WRVS4400N unable to handle simultaneous QuickVPN connections

abrar
Level 1

Hello,

We have been unable to simultaneously login more than one user (client) with QuickVPN from the same remote location (behind the same remote router).

We require 3 users to remotely login using QuickVPN from a remote location.

We can successfully login any single user/client via QuickVPN connection but if a second is added it either hangs at verifying address or will connect but the initial connection is dropped.  Note that each client has a unique username.

The router also has a 'direct' IPSEC connection to another router that remains up during this time.

Firmware version is V2.0.0.8

VPN passthrough is enabled for all routers:

IPsec PassThrough

PPTP PassThrough

L2TP PassThrough

Remote location is basic router with same VPN passthrough settings.

Expected with NAT traversal more than one user could connect behind a router.  Any advice or help is most appreciated.

I don't think we have a bandwidth issue as both locations have Cable.

Tested bandwidth for router location is 17310 Kb/s  down and 3553 Kb/s up

Tested bandwidth for client location is 19068 Kb/s down and 1702 Kb/s up

Clients can connect from different locations but not from behind the same router/NAT.

OS of clients are Windows 7

Thanks,

-Amrik

13 Replies

mpyhala
Level 7

Hi Amrik,

Thank you for posting. You are correct, you should be able to have multiple simultaneous QuickVPN connections from the same location. This issue is sometimes related to a bandwidth shortage somewhere between the router and the client. I have a few questions that might help figure this out:

  1. What type of internet connections do you have at the router and client? (Cable, DSL, T1)
  2. How much bandwidth do these connections have? (Tested, not advertised)
  3. Can you connect another client from a different location while one is connected already?

Hello mpyhala,

I don't think we have a bandwidth issue as both locations have Cable.

Tested bandwidth for router location is 17310 Kb/s  down and 3553 Kb/s up

Tested bandwidth for client location is 19068 Kb/s down and 1702 Kb/s up

Clients can connect from different locations but not from behind the same router/NAT.

Router models at client locations vary but two examples are:

1)  Linksys  E3000

2)  DDWRT firmware

Te-Kai Liu
Level 7

The issue could be caused by the NAT device in front of the QuickVPN clients. What's the model number of the NAT device you have? In such a case, disabling IPSec Passthrough on the NAT sometimes can work around the issue as WRVS4400N does support NAT-T for IPsec.

BTW, what's the OS the QuickVPN clients run on?

Hello tekliu,

The routers/NAT the clients are connecting from vary.  Two I am currently testing are:

Linksys E3000

DD-WRT firmware

Clients are running Windows 7 and Windows 7 sp1

We have previously noticed that when we disable NAT passthrough we find QuickVPN client tends to hang at "Verifying Network".

Thanks,

Amrik

rmanthey
Level 4

The symptoms you are showing resemble only having one user profile created. With our QuickVPN, for multiple users each user needs a unique name. Also verify in the router that the user sessions are disconnecting properly. The session will sometimes hang if the router doesn't see the disconnect from the client.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Hi Randy,

I think you have identified the problem, thanks.  Each client does have a unique username created on the router and used to login via QuickVPN client.  However within the QuickVPN client software found on each machine we have named the Profiles the same. 

This was done because there are actually three different locations that have a WRVS4400n that clients connect to.  Also several laptops go home with different individuals.  So needed a consistent naming convention for the three Profiles so users could easily connect to the desired resource.  Did not realize Profile name alone was used to identify a "connection" by the router.  Just thought a hash of the Profile name plus the username would be used to ensure a unique identifier.

Will test this later today and let you know. 

Thanks,

Amrik

Hi Randy,

I changed the names of the profiles and still have the same problem.  This problem exists on 3 different WRVS4400n.

This is really frustrating.  Any suggestions?

If you could try replacing the NAT device at a remote location with another WRVS4400N, I bet you will not see a problem to support 3 QuickVPN clients (Win7 and XP).

Thanks but unfortunately this does not resolve the problem.  I do not have control over what router may exist at an outside location.  If I did I could install another WRVS4400n and setup a router to router tunnel which seems to work fine.

Are all the users logging in with the same user name and password?

for example, if you have user1,

Bob, Mary, and Jo can't all log in with user1 as the username. Each user needs their own username and password.

Have you checked the router to see if the QVPN session for that user is still connected when they are having issues?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Yes as mentioned above each user/client has a unique login and password for the VPN which was created on the router.

State of each connection is correct prior to second user attempting to connect behind same router/NAT.  Users who are not connected appear disconnected on the router.  User who is connected appears connected on router.

After second user attempts connection either they can not connect or they do connect but knock the other user off.  The user who is knocked off does not have correct state listed on router so must login to router to manually disconnect them to ensure they can connect later.

I see this issue on three different WRVS4400n all running same firmware of 2.0.0.8

I see there is a newer firmware available that I will install at one location and hope this resolves the problem.

If that fails only thing left I can think of is to recreate all users and regenerate pem files to be distributed.

Will post how next two steps go.

Thanks,

Amrik

Hello Amrik,

I tested this issue that you are having with our WRVS4400n V2, on firmware version 2.0.0.8, in our lab.

The QuickVPN, although, was not set up exactly the way that you may be operating. Just the router connected to a T1 running DHCP. I reset the device back to its default stage. I created 4 users, Kobe, Wade, Lebron, and test2011, all using the same password for my convenience. Generated a certificate for each user. Was able to get all four users online using different OSes, Windows XP, Windows 7, and Vista, all 64 bit. With Windows 7 machines you need to have the firewall on and the machine needs to be in compatibility mode for Windows XP Service Pack 3. If not, this could cause connection problems. Make sure the users are all utilizing the latest QVPN Client that we have available, which is QVPN version 1.4.1.2. If this doesn't work you need to call into our office so that we can test the connection from our lab.

Technical Support for this device is 24 hrs seven days  a week.

Our number is 1-866-606-1866 if calling from within the United States.

Fredrick A Wofford

Network Support Engineer

Cisco Small Business Support

Hi Fredrick,

Thanks for your reply.  After reading your response I thought maybe running in Windows XP SP3 compatibility may solve my problem as I have been running it as a native application.  Oddly, if I run in Windows XP SP3 compatibility mode I am unable to make any connection while going through router/NAT where client is located. Simply hangs at "Verifying Network".  Tried with and without Windows Firewall enabled and could not connect.

Please note most recent tests were made with Windows 7 SP1 on the client machines (all I have available right now). 

So far to get a client running Windows 7 SP1 to connect to WRVS4400n V2 (firmware 2.0.0.8) using QuickVPN from behind a router/NAT device requires:

  1. User needs to have Administrative privileges (have not tested if can simply run as Administrator)
  2. Windows Firewall has to be enabled
  3. Under Services make sure IPsec Policy Agent starts automatically
  4. No Compatibility mode used

Problem seems to have something to do with traversing the NAT device.

I will contact Technical Support as I have been unable to get this to work with the changes suggested.

Thanks,

Amrik
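The four client-side conditions listed in the last post can be checked on a Windows 7 machine before launching QuickVPN. The read-only Windows PowerShell script below is an added example, not part of the original thread and not a Cisco tool; the executable path is a placeholder because the thread does not give one, and treating any disabled firewall profile as a failure is an assumption of this example.

```powershell
# Added example: checks the client-side conditions listed in the post above.
# Written for Windows PowerShell 2.0+ (ships with Windows 7); changes nothing.
param(
    # Placeholder: the thread does not give the QuickVPN install path.
    [string]$QuickVpnExe = 'C:\PLACEHOLDER\QuickVPN-client.exe'
)

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-FirewallEnabled {
    # MpsSvc is the Windows Firewall service; each profile key holds an
    # EnableFirewall DWORD. Group Policy can override these local values.
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($name in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = Get-Item -Path "$base\$name" -ErrorAction SilentlyContinue
        if (-not $key -or $key.GetValue('EnableFirewall') -ne 1) { return $false }
    }
    return $true
}

function Test-PolicyAgentAutomatic {
    # PolicyAgent is the service name behind "IPsec Policy Agent".
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='PolicyAgent'"
    [bool]($svc -and $svc.StartMode -eq 'Auto')
}

function Test-NoCompatibilityLayer {
    # Compatibility modes are stored as values named after the full exe path.
    $sub = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Get-Item -Path "$hive\$sub" -ErrorAction SilentlyContinue
        if ($key -and $key.GetValue($QuickVpnExe)) { return $false }
    }
    return $true
}

$results = @{
    'Running with administrative privileges'  = Test-IsAdmin
    'Windows Firewall enabled (all profiles)' = Test-FirewallEnabled
    'IPsec Policy Agent start type Automatic' = Test-PolicyAgentAutomatic
    'No compatibility mode set on client exe' = Test-NoCompatibilityLayer
}
foreach ($check in $results.Keys) {
    $status = if ($results[$check]) { 'OK  ' } else { 'FAIL' }
    Write-Output "$status  $check"
}
```

Run it from the account that will start the client, passing the real path with `-QuickVpnExe`; the administrator check reflects the current PowerShell session, so a non-elevated prompt reports FAIL even for an administrator account.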