL SP3a on it, which I've heard may cause a
>>>>>problem, but how? I've also heard of an MTU change - does anyone think this
>>>>>will help before I go changing reg values on these boxes?
>>>>
>>>>Are you doing site-site using the routers or are you actually doing
>>>>SBS2003 to SBS2003 site to site vpns?
>>>>
>>>>If you have fixed IP on the WAN ports, then use the routers to do the
>>>>IPSec tunnels and not SBS, it's easier to manage and moves the load onto
>>>>the routers.
>>>>
>>>
>>>Thanks for the reply. I'm doing the vpn via sbs at the moment. The
>>>routers do support IPSec tunnels, but I've no idea how to set this up.
>>>Also I thought it may be a problem that the WAN network is on a different
>>>subnet (10.) and so wouldn't be able to route the two interconnecting
>>>ranges together?

>>
>>
>> I don't do SBS to SBS site-site VPN's, but I also don't do Dual NIC
>> installs either. I install a Firewall Appliance (not a cheap nat router)
>> and do the IPSec tunnels between appliances - this makes sharing
>> resources simple as the LAN on both sides (access) is controlled by the
>> firewall not the server. As long as the networks have different subnets it
>> makes it easy to share resources - as long as you have DNS set up
>> properly.
>>
>> Since you want to do SBS to SBS I will have to bow out and let one of the
>> others assist you.
>>

> I've had a similar issue (I know it's a cop-out but I ended up taking the
> hardware route as well!)
>
> I've got a script somewhere that checks the opposite end of the tunnel is
> reachable and if not it forces RRAS to drop the connection (and dial it
> again automatically) - I'll try to find it tomorrow.


Hi Ian,

Thanks for the response, if you could find that script it would be much
appreciated. When we next do a visit at that site I think we may
investigate the hardware route, although I still don't understand why it
should drop and not reconnect. Maybe I'll get onto Microsoft to see why
their software doesn't work properly... ;o)

Russell.


 