VPN Client connection drops when second user connects

ipsec, netgear, shrew, vpn, vpn-client

My customer is using a NETGEAR FVS338 for internet access and s2s-connectivity for his two locations, which works flawlessly.

He (and a couple of his employees) also use the ShrewSoft VPN software client to connect to the office while on the road.

The road warriors (and my customer in his home office) use the VPN Client to connect to his company network and use an RDP session to a terminal server in the office to work with our applications.

Today he reported the following problem:

  • Client-A (road warrior) establishes a VPN connection and RDP session to the server.
  • Connection is stable and works without issues.
  • If Client-B (customer in home office) connects to the VPN, the RDP session of Client-A drops.

While I was having a look at the connected RDP users (road warrior is connected), my customer established a VPN connection. I could observe that the RDP session does not drop immediately but after a couple of minutes, while the road warrior told us he lost the connection immediately after my customer's connection was established.

Therefore I believe that it isn't really the RDP session that is dropping, but the VPN dying and the RDP session timing out.

To mitigate this problem I made sure that both users are using discrete VPN policies with different Remote-ID values as seen by the router (resp. different Local-IDs when viewed from the VPN client).

The clients have the following settings in common (they don't literally share them, since, as I said before, these are different policies, but the same values are configured in both):

IKE Policy

  • Remote Endpoint – both connect to the same router
  • Remote ID for the router (which is the router's IP address)
  • Exchange Mode (Aggressive)
  • Encryption and Authentication Algorithm
  • DH-Group for Phase 1
  • SA-Lifetime

VPN Policy

  • The remote Subnet (as seen by the client which is the company network they are connecting to)
  • Local Traffic Selection (which is set to "Any" on the router so should allow anything the client sends)
  • Policy Type (Automatic Policy Generation)
  • Encryption and Integrity algorithm
  • PFS group
  • SA Lifetime

The only thing that I can think of being a problem is the Local Traffic Selection, so that somehow the Netgear router cannot differentiate between both clients and drops one of the connections (or lets it time out).

Is this realistic? If so, could this be mitigated by setting two discrete IP addresses in the traffic selection of the router and configuring the virtual adapter on the client accordingly?

Are there any other hints you could give me to troubleshoot this?

Best Answer

Swap the local and remote subnets round in the VPN policy, if you are defining them on the FVS338. I'd also double check the Mode Config screen to confirm that there are plenty of remote IPs available.
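As an added example (not code from the question, the FVS338 firmware or the ShrewSoft client), the following Python check models the two client policies described in the question and flags the conditions the question suspects and the answer addresses: identical or overlapping client-side traffic selectors, duplicate Remote-IDs, and a Mode Config pool with too little headroom for the concurrent clients. The policy values, identity strings and pool CIDR are constructed for the example.

```python
"""Check per-client IPsec policies on a shared gateway for collisions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientPolicy:
    name: str
    remote_id: str        # identity the client presents (the router's "Remote ID")
    local_selector: str   # client-side traffic selector as the router sees it ("any" or CIDR)
    remote_subnet: str    # company network the client reaches through the tunnel


def _net(selector):
    """Map the router's 'Any' selector to 0.0.0.0/0 so it can be compared as a network."""
    text = "0.0.0.0/0" if selector.strip().lower() == "any" else selector
    return ipaddress.ip_network(text, strict=False)


def find_conflicts(policies):
    """Return (policy_a, policy_b, reason) for every pair the gateway may not tell apart."""
    findings = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.remote_id == b.remote_id:
                findings.append((a.name, b.name, "same Remote-ID"))
            na, nb = _net(a.local_selector), _net(b.local_selector)
            if na.overlaps(nb):
                kind = "identical" if na == nb else "overlapping"
                findings.append((a.name, b.name, f"{kind} local traffic selector"))
    return findings


def mode_config_headroom(pool_cidr, concurrent_clients):
    """Usable addresses left in an assumed Mode Config pool after all clients are in."""
    return sum(1 for _ in _net(pool_cidr).hosts()) - concurrent_clients


# Constructed policies: distinct Remote-IDs, but both selectors left at "Any".
AS_CONFIGURED = [
    ClientPolicy("Client-A", "roadwarrior-a", "any", "192.168.10.0/24"),
    ClientPolicy("Client-B", "homeoffice-b", "any", "192.168.10.0/24"),
]
# Same policies with one discrete virtual-adapter address per client.
WITH_DISCRETE_SELECTORS = [
    ClientPolicy("Client-A", "roadwarrior-a", "10.20.0.1/32", "192.168.10.0/24"),
    ClientPolicy("Client-B", "homeoffice-b", "10.20.0.2/32", "192.168.10.0/24"),
]

if __name__ == "__main__":
    for label, pols in (("as configured", AS_CONFIGURED), ("discrete", WITH_DISCRETE_SELECTORS)):
        print(label, find_conflicts(pols))
    print("pool headroom", mode_config_headroom("10.20.0.0/29", len(WITH_DISCRETE_SELECTORS)))
```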
