Nomad_Soul - Fotolia

Identifying and troubleshooting VPN session timeout issues

Troubleshooting VPN session timeout and lockout issues should focus first on isolating where the root of the problem lies -- be it the internet connection, the VPN vendor or the user device.

When troubleshooting a VPN timeout issue, it is important to remember that the root of the problem could be the VPN vendor, the user's internet connection, or the user's device and software, so isolating the issue first is critical.

Potential VPN timeout issues include the following:

  • The internet connection is spotty.
  • The internet connection at a certain location blocks VPN access.
  • The VPN server stops responding.
  • The VPN provider's DNS server stops responding.
  • The user's firewall or router settings could block VPN access.
  • The user's VPN software needs to be updated.
  • The VPN rekey process is failing.

Steps to troubleshooting VPN timeout causes

When troubleshooting VPN session timeout or lockout issues, it's critical to isolate the problem to ensure faster and easier remediation.

Step 1. Assess the user

First, determine the user's location. If users are allowed to connect to the VPN from anywhere except a specific location, such as their local coffee shop, it could be that the internet connection at that location is blocking VPN access.

Another way to determine the root cause of the VPN issue is to ask the user to connect to the VPN using a wired connection. The majority of users connect via wireless LAN (WLAN) or Wi-Fi, and although it is becoming rarer for VPN software to lose connection due to poor Wi-Fi signal strength, it is a potential cause. If the user can connect via the wired LAN without any issues but has an issue periodically with the Wi-Fi or WLAN, start troubleshooting the agent logs and the origin of the logon attempts with an eye toward wireless-related issues.

Image of how a VPN works

Step 2. Assess the vendor

If the user's internet connection isn't the issue, the next step is to ensure the VPN vendor isn't the root of the problem. This means checking that the VPN server being used is responding properly and that the DNS server used by the VPN vendor doesn't have any issues. If the vendor ends up being the cause, it might be time to change the VPN server or DNS server.

Step 3. Assess the device

Once outside causes have been ruled out, it's time to check the settings and software for the remote user. One of the first settings to check is the VPN timeout setting itself. By default, VPN software might shut down a connection that has been idle for as little as 10 minutes, which might be too short for many users. These values should be set to fit the needs of the company and its end users. This is especially true with the use of SSL VPNs.

VPN timeout issues could also potentially arise from out-of-date software, so security admins must ensure the VPN software on the user device is updated properly.

Consideration should be made to users' firewall settings on their device or router, as well as router settings. What might appear to be a VPN timeout issue could actually be security software shutting down the connection inappropriately.

When using an IPsec VPN, verify the connection settings of phase 1 and phase 2 rekey policies. The phase 1 policy will be able to go down without an issue and rekey, but if phase 1 and phase 2 timers go down at the same time, there's the potential for a timeout or longer time to connect.

Dig Deeper on Network security

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close