Phase 1 parameters: Pre Shared Key, Triple DES, SHA-1, 300 sec, Diffie-Hellman Group 2, i.e. same as you.

Both Win98se and Win NT4 clients are set up the same way. I am about to upgrade the Win98SE client to Windows 2000 - will let you know in a couple of days whether that has the big "hiccup" or not.

The firewalls we talk to are GB-1000, currently V3.2.1 and V3.2.2 - but the "hiccup" performance appears to be the same for both.

I'm pinging a V3.2.2 site from my w98se client as I write this. The usual ping time is 57mS - but perhaps 20% of the time it is longer - several hundred mS, and occasionally it times out (over 1 sec) - probably because the site is fairly busy. However it is clear watching the VPN log viewer that the excessive ping times do not occur at either Phase 1 or Phase 2 renegotiation points. It's not evident that the key renegotiations incur any delay - at least, not on the basis of the current 15 minute snapshot of traffic.

My colleague Andy will no doubt confirm that the significant "hiccups" seen on a NT4 client do occur at the same time as the key renegotiation - if he's listening ...

Regards,

--
Graham Jones
Linnet Solutions Ltd.
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
01953 717605 or 077 74 894200

> -----Original Message-----
> From: Brian Fort (Mushkin) [mailto:[EMAIL PROTECTED]]
> Sent: 16 January 2002 07:19
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [gb-users] SA renewal causes Win2K Terminal Client disconnection
>
> I set the SA life parameter under "Authentication (Phase 1) Proposal 1" to 537 seconds, and the SA life parameter under "Key Exchange (Phase II) Proposal 1" to 600 seconds and I'm still encountering the same problem. However, I can at least now tell that the SA renewal for the Authentication Phase is taking 19-24 seconds. The Key Exchange Phase took one second at most but usually wasn't noticeable.
>
> So this problem apparently has to do with the Authentication Phase. I'm using 3DES encryption, Diffie-Hellman Group 2, and hmac-sha1. Would changing any of these parameters possibly help? Graham, what Phase I parameters do you have for that Win98 computer that only has 3-4 second "hiccups"?
>
> Also, I'm using GNATBox Flash 3.2.2 and I'm having this problem on both Windows 98 and Win2K Pro (Only OS's I've tried the client on).
>
> Thanks,
> Brian
>
> -----Original Message-----
> From: Graham Jones [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 14, 2002 9:09 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] SA renewal causes Win2K Terminal Client disconnection
>
> What platform are you running the mobile VPN client on?
>
> With the firewall running version 3.2.1 and a Windows 98SE running the client, we found that the VPN connection "hiccups" for two or three seconds every ten minutes or so, but with a Windows NT4 machine running the client the "hiccup" lasts a minute or more - again occurring every 10 minutes or so. In the latter case a terminal services session will die and have to be restarted.
>
> With Firewall version 3.2.0 both client platforms suffered the more extensive hiccup.
>
> There is a recommendation to have different values for the SA life parameter in the authentication and key exchange proposals - e.g. 123 and 300 seconds.
>
> If you ping -t <target ip behind firewall> from a DOS window you can see the delays.
>
> Regards,
>
> --
> Graham Jones
> Linnet Solutions Ltd.
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> 01953 717605 or
> 077 74 894200
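An added example, not from anyone in this thread, of the diagnostic the thread relies on: take `ping -t` output, pick out the RTT spikes and timeouts, and check whether they fall just after a multiple of the Phase 1 SA lifetime (here Brian's 537 s) or are unrelated, like the busy-site delays Graham sees. The capture lines and per-line timestamps are constructed; Windows ping prints no timestamps, so a capture wrapper that adds them is assumed.

```python
import re

# Constructed capture: (seconds since start, raw Windows `ping -t` line).
# Sparse on purpose (not one line per second) to keep the sample short.
CAPTURE = [
    (0,    "Reply from 10.0.0.5: bytes=32 time=57ms TTL=126"),
    (120,  "Reply from 10.0.0.5: bytes=32 time=58ms TTL=126"),
    (300,  "Reply from 10.0.0.5: bytes=32 time=412ms TTL=126"),   # busy site, no rekey
    (420,  "Reply from 10.0.0.5: bytes=32 time=56ms TTL=126"),
    (538,  "Request timed out."),                                  # 1st Phase 1 rekey
    (545,  "Request timed out."),
    (552,  "Reply from 10.0.0.5: bytes=32 time=1843ms TTL=126"),
    (700,  "Reply from 10.0.0.5: bytes=32 time=57ms TTL=126"),
    (1075, "Request timed out."),                                  # 2nd Phase 1 rekey
    (1090, "Reply from 10.0.0.5: bytes=32 time=903ms TTL=126"),
    (1200, "Reply from 10.0.0.5: bytes=32 time=57ms TTL=126"),
]

RTT_RE = re.compile(r"time[=<](\d+)ms")   # matches "time=57ms" and "time<1ms"

def parse_ping(capture):
    """Return a list of (t, rtt_ms); a timeout is recorded as None."""
    out = []
    for t, line in capture:
        m = RTT_RE.search(line)
        out.append((t, int(m.group(1)) if m else None))
    return out

def find_spikes(samples, factor=5):
    """Times whose RTT is a timeout or more than `factor` x the median good RTT."""
    good = sorted(r for _, r in samples if r is not None)
    base = good[len(good) // 2]
    return [t for t, r in samples if r is None or r > factor * base]

def rekey_aligned(spike_times, lifetime, window=30):
    """Split spikes into those within `window` s after an SA lifetime boundary
    (t mod lifetime < window) and those a rekey cannot explain."""
    aligned = [t for t in spike_times if t % lifetime < window]
    other = [t for t in spike_times if t % lifetime >= window]
    return aligned, other

if __name__ == "__main__":
    spikes = find_spikes(parse_ping(CAPTURE))
    aligned, other = rekey_aligned(spikes, lifetime=537)
    print("spikes aligned with a 537 s Phase 1 lifetime:", aligned)
    print("spikes not explained by rekeying:", other)
```

Run the same data with `lifetime=600` (the Phase 2 value) to see the spikes stop lining up, which is how you separate an Authentication Phase problem from a Key Exchange one.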
