We’ve had some issues recently with VPN stability, namely users’ connections locking up or timing out. Can you offer a VPN stability checklist of low-hanging fruit we should check for?
Depending on the vendor your company uses, the location from which you’re trying to establish a VPN connection, and other factors, a user could come up with a hundred different possible issues with authenticating to a VPN. Here are some areas to look at first regarding the stability of a VPN connection.
One of the first things to do when troubleshooting VPN session timeout or lockout issues is to determine the user’s location. It’s important because if a user can always connect while he or she is at home, but can never connect on an open Wi-Fi connection at the local coffee house, that should enable isolation of the issue quickly. This is one of the simplest forms of VPN troubleshooting, but can save a lot of time during the process.
Another way to start determining the root cause of the VPN issue is to ask the user to connect to the VPN both on the WLAN and the wired LAN. The majority of VPN connections these days are connected wirelessly. In the past, I’ve noticed certain vendor agents are less tolerant of network loss due to the poor strength of a Wi-Fi connection, which could result in VPN stability issues. If a user is able to connect via the wired LAN without any issues, but has an issue periodically with the WLAN, start troubleshooting the agent logs and the origin of the logon attempts with an eye toward wireless-related issues.
There’s also the issue of timeout periods for users. I’ve seen many default values around timeouts, such as idle connections after 10 minutes, and a max session at 60 minutes with a reminder of five minutes before timeout. This might not suit all users, so these values could be reworked to fit the needs of the company and user population. This could be an issue where the defaults are too low for what the user needs the session for; this is especially true in SSL VPNs.
When using IPsec, verify the connection settings of your phase 1 and phase 2 rekey policies. The phase 1 policy will be able to go down without an issue and rekey, but if your phase 1 and phase 2 timers go down at the same time, there’s the potential for a timeout or longer connection time.
There are many other potential issues that could cause a VPN session timeout or lockout, but many of these are dependent on the OS that it’s installed on, the vendor that’s being used, and the ISP that it’s traveling over. Reviewing the logs of the workstation and VPN systems will help guide you toward a proper solution. It’s also possible that many agent-based VPN clients aren’t compatible with a certain OS or are in need of an upgrade. Getting as much detail as possible on the locations of users and the software being used is going to be a huge help in determining the root cause of the VPN connectivity issue.
This was first published in June 2012
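The IPsec point above, about phase 1 and phase 2 timers expiring together, can be checked on paper before touching a gateway. The following is an added example, not part of the original answer or any vendor's tooling: it assumes both timers start at tunnel establishment and rekey at a fixed interval (lifetime minus an optional margin) with no vendor jitter, and the function names and the 30-second window are illustrative.

```python
"""Find times when IPsec phase 1 and phase 2 rekeys land close together."""


def rekey_times(lifetime_s, horizon_s, margin_s=0):
    """Seconds after tunnel-up at which an SA starts rekeying.

    Assumption: fixed interval of (lifetime - margin), no random jitter.
    """
    interval = lifetime_s - margin_s
    if interval <= 0:
        raise ValueError("margin must be smaller than the lifetime")
    return list(range(interval, horizon_s + 1, interval))


def rekey_collisions(p1_life_s, p2_life_s, horizon_s, window_s=30, margin_s=0):
    """Return (phase1_time, phase2_time) pairs within window_s of each other."""
    p1 = rekey_times(p1_life_s, horizon_s, margin_s)
    p2 = rekey_times(p2_life_s, horizon_s, margin_s)
    hits = []
    j = 0
    for t1 in p1:
        # Skip phase 2 rekeys that finished well before this phase 1 rekey.
        while j < len(p2) and p2[j] < t1 - window_s:
            j += 1
        # Collect every phase 2 rekey inside the window around t1.
        k = j
        while k < len(p2) and p2[k] <= t1 + window_s:
            hits.append((t1, p2[k]))
            k += 1
    return hits


if __name__ == "__main__":
    two_days = 2 * 86400
    # Constructed sample policies: (phase 1 lifetime, phase 2 lifetime) in seconds.
    for p1_life, p2_life in [(86400, 3600), (86400, 3300)]:
        hits = rekey_collisions(p1_life, p2_life, two_days)
        print(f"phase1={p1_life}s phase2={p2_life}s -> {len(hits)} overlap(s): {hits}")
```

A phase 2 lifetime that divides evenly into the phase 1 lifetime (3600 into 86400) overlaps on every phase 1 rekey, while 3300 seconds produces no overlap in the same two-day span.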