Endpoint Connect client disconnects every 20 seconds after connecting successfully to VPN Gateway
Symptoms
  • Endpoint Connect client disconnects every 20 seconds after connecting successfully to VPN Gateway.

  • Endpoint Connect client's trac.log file shows (right-click - VPN Options - 'Advanced' tab - check 'Enable logging' - Close - replicate the issue - click 'Collect Logs'):

    [tunnel] IkeTunnel::CheckDGDTimeStamp: timeout reached. Scheduling tunnel test every 2000 ms until 20000.
    ......
    [tunnel] IkeTunnel::SendTunnelTestPkt: no reply from the gw. Sending tunnel test pakcet
    ......
    [tunnel] IkeTunnel::TunnelTestTimeout:Tunnel is disconnected !!!!

  • The following log is found in the vpnd.elg file:
    send_packet : could not send tunnel test packet, error = 101
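
To check collected logs for the pattern listed above, the following added example (not part of the original article or of any Check Point tool) groups trac.log lines into tunnel-test cycles and extracts the error code from vpnd.elg. The function names are hypothetical, and the sample input is constructed from the message text quoted on this page.

```python
import re

# Message fragments copied from the trac.log / vpnd.elg lines quoted on this page.
DGD_TIMEOUT = re.compile(r"IkeTunnel::CheckDGDTimeStamp: timeout reached")
NO_REPLY = re.compile(r"IkeTunnel::SendTunnelTestPkt: no reply from the gw")
DISCONNECT = re.compile(r"IkeTunnel::TunnelTestTimeout:\s*Tunnel is disconnected")
GW_SEND_ERR = re.compile(r"could not send tunnel test packet, error = (\d+)")

def tunnel_test_cycles(trac_lines):
    """Group trac.log lines into tunnel-test cycles (hypothetical helper).

    A cycle opens at a DGD timeout, counts unanswered probes, and is marked
    'disconnected' if the disconnect message follows, else 'no_disconnect'.
    """
    cycles, current = [], None
    for line in trac_lines:
        if DGD_TIMEOUT.search(line):
            if current:  # previous cycle never logged a disconnect
                cycles.append(current)
            current = {"probes": 0, "outcome": "no_disconnect"}
        elif current and NO_REPLY.search(line):
            current["probes"] += 1
        elif current and DISCONNECT.search(line):
            current["outcome"] = "disconnected"
            cycles.append(current)
            current = None
    if current:
        cycles.append(current)
    return cycles

def gateway_send_errors(vpnd_lines):
    """Return the numeric error codes of failed tunnel-test sends in vpnd.elg."""
    return [int(m.group(1)) for l in vpnd_lines if (m := GW_SEND_ERR.search(l))]

def matches_symptoms(trac_lines):
    """True when an unanswered tunnel test ended in a logged disconnect."""
    return any(c["outcome"] == "disconnected" and c["probes"] > 0
               for c in tunnel_test_cycles(trac_lines))

# Constructed sample input: message text from this page, line order invented.
SAMPLE_TRAC = """\
[tunnel] IkeTunnel::CheckDGDTimeStamp: timeout reached. Scheduling tunnel test every 2000 ms until 20000.
[tunnel] IkeTunnel::SendTunnelTestPkt: no reply from the gw. Sending tunnel test pakcet
[tunnel] IkeTunnel::SendTunnelTestPkt: no reply from the gw. Sending tunnel test pakcet
[tunnel] IkeTunnel::TunnelTestTimeout:Tunnel is disconnected !!!!
[tunnel] IkeTunnel::CheckDGDTimeStamp: timeout reached. Scheduling tunnel test every 2000 ms until 20000.
""".splitlines()
SAMPLE_VPND = ["send_packet : could not send tunnel test packet, error = 101"]

if __name__ == "__main__":
    print(tunnel_test_cycles(SAMPLE_TRAC))
    print(gateway_send_errors(SAMPLE_VPND), matches_symptoms(SAMPLE_TRAC))
```

The patterns are matched with search(), so any prefix the log puts in front of the message text does not affect the result.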

Cause

The Endpoint Connect client disconnects because it does not receive a reply from the VPN Gateway to its Tunnel Test packets.

Most probable causes:

  1. The Tunnel Test packets were not processed correctly on the VPN Gateway. The VPND daemon listens for Tunnel Test packets only on one specific interface: the first interface in the output of the 'fw ctl iflist' command. Therefore, if a Tunnel Test packet is received on another interface, it will not be answered.

  2. The Office Mode IP Pool is part of the VPN Encryption Domain (Office Mode assigns an IP address from one of the 'internal' networks behind the VPN Gateway). In this case:

      1. The client's Tunnel Test packets might be dropped by the VPN Gateway after decryption due to Anti-Spoofing.

         When a client connects, it begins sending Tunnel Test packets. After decryption, when the Office Mode IP address is visible, the Security Gateway performs an Anti-Spoofing check. Since the Office Mode IP address is an internal address and the packets are received on an external interface, the Tunnel Test packets are dropped. After 20 seconds without a Tunnel Test reply from the Security Gateway, there is a timeout, and the client disconnects.

      2. The VPN Gateway's reply packet might be routed through one of the internal interfaces.

  3. The Office Mode IP Pool is part of the VPN Encryption Domain (Office Mode assigns an IP address from one of the 'internal' networks behind the VPN Gateway) and 'Location Aware Connectivity' settings are configured for the Endpoint Connect client. In this case, the Endpoint Connect client might consider itself located on the internal network, and disconnect.

  4. The "Maximum concurrent tunnels" and/or "Maximum concurrent IKE negotiations" values are too low.

  5. Other reasons related to Anti-Spoofing, routing, rulebase, etc.

