VPN Client & Concentrator 3000 DHCP Renewal Problem

Mar 25th, 2008

I have a strange problem when using the VPN Client over a WLAN. A customer runs a public WLAN and allows its users to establish connections with the VPN Client to a 3000 series concentrator. The customer is a university and has a lot of mobile device movement joining and leaving the infrastructure throughout the day. This is why he limited the DHCP lease time (of the WLAN subnet over which the VPN runs) to a short five minutes.

Now the scenario:

The WLAN and VPN connection processes finish successfully and data can be exchanged. Now at half of the DHCP lease time (2.5 mins), the NIC attempts to renew its DHCP lease, according to the DHCP standard. This will fail in the sense that the client doesn't send out any DHCPREQUEST at all (not even encrypted through the tunnel). Half a minute before the actual lease expiry time Windows makes another attempt to renew the address (clear text on the WLAN NIC), will even get an ACK (can be sniffed with another machine using Wireshark over WLAN), yet the client won't process the answer (no sniffer output on the affected client). In the process, the VPN connection fails upon DHCP lease expiry. After the VPN client has disconnected, IP address renewal will succeed.

In general, if the VPN client is not in use, the process of the DHCP renewal works without problems.

I've tried different split tunneling settings, including "tunnel all" to "tunnel all except local LAN".

See the attachment for a sniffer output of the additional machine sniffing the WLAN media during a DHCP renewal failure.

Does anybody know the root of this problem? Any help is greatly appreciated!
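
To check a second-machine capture like the one described above for the two symptoms (no DHCPREQUEST at the renewal time, a request/ACK pair only shortly before expiry), here is an added example that is not part of the original thread. It assumes the RFC 2131 default timers (T1 at 50% and T2 at 87.5% of the lease) rather than server-supplied values; the function names and the sample packets are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
REQUEST, ACK = 3, 5                    # option 53 message types (RFC 2132)

def parse_dhcp(payload):
    """Return (xid, message type, lease seconds or None) for a DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    mtype = lease = None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:                          # truncated option: stop parsing
            break
        if code == 53 and length == 1:                   # DHCP message type
            mtype = value[0]
        elif code == 51 and length == 4:                 # IP address lease time
            lease = struct.unpack("!I", value)[0]
        i += 2 + length
    return xid, mtype, lease

def renewal_report(packets):
    """packets: (seconds, payload) pairs in capture order, containing at least one ACK
    with a lease time. Request offsets are relative to that first ACK."""
    parsed = [(ts, p) for ts, p in ((ts, parse_dhcp(raw)) for ts, raw in packets) if p]
    start, lease = next((ts, p[2]) for ts, p in parsed if p[1] == ACK and p[2])
    acked = {p[0] for ts, p in parsed if p[1] == ACK and ts > start}
    requests = [(ts - start, p[0] in acked) for ts, p in parsed if p[1] == REQUEST and ts > start]
    t1, t2 = 0.5 * lease, 0.875 * lease                  # assumed RFC 2131 default timers
    return {"lease": lease, "t1": t1, "t2": t2, "requests": requests,
            "renew_seen": any(t1 <= off < t2 for off, _ in requests)}

def build(mtype, xid, lease=None):
    """Construct a minimal DHCP payload for the sample capture below."""
    opts = bytes([53, 1, mtype]) + (bytes([51, 4]) + struct.pack("!I", lease) if lease else b"")
    op = 1 if mtype == REQUEST else 2                    # BOOTREQUEST / BOOTREPLY
    return struct.pack("!BBBBI", op, 1, 6, 0, xid) + bytes(228) + MAGIC + opts + b"\xff"

# Constructed capture: initial ACK, nothing on the wire at T1, REQUEST/ACK pair after T2.
SAMPLE = [(10.0, build(ACK, 0x1111, 300)), (273.0, build(REQUEST, 0x2222)), (273.1, build(ACK, 0x2222, 300))]

if __name__ == "__main__":
    print(renewal_report(SAMPLE))
```

A report with `renew_seen` false and an answered request after T2 matches the behaviour described in the post: the server side is responding, so the fault lies in what the client sends and accepts while the tunnel is up.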



johnd2310 Wed, 03/26/2008 - 04:16

Hi Toni,

You could be having routing issues.

1) Have you had a look at the routing table on the client? Does it look okay?

2) Check for routing issues on the VPN concentrator. You might have to add a static route on the concentrator to tell it that the wireless subnet is on the outside.



tgrundbacher Wed, 03/26/2008 - 09:39

Hi John

Thanks for your post. Can't verify the routing table right now...but there are no problems with Windows Vista, Mac and Unix clients. Do you think Windows XP needs a special configuration on the concentrator?


johnd2310 Wed, 03/26/2008 - 13:33

Hi Toni,

I guess it is a Windows XP issue but I am not aware of any special config for XP.

Check the routing on the XP and also check that the concentrator is not pushing a firewall policy to the XP machines.



