[Simon]

This morning a colleague of mine came to my office and described a rather weird problem. He has a PB at home hooked up to an AP base station (white) and has recently started using VPN to connect to our lab from home. But the VPN connection gets interrupted roughly every 25 minutes. He then has to manually re-establish the connection. He said that if he then just plugged the PB into the base station's LAN port and turned off the PB's AirPort interface the VPN connection would work perfectly fine over Ethernet.

That didn't immediately ring a bell. I asked him a couple of simple things that came to mind. He claims he's installed the latest firmware on the base station. He's also updated the PB to 10.4.7. He didn't know of any interference issues (wireless phones, etc.), that is, he has never observed any Airport traffic interruptions other than with VPN connections.

On the base station he's using NAT since he only gets two IP addresses from his provider but wants to connect 3 Macs.

Do you guys have any ideas where this could be coming from?

[Simon]

Nobody?

[ghporter]

It could be that his broadband connection is getting interrupted every 25 minutes and the ethernet LAN handles this ok while wireless does not. What kind of broadband does he have?

[Simon]

It's a cable modem connection. I have the same cable provider and haven't noticed periodic interruptions.

[Moose]

Originally Posted by ghporter

It could be that his broadband connection is getting interrupted every 25 minutes and the ethernet LAN handles this ok while wireless does not.

It could also be solar flares....

Is it every 25 minutes on the button? Or just "about" every 25 minutes?

[ghporter]

Originally Posted by Simon

It's a cable modem connection. I have the same cable provider and haven't noticed periodic interruptions.

Cable shouldn't have any periodic interruptions-it's not uncommon for DSL to have them though. I want to hear Moose's question answered too: what is the timing for these drop outs?

I wonder if there's something about the DHCP address lease time involved here, which leads to another question: does your friend experience dropouts when surfing wirelessly WITHOUT the VPN?

[Simon]

Originally Posted by Moose

Is it every 25 minutes on the button? Or just "about" every 25 minutes?

Yeah, I should have made that more clear. It is roughly every 25 minutes.

[Simon]

Originally Posted by ghporter

I wonder if there's something about the DHCP address lease time involved here, which leads to another question: does your friend experience dropouts when surfing wirelessly WITHOUT the VPN?

He claims that he never experiences wireless dropouts otherwise.

He also says that VPN directly over the cable modem works, it just gets interrupted when the AP base station is in between and he's using AP to connect. I'm wondering if this is some kind of incompatibility between VPN and the AP base station...

[ghporter]

Double

I hate mysteries without enough clues to get going on-or when all the clues are negative, like now.

I can't think of how a VPN would be incompatible with the ABS-it's got to be a tunneling-like protocol of some kind. What VPN is it specifically?

[Simon]

Yeah, it's really not a "nice" problem.

It's a Cisco VPN client software. Normal Mac OS X installer. Doesn't mention any incompatibility with AP.

[ghporter]

The Cisco VPN is reputed to be quite compatible with everything. Very odd.

One thought: is your friend's Mac configured with a larger or smaller than normal MTU? If the Maximum Transmission Unit is too small it could cause problems through the wireless link. And if it's still set at the default 1500, that could goober up traffic too.

All tunneling protocols (including PPPoE) take a bite out of the data packet (the "transmission unit" by another name), so if your friend's machine is trying to put 1500 bytes through a tube that only can hold say 1400 due to tunneling wrapper data, the authentication of the packets could be completely lost. If he's trying to put 500 bytes through it could mess up the VPN's error management too.

[Moose]

Originally Posted by Simon

Yeah, I should have made that more clear. It is roughly every 25 minutes.

So he'll be actively sending data over the VPN connection and it will just drop? He's absolutely positive he's not hitting an idle timeout?

[Simon]

Originally Posted by ghporter

The Cisco VPN is reputed to be quite compatible with everything. Very odd.

Good to know. He thought it might be the client software, since it's not Apple's built-in VPN client. So that's probably not it.

One thought: is your friend's Mac configured with a larger or smaller than normal MTU? If the Maximum Transmission Unit is too small it could cause problems through the wireless link. And if it's still set at the default 1500, that could goober up traffic too.

I doubt he messed around with that, at least not deliberately. He's certainly not a 'power-user'. I can ask him. I don't know this Cisco VPN client (because I prefer to use remote ssh logins, port forwarding, etc. rather than VPN) - where would he change the MTU in the Cisco client?

[Simon]

Originally Posted by Moose

So he'll be actively sending data over the VPN connection and it will just drop? He's absolutely positive he's not hitting an idle timeout?

He says he's reading and sending email. From what I understand, he's not just letting the connection idle for 25 min. But I'll ask again to make sure.

[Simon]

Btw, thanks for your help guys, I really appreciate it. I know it's definitely not a very entertaining problem.

[Simon]

Here's an update:

• He didn't fool around with any MTU setting at all.
• It is definitely a timeout, but it only happens when connected over AP. He says he gets a message like 'The connection has been closed by the server because the timeout has been reached', but he only gets it when connected over AP. When he does the exact same VPN connection but over Ethernet (direct cable connection between PB and cable modem) he doesn't get the timeout.

Is there some kind of communication to keep the VPN connection alive that happens on a port that isn't forwarded by the APBS's NAT?

[Moose]

Originally Posted by Simon

When he does the exact same VPN connection but over Ethernet (direct cable connection between PB and cable modem) he doesn't get the timeout.

Does he get it when he's wired to the Airport's internal ethernet interface?

[Simon]

He's tried that as well and it works. He doesn't get the timeouts when he connects the PB to the base station's LAN port.

[Moose]

Originally Posted by Simon

He's tried that as well and it works. He doesn't get the timeouts when he connects the PB to the base station's LAN port.

Curious.

Is it possible to download a large file from a host on the network to which he's connecting?

[Simon]

I don't think he can do that. The quota there is barely enough for email.

[ink]

Originally Posted by Simon

Here's an update:

• He didn't fool around with any MTU setting at all.
• It is definitely a timeout, but it only happens when connected over AP. He says he gets a message like 'The connection has been closed by the server because the timeout has been reached', but he only gets it when connected over AP. When he does the exact same VPN connection but over Ethernet (direct cable connection between PB and cable modem) he doesn't get the timeout.

Is there some kind of communication to keep the VPN connection alive that happens on a port that isn't forwarded by the APBS's NAT?

I wonder if the Airport filters out TCP keepalive packets....?

[Simon]

Originally Posted by ink

I wonder if the Airport filters out TCP keepalive packets....?

Now that sounds like something that could explain this strange behavior! Does anybody know AP well enough to comment on that?