Summary:
Network events that are external and transparent to TotalRoam can cause a Client to stop communicating through the TotalRoam VPN. Using loopback packets can often eliminate the problem.
Symptoms:
A TotalRoam Client successfully establishes a route registration with the Gateway and communicates through the VPN. However, following a period of inactivity, the Client stops communicating through the TotalRoam VPN even though the sentinel for one of the network adapters remains green.
Cause:
The TotalRoam VPN between a Client and a Gateway is established during the route registration process. During this process the Gateway records the address and port of the Client in its route table. Upon successfully establishing a route registration for a primary network, the Client will only re-attempt a route registration for the network if it detects that the corresponding network adapter has gone out of and back into coverage, or if another higher priority network comes into coverage. Otherwise, the Client expects that the TotalRoam VPN remains intact.
It is becoming more common for firewalls and routers to remove NAT translations for UDP connections after a period of inactivity. If that happens and UDP communications resume, the firewall/router begins using a different NAT translation.
If a Client sits behind a firewall or router that changes the NAT translation for its TotalRoam UDP traffic after a successful route registration, the Client will no longer be able to communicate through TotalRoam. The TotalRoam traffic from the Client reaches the Gateway, but the Gateway sends any return traffic to the Client using the address and port it recorded for the Client during the route registration process, which is no longer valid.
Resolution:
This issue can be resolved in two ways. The first is to eliminate or extend the UDP NAT timeout value on the firewall or router. The second is to configure the TotalRoam network adapter(s) on the Client for Loopback mode rather than Link Status mode. In Loopback mode, the Client will send regular loopback packets to the Gateway to check connectivity status. These loopback packets have the additional benefit of preventing the UDP NAT timeout value on the firewall or router from being exceeded, and therefore ensure that the NAT translation for the Client is not changed. If this problem occurs with a Wireless LAN adapter, it will need to be deleted and recreated as a Universal IP adapter.
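The failure described under Cause and the effect of Loopback mode can be reproduced with a small deterministic model. This is an added example, not TotalRoam code: the class, function names, port numbers and timings are constructed, and it assumes the Gateway records the Client's address and port only at route registration, as stated above.

```python
"""Added illustration: a UDP NAT idle timeout breaking a route that the
gateway recorded once at registration. All names and numbers are constructed."""

class Nat:
    """Source NAT that drops a UDP mapping after idle_timeout seconds of silence."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.next_port = 40000       # constructed starting public port
        self.mapping = None          # (public_port, last_seen)

    def outbound(self, now):
        """Client -> gateway packet; returns the public source port the gateway sees."""
        if self.mapping is None or now - self.mapping[1] > self.idle_timeout:
            self.mapping = (self.next_port, now)    # fresh translation, new port
            self.next_port += 1
        else:
            self.mapping = (self.mapping[0], now)   # refresh the idle timer
        return self.mapping[0]

    def inbound(self, port, now):
        """Gateway -> client packet; delivered only if it matches a live mapping."""
        m = self.mapping
        return m is not None and m[0] == port and now - m[1] <= self.idle_timeout

def simulate(idle_timeout, quiet_period, loopback_interval=None):
    """Register at t=0, stay idle for quiet_period seconds, then send data.
    loopback_interval=None models Link Status mode (no periodic packets)."""
    nat = Nat(idle_timeout)
    recorded_port = nat.outbound(0)           # gateway records this at registration
    if loopback_interval:
        t = loopback_interval
        while t < quiet_period:
            nat.outbound(t)                   # loopback packet refreshes the mapping
            t += loopback_interval
    seen_port = nat.outbound(quiet_period)    # client resumes traffic
    # The gateway replies to the port it recorded, not the one it now sees.
    delivered = nat.inbound(recorded_port, quiet_period)
    return {"recorded": recorded_port, "seen": seen_port, "reply_delivered": delivered}

if __name__ == "__main__":
    print("Link Status mode :", simulate(60, 300))
    print("Loopback every 30:", simulate(60, 300, loopback_interval=30))
    print("Loopback every 90:", simulate(60, 300, loopback_interval=90))
```

The third case shows that loopback packets only help when they are sent more often than the firewall's UDP NAT timeout.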
Applies To:
Clients using Universal IP or Wireless LAN adapters that may roam behind a firewall / router that changes NAT translations frequently.
Product Version:
All Versions
Platform:
TotalRoam Software
Remote Access Router™