Some Remote Access users are not able to connect to large Remote Access VPN Communities
Symptoms
  • Intermittent VPN traffic outages and Remote Access connectivity issues on the Security Gateway:

    • Some Remote Access VPN clients are not able to connect.
    • Some Remote Access VPN clients might be disconnected seconds after they connect.
    • Traffic might stop passing over Site-to-Site VPN.
  • Output of the "top" command / "ps auxw" command on the Security Gateway during the issue shows that the VPND daemon consumes a high level of CPU.

  • VPND daemon might crash:

    • Output of "dmesg" command on Security Gateway might show:
      vpnd[PID]: segfault at ... rip ... rsp ... error ...

    • Output of "grep core /var/log/messages.*" command on Security Gateway might show:
      Date Time HostName kernel: do_coredump: argv_arr[1] = /var/log/dump/usermode/vpnd.<PID>.core
  • /var/log/dump/usermode/ directory might contain core dump files for 'VPND' process (see sk92764 / sk53363).

  • Debug of VPND daemon per sk89940 shows that VPND daemon was restarted in the middle of MEP Topology calculations.

    Example excerpt from vpnd.elg:
    ... ... ...
    [vpnd PID_1 ...]@HostName[Date Time] getAllowedRanges: entering
    [vpnd PID_1 ...]@HostName[Date Time] ConvertSetToVectorInterfaces: addr (1): X.X.X.X is external: false 
    [vpnd PID_1 ...]@HostName[Date Time] ConvertSetToVectorInterfaces: returnedAddress (...),(X.X.X.X)
    [vpnd PID_1 ...]@HostName[Date Time] getAllowedRanges: entering
    [vpnd PID_1 ...]@HostName[Date Time] ConvertSetToVectorInterfaces: addr (2): Y.Y.Y.Y, is external: true 
    [vpnd PID_1 ...]@HostName[Date Time] ConvertSetToVectorInterfaces: returnedAddress (...),(Y.Y.Y.Y)
    ... ... ...
    [vpnd PID_1 ...]@HostName[Date Time] getAllowedRanges: entering
    [vpnd PID_1 ...]@HostName[Date Time] ConvertSetToVectorInterfaces: addr (6): Z.Z.Z.Z, is external: true 
    [vpnd PID_1 ...]@HostName[Date Time] ConvertSetToVectorInterfaces: returnedAddress (...),(Z.Z.Z.Z)
    [vpnd PID_2 ...]@HostName[Date Time] vpnd: DDD MM DD HH:MM:SS YYY
    [vpnd PID_2 ...]@HostName[Date Time] ------------ VPND Starting: DDD MM DD HH:MM:SS YYY
    ... ... ...
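
The restart pattern in the excerpt above (topology-calculation lines from one PID, then a "VPND Starting" banner from a new PID) can be checked for mechanically. The following Python is an added example, not Check Point code; it assumes the line layout shown in the excerpt, and the PIDs, thread IDs, host name, address and timestamps in SAMPLE are constructed.

```python
import re

# Layout taken from the vpnd.elg excerpt: [vpnd PID ...]@HostName[Date Time] message
LINE_RE = re.compile(r"^\s*\[vpnd\s+(\d+)[^\]]*\]@([^\[\s]+)\[([^\]]*)\]\s*(.*)$")
# Function names that appear in the excerpt while topology is being calculated
TOPOLOGY_FUNCS = ("getAllowedRanges:", "ConvertSetToVectorInterfaces:")
START_MARKER = "VPND Starting"

# Constructed sample lines that follow the excerpt's layout (all values are made up)
SAMPLE = """\
[vpnd 4821 4076582560]@gw-a[12 Mar 10:15:01] getAllowedRanges: entering
[vpnd 4821 4076582560]@gw-a[12 Mar 10:15:01] ConvertSetToVectorInterfaces: addr (6): 192.0.2.10, is external: true
[vpnd 4821 4076582560]@gw-a[12 Mar 10:15:01] ConvertSetToVectorInterfaces: returnedAddress (...),(192.0.2.10)
[vpnd 9377 4076111520]@gw-a[12 Mar 10:15:04] vpnd: Tue Mar 12 10:15:04 2024
[vpnd 9377 4076111520]@gw-a[12 Mar 10:15:04] ------------ VPND Starting: Tue Mar 12 10:15:04 2024
[vpnd 9377 4076111520]@gw-a[12 Mar 10:15:05] (later output, constructed)
""".splitlines()


def find_vpnd_restarts(lines):
    """Return one dict per 'VPND Starting' banner written after a PID change."""
    restarts = []
    cur_pid, cur_last = None, ""
    pending = None  # (old PID, its last message) waiting for a start banner
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # elided ("... ... ...") or unrelated lines
        pid, host, stamp, msg = m.groups()
        if cur_pid is not None and pid != cur_pid:
            pending = (cur_pid, cur_last)  # remember what the old process did last
        if START_MARKER in msg and pending:
            old_pid, old_last = pending
            restarts.append({
                "host": host,
                "time": stamp,
                "old_pid": int(old_pid),
                "new_pid": int(pid),
                # True when the old process stopped inside topology calculation
                "mid_topology": old_last.startswith(TOPOLOGY_FUNCS),
            })
            pending = None
        cur_pid, cur_last = pid, msg
    return restarts


if __name__ == "__main__":
    for r in find_vpnd_restarts(SAMPLE):
        print(r)
```

A restart reported with mid_topology set to True matches the symptom described above; one with False points to a VPND restart that happened elsewhere.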
    
Cause

Checking whether this Security Gateway belongs to a VPN community is a costly operation that might create bottlenecks on the Security Gateway, such as:

  • VPND daemon consumes a high level of CPU.
  • VPND daemon crashes.

Eventually, the FWD daemon restarts the VPND daemon.

Most common scenarios where the above symptoms were observed:

  • Large number of non-contiguous networks in the VPN domain.
  • Multiple Remote Access users try to connect to Security Gateway.
  • Remote Access community contains multiple Security Gateways.
