ArturZaprzala asked SekoBayo-9817 edited

VPN disconnects after 5 minutes ignoring -IdleDisconnectSeconds option

I created a VPN connection on Windows 10 Pro 2004 19041.746 using a PowerShell command:
Add-VpnConnection -Name "Test VPN" -ServerAddress libreswan-server-address -TunnelType Ikev2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -SplitTunneling -PassThru -IdleDisconnectSeconds 0

VPN is working fine, but after 5 minutes of inactivity it is disconnected, regardless of the value set by IdleDisconnectSeconds option. Even if IdleDisconnectSeconds is set to 60 seconds, it is disconnected after 5 minutes.
The status of the connection is shown as connected on client side, but disconnected at server side. When I send some network traffic (like ping) from Windows through the VPN, connection is activated and works as if nothing happened, but I can't do the same from the server side. In the server logs I can see clearly that Windows sent a request to delete the IPSec SA (Security Association).

A very similar problem was reported 4 years ago on technet (the final post says it was fixed, but now it is broken again):
https://social.technet.microsoft.com/Forums/en-US/29da6504-c0cd-4125-980d-92db9b7bfe76/updated-windows-10-anniversary-update-drops-ikev2-vpn-connection-to-cisco-router-in-exactly-60?forum=win10itpronetworking


Hi,
Please allow me some time to do some research, I will reply you as soon as possible.

GloriaGu-MSFT answered ArturZaprzala commented

Hi,

Thank you for posting in Q&A!

Have you installed any third-party firewall application on the VPN client and server? First, please try to disable the third-party firewall on both the client and the server. Then you can check the Windows built-in firewall logs on both sides.

According to this thread, the op found out the VPN traffic was blocked by firewall, which might be the cause of this issue:
windows-vpn-always-disconnects-after-3-minutes-only-from-my-network


Hope you have a nice day : )
Gloria
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
https://docs.microsoft.com/en-us/answers/articles/67444/email-notifications.html



There are no third party firewalls on either side.

How would you explain that I can't make the VPN disconnect sooner than 5 minutes using the IdleDisconnectSeconds option? I confirmed that the connection is idle using tcpdump (only IKEv2 and keep-alive packets are being sent).

GaryNebbett answered

Hello @ArturZaprzala,

There are several timeout values that can affect VPN behaviour.

I think that most of what you are observing can be explained by the idleTimeoutSeconds value in this structure:

 typedef struct IPSEC_SA_IDLE_TIMEOUT0_ {
   UINT32 idleTimeoutSeconds;
   UINT32 idleTimeoutSecondsFailOver;
 } IPSEC_SA_IDLE_TIMEOUT0;

The default value used under Windows is hard coded in vpnike.dll and can only be overridden by undocumented registry values. It is not influenced by the IdleDisconnectSeconds value that you set.

This timeout controls when a "quick mode" (also known as a "child") Security Association (SA) can be expired. So long as the "main mode" SA remains valid, a new "quick mode" SA can be created by either end of the communication channel whenever needed (there is a separate "quick mode" SA for each direction, inbound and outbound).

To know whether you actually have any issue at all, we would need a bit more information. For example, can you ping the client from the server during the first few minutes of a new VPN connection? The VPN connection on the client might be in the firewall "public" profile and just drop inbound ICMP echo requests.

If pings work in the first few minutes, then we can examine (via more tracing) why the server is not able to establish new quick mode SAs when it needs them - let us know if you need any advice on how best to do this.

Gary
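The checks Gary proposes (which firewall profile the VPN interface landed in, whether the main-mode and quick-mode SAs are present, and making sure a server-side ping is not simply dropped by the "Public" profile) can be scripted on the client. The following is an added example, not code from any participant in this thread. It assumes the connection name "Test VPN" from the question and uses the NetSecurity and NetConnection cmdlets shipped with Windows 10; the firewall rule name is an arbitrary choice.

```powershell
# Added example (not from the thread): inspect an IKEv2 VPN client connection
# on Windows 10 before concluding that the server "cannot" reach the client.
# Run in an elevated PowerShell session while the VPN is connected.

$VpnName = "Test VPN"   # connection name from the question (assumption: unchanged)

# 1. Which network profile did Windows assign to the VPN interface?
#    Inbound ICMPv4 echo is blocked by default in the Public profile, so a
#    "failed" ping from the server may be the firewall, not the tunnel.
$profile = Get-NetConnectionProfile -InterfaceAlias $VpnName -ErrorAction Stop
"{0} is in the {1} profile" -f $profile.InterfaceAlias, $profile.NetworkCategory

# 2. Main-mode (IKE) and quick-mode (child/ESP) SAs currently installed.
#    The quick-mode SAs are the ones an idle timeout can expire; as long as a
#    main-mode SA is listed, either peer can negotiate new child SAs.
#    Wildcards keep the Select-Object robust across builds that expose
#    slightly different property sets.
"--- main mode SAs ---"
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, Lifetime*
"--- quick mode SAs ---"
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, Direction, Lifetime*, Idle*

# 3. Allow inbound ICMPv4 echo requests on the VPN interface only, in every
#    profile, so that a ping from the server tests the tunnel rather than
#    the host firewall. The rule name is an assumption.
$ruleName = "Allow ICMPv4 echo on $VpnName"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -InterfaceAlias $VpnName -Action Allow -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Profile, Direction, Action
```

Run step 2 once right after connecting and again after the five-minute mark: if the main-mode SA is still listed but the inbound quick-mode SA is gone, the client has expired the child SA as the question's server logs describe, and the remaining question is why the server's attempt to create a new one does not succeed.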

SekoBayo-9817 answered SekoBayo-9817 edited

Hi,

I have the exact same issue, and disabling the Windows firewall fixes the issue. Completely disabling the Windows firewall is not always the desired option.

I kept the Windows firewall turned on and followed step 3 of this tutorial from this site: https://windowsreport.com/vpn-blocked-windows-firewall/

I want to find a PowerShell command that enables this, but so far I couldn't find it. If someone knows how to do this, please share.
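The thread does not say which rule the linked tutorial's step 3 creates, so the following is an added example rather than a transcription of it: a PowerShell alternative to switching Windows Defender Firewall off. It turns on logging of dropped packets (the check Gloria's answer suggests) and adds explicit allow rules for the IKEv2/IPsec traffic an IKEv2 client exchanges with its server (UDP 500 for IKE, UDP 4500 for NAT-T, IP protocol 50 for ESP). The rule names, the log size and the choice to scope the rules to these ports rather than allow the whole program are assumptions made here.

```powershell
# Added example (not from the thread): keep Windows Defender Firewall on but
# (1) log dropped packets and (2) allow IKEv2/IPsec traffic explicitly.
# Run in an elevated PowerShell session.

# 1. Log dropped packets on every profile. Blocked IKE/ESP traffic then shows
#    up as DROP lines in pfirewall.log (default location under System32).
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 2. Explicit allow rules for IKE, NAT-T and ESP, in both directions.
#    Outbound is normally allowed already; the inbound rules matter when the
#    server initiates, for example a rekey or a new child SA after the
#    stateful entry for the client's own UDP flow has expired.
$rules = @(
    @{ Name = 'IKEv2 VPN - IKE (UDP 500)';     Protocol = 'UDP'; Port = 500  },
    @{ Name = 'IKEv2 VPN - NAT-T (UDP 4500)';  Protocol = 'UDP'; Port = 4500 },
    @{ Name = 'IKEv2 VPN - ESP (IP proto 50)'; Protocol = '50';  Port = $null }
)
foreach ($dir in 'Inbound', 'Outbound') {
    foreach ($r in $rules) {
        $display = "$($r.Name) $dir"
        if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }
        $params = @{
            DisplayName = $display
            Direction   = $dir
            Protocol    = $r.Protocol
            Action      = 'Allow'
            Profile     = 'Any'
        }
        if ($r.Port) {
            # Inbound: the port on this host. Outbound: the port on the server.
            if ($dir -eq 'Inbound') { $params.LocalPort = $r.Port } else { $params.RemotePort = $r.Port }
        }
        New-NetFirewallRule @params | Out-Null
    }
}
Get-NetFirewallRule -DisplayName 'IKEv2 VPN - *' | Select-Object DisplayName, Direction, Enabled, Action

# 3. After reproducing the five-minute disconnect, look for drops involving
#    the VPN server's address (replace the placeholder with the real one).
$server = 'libreswan-server-address'   # placeholder from the question
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 500 |
    Select-String -Pattern 'DROP' | Select-String -Pattern $server
```

If the log shows no drops for the server's address at the moment the server tries to bring the tunnel back up, the host firewall is not what is blocking it and the rules above can be removed again with Remove-NetFirewallRule -DisplayName 'IKEv2 VPN - *'.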
