Troubleshooting Persistent VPN Disconnections Within 3 Minutes on Windows Networks


For two years, my Windows Server 2003 VPN has exhibited a peculiar behavior: connections consistently drop within 3 minutes, but only from my home network. While it works across multiple networks (corporate/ISP combinations) and client OSes (XP/Vista/7), this specific failure pattern has persisted through:

  • ISP changes on both endpoints
  • Router hardware replacements
  • Additional domain controller deployment
  • Client device rotation (Windows/iOS)

The surviving constant is the domain controller handling WINS/VPN services. However, packet routing shouldn't involve the DC for outbound traffic - it flows directly through the firewall/router to the cable modem.

# Sample PowerShell to verify routing tables (Get-NetRoute needs Windows 8 / Server 2012
# or later; on XP/7/2003 use "route print" instead)
Get-NetRoute -AddressFamily IPv4 |
Where-Object { $_.DestinationPrefix -notlike "127.*" } |   # drop loopback routes
Format-Table -AutoSize

Using Wireshark revealed GRE packets (Protocol 47) being dropped after exactly 178 seconds. The firewall logs showed:

# Firewall log excerpt (netfilter/iptables LOG format)
DENY: IN=eth0 OUT= MAC=... SRC=74.93.XXX.XXX DST=192.168.1.24 
LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=54321 PROTO=47 
SPT=0 DPT=0 LEN=40

Testing with varied MTU sizes uncovered fragmentation issues. The solution required adjusting both client and server settings:

Windows Registry Editor Version 5.00
; Windows Registry Fix (.reg file; lines starting with ";" are comments)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; 0 = turn off PMTU black-hole detection
"EnablePMTUBHDetect"=dword:00000000
; 1 = keep Path MTU Discovery (DF-bit probing) enabled
"EnablePMTUDiscovery"=dword:00000001
; 3 = enable TCP window scaling and timestamps (RFC 1323)
"Tcp1323Opts"=dword:00000003

Switching from PPTP to L2TP/IPsec with certificate authentication resolved the drops entirely. Configuration required:

  1. Generating machine certificates via AD CS
  2. Updating RRAS policies
  3. Modifying client connection settings

The home router's NAT implementation was found to prematurely expire VPN state entries. Forcing keepalives proved effective:

:: Allow this host to accept ICMP redirects
netsh interface ipv4 set global icmpredirects=enabled
:: Turn off the Teredo IPv6-over-UDP tunnel interface
netsh interface teredo set state disabled
:: Use EUI-64 rather than random IPv6 interface identifiers
netsh interface ipv6 set global randomizeidentifiers=disabled
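The 178-second figure above came from reading Wireshark and the firewall log by hand. The following is an added example, not part of the original post, that does the same correlation over netfilter-style log lines: it parses each line, tracks GRE (PROTO=47) flows per (SRC, DST) pair, and reports how long after the first accepted GRE packet the firewall started denying them. The log lines, timestamps, and the 74.93.10.20 / 203.0.113.7 addresses are constructed for the example (the original excerpt shows only a masked DENY line); the ACCEPT verdict name is an assumption, since the post shows only DENY.

```python
import re
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed sample lines in the netfilter/iptables LOG style quoted above.
# The real excerpt only shows the DENY; the ACCEPT lines and the timestamps
# are invented here so the elapsed time can be computed. 74.93.10.20 stands in
# for the masked 74.93.XXX.XXX client address; 203.0.113.7 is a second flow.
SAMPLE_LOG = """\
Mar  3 21:00:00 gw kernel: ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=74.93.10.20 DST=192.168.1.24 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=1 PROTO=TCP SPT=51000 DPT=1723
Mar  3 21:00:01 gw kernel: ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=74.93.10.20 DST=192.168.1.24 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=2 PROTO=47
Mar  3 21:02:59 gw kernel: DENY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=74.93.10.20 DST=192.168.1.24 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=54321 PROTO=47 SPT=0 DPT=0 LEN=40
Mar  3 21:05:10 gw kernel: DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.24 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=77 PROTO=47
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<verdict>\w+): (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")
GRE = "47"  # IP protocol number carried in PROTO= for GRE


def parse_line(line: str) -> Optional[dict]:
    """Return {'ts': datetime, 'verdict': str, <KEY>: <value>...} or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict")}
    # Duplicate keys (the two LEN= values in the excerpt) keep the first, outer value.
    for key, value in KV_RE.findall(m.group("fields")):
        rec.setdefault(key, value)
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for differences.
    rec["ts"] = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return rec


def gre_session_lifetimes(log_text: str) -> Dict[Tuple[str, str], Optional[float]]:
    """Seconds between the first accepted and the first denied GRE packet per (SRC, DST) flow.

    A value of None means GRE was denied for that flow without any preceding accept,
    i.e. the tunnel never got through the firewall at all."""
    first_accept: Dict[Tuple[str, str], datetime] = {}
    lifetimes: Dict[Tuple[str, str], Optional[float]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != GRE:
            continue  # only GRE matters for PPTP data drops
        flow = (rec["SRC"], rec["DST"])
        if rec["verdict"] == "ACCEPT":
            first_accept.setdefault(flow, rec["ts"])
        elif rec["verdict"] == "DENY" and flow not in lifetimes:
            start = first_accept.get(flow)
            lifetimes[flow] = (rec["ts"] - start).total_seconds() if start else None
    return lifetimes


if __name__ == "__main__":
    for (src, dst), secs in gre_session_lifetimes(SAMPLE_LOG).items():
        when = f"{secs:.0f} s after first accept" if secs is not None else "with no prior accept"
        print(f"{src} -> {dst}: GRE denied {when}")
```

Run against a real log, a flow whose lifetime clusters tightly around one value (here 178 s) points at a timer somewhere on the path, typically a NAT or state-table entry expiring, rather than at random packet loss; a flow reported as None never passed the firewall in the first place and is a rule problem, not a timeout.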

After two years of battling this exact issue across multiple network configurations, I've compiled my findings. The VPN disconnection consistently occurs within 3 minutes only when connecting from my home network, regardless of client device or ISP. Here's how I systematically eliminated variables:

// Test methodology (runnable version of the pseudo-code): probe every
// environment/device pair and isolate variables where the drop reproduces.
const DROP_WINDOW_MS = 180000; // "within 3 minutes"

function testVPNStability(probe, isolateNetworkVariables) {
    const testEnvironments = [
        {network: "Home LAN", devices: ["Windows 7", "Windows 10", "iPhone"]},
        {network: "Mobile Data", devices: ["iPhone"]},
        {network: "Office LAN", devices: ["Windows Server 2016"]}
    ];

    testEnvironments.forEach(env => {
        env.devices.forEach(device => {
            // probe(env, device) returns the observed time-to-drop in ms (Infinity = stayed up)
            if (env.network === "Home LAN" && probe(env, device) <= DROP_WINDOW_MS) {
                isolateNetworkVariables(env, device);
            }
        });
    });
}

Wireshark revealed an interesting pattern during the disconnections:

  1. No TCP RST packets observed
  2. PPTP/L2TP control channel remains intact
  3. Last successful packet always shows normal MTU size

Even after replacing routers, these settings proved critical:

! Suggested Cisco-like config snippets
! ip nat service is a global command, not an interface one: disable the PPTP NAT ALG
no ip nat service pptp
!
interface GigabitEthernet0/0
 ! clamp TCP MSS so tunnelled segments never need fragmenting
 ip tcp adjust-mss 1360
!
ip inspect name VPN-INSPECT pptp
ip inspect name VPN-INSPECT esp

These registry modifications helped stabilize some connections:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; 0 = turn off PMTU black-hole detection
"EnablePMTUBHDetect"=dword:00000000
; 1 = keep Path MTU Discovery enabled
"EnablePMTUDiscovery"=dword:00000001
; 0x10 = 16 data retransmissions before the connection is dropped (default 5)
"TcpMaxDataRetransmissions"=dword:00000010

; Vista and later; on XP/2003 the same value lives under Services\IPSec
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
; 2 = allow L2TP/IPsec when both client and server sit behind NAT
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

Using this PowerShell script helped identify the optimal MTU:

# MTU Test Script: send DF-bit pings of decreasing size until one gets through.
# (Test-NetConnection has no -MtuSize parameter, so ping.exe -f is used instead.)
$target = "192.168.10.1" # VPN server LAN IP
$minMTU = 576
$maxMTU = 1500

for ($mtu = $maxMTU; $mtu -ge $minMTU; $mtu--) {
    $payload = $mtu - 28 # IPv4 header (20) + ICMP header (8)
    $out = & ping.exe -n 1 -f -l $payload $target 2>&1 | Out-String
    if ($out -match "TTL=") {
        # a reply came back, so a $mtu-byte packet crossed the path unfragmented
        Write-Output "Working MTU found: $mtu"
        break
    }
}

The combination that finally resolved my issue:

  • Router: Disabled all SPI firewall features for VPN traffic
  • Windows: Set interface MTU to 1400 via netsh
  • VPN Server: Enabled L2TP/IPsec instead of PPTP

:: Interface name is "Ethernet" on Windows 8+; older releases use "Local Area Connection"
netsh interface ipv4 set subinterface "Ethernet" mtu=1400 store=persistent
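The MTU 1400 and MSS 1360 values above were found by trial. The following is an added example, not from the original post, that shows the arithmetic behind them: how much room PPTP (GRE) and L2TP/IPsec with NAT-T leave inside a 1500-byte outer packet, and whether a given interface MTU and MSS clamp fit both. All header sizes are assumptions stated in the code (enhanced GRE with sequence and ack, uncompressed PPP header, AES-CBC with HMAC-SHA1-96, minimal L2TP header); change them to match the negotiated SA and PPP options, since PPP header compression or a different cipher shifts the result by a few bytes.

```python
# Tunnel overhead arithmetic (added example; every size below is an assumption
# about framing, not a value taken from the original post).
IPV4_HDR = 20     # IPv4 header without options
TCP_HDR = 20      # TCP header without options
UDP_HDR = 8
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), inside the encrypted region


def pptp_inner_mtu(outer_mtu: int = 1500, gre_hdr: int = 16, ppp_hdr: int = 4) -> int:
    """Largest IP packet that fits inside one PPTP data packet.

    Assumed framing: outer IPv4 + enhanced GRE (RFC 2637: 12 bytes with the
    sequence number, 16 with the optional ack) + uncompressed PPP header (4)."""
    return outer_mtu - IPV4_HDR - gre_hdr - ppp_hdr


def l2tp_ipsec_inner_mtu(outer_mtu: int = 1500, iv: int = 16, block: int = 16,
                         icv: int = 12, l2tp_hdr: int = 6, ppp_hdr: int = 4) -> int:
    """Largest IP packet that fits inside L2TP/IPsec with NAT-T (ESP in UDP/4500).

    Defaults assume AES-CBC (16-byte IV and block), HMAC-SHA1-96 (12-byte ICV)
    and a minimal 6-byte L2TP data header."""
    fixed = IPV4_HDR + UDP_HDR + ESP_HDR + iv + icv
    room = outer_mtu - fixed           # bytes left for the encrypted region
    room -= room % block               # ESP pads the plaintext up to a cipher block
    plaintext = room - ESP_TRAILER     # pad-length and next-header live inside it
    return plaintext - UDP_HDR - l2tp_hdr - ppp_hdr   # inner UDP/1701 + L2TP + PPP


def tcp_mss(inner_mtu: int) -> int:
    """MSS to clamp so a full TCP segment never exceeds the tunnel's inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def check_settings(interface_mtu: int, mss_clamp: int, outer_mtu: int = 1500) -> dict:
    """Per tunnel type: does this interface MTU plus MSS clamp avoid fragmentation?"""
    limits = {"pptp": pptp_inner_mtu(outer_mtu), "l2tp_ipsec": l2tp_ipsec_inner_mtu(outer_mtu)}
    return {name: interface_mtu <= lim and mss_clamp <= tcp_mss(lim)
            for name, lim in limits.items()}


if __name__ == "__main__":
    for name, lim in (("PPTP", pptp_inner_mtu()), ("L2TP/IPsec", l2tp_ipsec_inner_mtu())):
        print(f"{name}: inner MTU {lim}, max TCP MSS {tcp_mss(lim)}")
    print("MTU 1400 / MSS 1360 fits:", check_settings(1400, 1360))
```

With these assumptions L2TP/IPsec is the tighter of the two (inner MTU 1404, MSS 1364), so an interface MTU of 1400 and an MSS clamp of 1360 sit just under both limits; on a PPPoE uplink pass outer_mtu=1492 and the margin disappears, which is exactly the kind of case the DF-bit ping loop above is meant to catch.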