RE: S2S VPN: why is a new QM SA negotiated every 5 minutes ?
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 13.Jul.2006 1:25:46 AM
murpy
Posts: 43
Joined: 4.Mar.2006
I have installed a fresh copy of Windows Small Business Server 2003 (with Small Business Server Service Pack 1 integrated in the media) and I don't see the SAIdleTime registry key. I have the IPsec tunnel up, but if it drops out it can only be reconnected from the server. I have set my phase 2 time to be 3600 in ISA Server and SonicWall, but I was curious about the registry key?
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 13.Jul.2006 10:24:23 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi murpy, if the SAIdleTime regkey doesn't exist, you'll have to create it! HTH, Stefaan
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 14.Jul.2006 12:22:00 AM
murpy
Posts: 43
Joined: 4.Mar.2006
OK, but do you know when it would be created? I have a very well documented procedure for getting a SonicWall TZ150 and an ISA server with an edge router (SBS 2003 SP1) communicating with IPsec, but when the connection is dropped for any reason only the server can renegotiate the connection. Note this is with no SAIdleTime configured. I am also not using PFS (perfect forward secrecy). It looks like a recent update included a new ipsec.sys that is more than what was described in this thread, so I was thinking that that should have been included, but apparently not.
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 14.Jul.2006 11:42:22 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi murpy, the 'SAIdleTime' regkey is only needed as a mitigating factor or temporary workaround until the fixed 'ipsec.sys' is released. Once the fixed 'ipsec.sys' is released the 'SAIdleTime' regkey isn't *required* anymore because the default value of 300 sec should be OK in most environments. HTH, Stefaan
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 8.Sep.2006 11:14:57 PM
murpy
Posts: 43
Joined: 4.Mar.2006
I just yesterday found one problem with my setup with the aid of Microsoft PSS. Essentially, when using ISA Server with Small Business Server 2003 (SP1) you need to add an entry on the remote-side VPN that describes the WAN side of the network on the ISA server side of things. The trick is to specify the IP address of the WAN interface with a subnet mask of 255.255.255.255. I hope to blog on my findings in a day or so. I will read your response now.
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 8.Sep.2006 11:44:49 PM
murpy
Posts: 43
Joined: 4.Mar.2006
Wow, that's interesting. My current configuration is: LANA - SonicWall TZ150 - Internet - EDGEROUTER - ISASERVER - LANB. Things seem to be working pretty well for me after the SAIdleTime reg hack and the introduction of a network entry for the WAN side of ISA in the SonicWall with the special subnet mask. I do have two minor issues that I am still wading through, and I think you touched on one of them earlier in this post:

1) Pings from ISA to anything on LANA, or from a client on LANA to anything behind ISA, will periodically time out (say 3 per hour, but it is somewhat random). (I have a script that attempts a ping every three seconds from both sides and logs an error in a file if there is an error.)

2) If the ISA server reboots, the VPN tunnel has a hard time coming back up. I usually need to reboot the SonicWall.

Is 1) above normal behaviour? I understand that for TCP-based apps that won't matter because of retry, but UDP?
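As an added illustration (not code from the thread or from any of the posters), one way to use the kind of 3-second ping log described above to tell a timer-driven drop from random loss: if outage start times fall at whole multiples of the 300 s default SA idle time, the periodic QM SA renegotiation is the likely cause. The log format, timestamps and address are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the thread): one line per failed probe,
# in the style of a monitor that pings the far side every 3 seconds.
SAMPLE_LOG = """\
2006-09-08 22:05:01 ERROR ping 192.168.1.10 timed out
2006-09-08 22:05:04 ERROR ping 192.168.1.10 timed out
2006-09-08 22:10:02 ERROR ping 192.168.1.10 timed out
2006-09-08 22:15:01 ERROR ping 192.168.1.10 timed out
2006-09-08 22:20:04 ERROR ping 192.168.1.10 timed out
2006-09-08 22:23:37 ERROR ping 192.168.1.10 timed out
"""

def parse_timeouts(log_text):
    """Timestamps of every ERROR line, in the order they appear."""
    return [datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            for line in log_text.splitlines() if " ERROR " in line]

def group_outages(stamps, merge_gap=timedelta(seconds=10)):
    """Collapse back-to-back failed probes into one outage; return start times."""
    starts, last = [], None
    for t in sorted(stamps):
        if last is None or t - last > merge_gap:
            starts.append(t)
        last = t
    return starts

def periodic_fraction(starts, period_s=300, tolerance_s=10):
    """Share of outage-to-outage gaps that sit within tolerance_s of a whole
    multiple of period_s. Close to 1.0 means a timer is firing (e.g. the
    300 s default SA idle time); close to 0.0 means random loss."""
    if len(starts) < 2:
        return 0.0
    hits = 0
    for a, b in zip(starts, starts[1:]):
        gap = (b - a).total_seconds()
        off = gap % period_s
        if min(off, period_s - off) <= tolerance_s:
            hits += 1
    return hits / (len(starts) - 1)

if __name__ == "__main__":
    outages = group_outages(parse_timeouts(SAMPLE_LOG))
    share = periodic_fraction(outages)
    print(f"{len(outages)} outages, {share:.0%} on the 300 s timer")
```

Run the same check with `period_s=3600` to rule the phase 2 lifetime in or out as the trigger.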
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 19.Oct.2006 4:45:21 PM
cristi
Posts: 1
Joined: 19.Oct.2006
It looks like there is a FIX article about it: http://support.microsoft.com/kb/923339/en-us. Basically it's a patch for Windows 2003 SP1, or wait until SP2.
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 25.Oct.2006 7:28:22 PM
johnno
Posts: 1
Joined: 25.Oct.2006
All, I battled a SonicWall TZ170 and ISA 2004 dropping out the VPN randomly. I followed the posts in this thread, and finally contacted MS and applied the MS hotfix http://support.microsoft.com/kb/923339/en-us. It fixed my issues. Thanks to those in this thread for all your efforts; I felt I should also let others know it will fix VPN dropouts with a SonicWall TZ170. I was trying to keep terminal server sessions open, and they would just disappear. The link would drop only for maybe 2 minutes, and come back up no worries. Good luck and thanks again for all the info. Johnno
RE: S2S VPN: why is a new QM SA negotiated every 5 minu... - 26.Oct.2006 2:28:59 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Johnno, good to hear that http://support.microsoft.com/kb/923339/en-us fixes your VPN issue too! Thanks, Stefaan