We have recently installed an RV082 to allow us to use both our ADSL connections. VPN connections to our windows server, behind the RV082, now drop after a few minutes and then cant be reconnected until the VPN session on the server times out. This worked fine before the RV082 was in place - does anyone know what I can change on the RV082 to fix this?
Port 1723 is forwarded to the server
The routers PPTP is not enabled
Ive tried reducing the MTU from 1500 down as low as 1350 but this hasnt helped.
A couple of qualifying questions, How do have the RV082 setup for WAN connectivity (Dual wan-load Balance of Smart link backup). What firmware are you currently running on the RV082 and do you have PPTP pass through checked in the router..
PPTP Passthu is enabled - before we configured the vpn tunnels today we needed this but I can conceivably disable this now without too much pain.
The router is set up for load balancing and the firmware is the latest downloadable from cisco (I upgraded it beofre setting up the router). - sorry Im not in the office now so cant give you the exact version but its the only one available when you go to the downloads section.
Which flavor PPTP server and client are you using?
To pin-point the issue, could you try using smartlink backup instead of load balancing on RV082 and see if you run into the same problem?
Hi its a windows server 2008 and were connecting using the standard MS pptp vpn connection. I'll try with load balancing turned off although this will defeat the whole point of us buying the rv082.
One other thing which may or may not be significant - when the connection drops it looks like packets on port 1723 from the windows server to my ip address are bing dropped with "Connection Refused - Policy Viloation" in the system log.
OK - Ive got the router set in Smartlink mode and just had a vpn session open and using remote desktop to a mahcine for 30 mins without a dropout. It looks like in load balancing mode its refusing some vpn packets and that drops the connection. Any idea what I can do to get around this as I bought the router specifically for load balancing but its not much use to use if we cant use our vpn connections.
You are probably coming into the RV082 via a single Global IP address, but returned packets were probably round robined between WAN1 and WAN2 ports. So your client is seeing returned packets coming from two Global IP sources. Your client would be getting half the packets from a different Global IP address.
For grins and giggles (worth a try), see if you can use the bandwidth management tab to link PPTP egress to WAN1 only. I have loaned my RV082 out, so i can't check that option.
If you can do policy routing of PPTP traffic, You may then be able to enable and run load sharing on the WAN ports again.
I did try this over the weekend and it didnt appear to help. Only switching to smartlink seems to help which defeats the main object of having the rv082. Do you have any ideas of what else might work?
Binding all traffic from Windows PPTP Server in the LAN to the PPTP clients with WAN1 may work around your problem for the time being - see attached.
BTW, how many NIC cards does your Windows 2008 server has? Could you provide a network topology and perhaps send us the configuration file of your RV082 so we can look into the issue further?
OK - I had already bound pptp to one port. I can only bind all traffic to the clients VPN IP address not their source address but I will give this a go. I'm happy to send a config file if theres a way I can edit it to remove vpn passwords - is there a way to edit the files?
Our topology is as follows -
2 ADSL lines - one with single static IP address, one with 5 static IPs (one of which is assigned to WAN1 of the RV082)
We use BT (2 wire 2700) routers. The way the static IP addresses work on the router firmware is that the WAN ports are set up with dhcp and the 2700s route the public static ips to the WAN ports of the RV082 as a DMZ i.e. no NAT and no firewall.
The windows 2008 server (PPTP VPN server) is directly attached to a LAN port of the RV082. It has 2 NICs installed but we only use one. All PPTP traffic is bound to WAN2 from the servers IP address to all IP addresses. VPN in is only instigated on the WAN2 IP address i.e. in and out PPTP is initiated and bound to the same port.
When the router is in load balance mode under this conifg, the VPN drops after anywhere from 5 to 30 minutes and its then difficult to reestablish - the server end doesnt seem to timeout properly for some reason. With the router in smartlink mode, the vpn is much more stable (I had a connection yeterday for 2 hours). If it drops we're able to reconnect within minutes.
By the way I noticed that when you switch the router from smartlink to load balance it doesnt automatically renew the IP address on what was the backup port - you have to renew it manually - I assume this is a bug.
I will try binding all traffic to the assigned vpn ip address subnet to the VPN WAN port and let you know how this goes.
Thanks for all of your help with this issue.
I configured the binding all protocols to one port - I though this had fixed it - it certainly seemed better (it lasted 50 minutes before disconnecting last night) but this morning its back to disconnecting every 5 minutes or less. I will go back to smartlink mode for now - please let me know if theres a way to edit the passwords out of my config file so I can send that to you for any further advice as suggested.
If you are concerned with the VPN passwords, you can always change them before you export the config file. So far we are not able to duplicate the issue you described. Would you please confirm the attached network topology is what you have?
Thanks - the topology is correct. Im out of the office at the moment and will be for another week or so so cant mod the config to send to you hust yet. This morning I logged into the vpn server and was disconnected almost immeidately.I managed to take a look at the log by logging in via a remote site - it seems the initial request is accepted and then the same requests on the same ports are rejected - this is whats disrupting the vpn connection. (the www.xxx.yyy.zzz ip address in the log below is my home ip address where I was connecting from. I dont know if this points to the problem or not. I will send the config file as soon as Im back in the office.
Aug 20 08:08:21 2009 Connection Accepted TCP www.xxx.yy.zzz:52920->192.168.2.1:1723 on ixp2
Aug 20 08:08:22 2009 Connection Accepted GRE www.xxx.yy.zzz ->192.168.2.1 on ixp2
Aug 20 08:08:31 2009 System Log 192.168.2.182 access
Aug 20 08:09:55 2009 Connection Refused - Policy violation TCP www.xxx.yy.zzz:52920->192.168.2.1:1723 on ixp2
Aug 20 08:09:57 2009 Connection Accepted TCP www.xxx.yy.zzz:53119->192.168.2.1:1723 on ixp2
Aug 20 08:10:13 2009 Connection Refused - Policy violation TCP www.xxx.yy.zzz:52920->192.168.2.1:1723 on ixp2
I'm back in the office now and decided to take settings out one by one to see what happened. I removed all access rules for pptp and gre (leaving only the port forwarding for pptp active) and low and behold it now works fine. This is despite many forum entries stating the access rules needed to be added for PPTP behind the router to work. Thought I'd post my findings incase anyone else has the same problems.
Thanks all for your input on this issue.
Glad to know that the issue is resolved. Would you mind sharing with us what kind of Access Rule could cause this PPTP dropping issue?
as well as the application forwarding for pptp to our vpn server, I had enabled PPTP and GRE access in on both wan connections (as this was recommneded in the forum). It could have just been a coincidence but when I deleted all forwarding and access rules and then rebooted and only renabled the pptp application forwarding it started behaving normally.
I have had the same issue when load balancing on the RV082. If my client works continuously on on the application she is connected to, all is well. But if she walks away for a few minutes, she gets disconnected by the host. The VPN connection is solid if I switch to smart backup. I'll give your solution a shot and let the community know whether it works for me.