We use the F5 SSL VPN with 1000 users. These days, we started noticing the PPP tunnel flapping very often. The Edge Client connectivity status shows connected; however, the users lose access to the assigned network resources for a while and then it restores itself.
When the issue occurs, any open TCP connections like Skype, RDP sessions and Outlook will be lost, and when the PPP tunnel gets restored all the applications start working.
1. If it's the client side (laptop) which is triggering network events like route changes to modify the static route for the full tunnel, any idea how to find out?
2. We did prohibit route changes on the client side.
3. The VPN is a full tunnel.
4. In the APM logs, we see PPP tunnel closed and started logs when the user experiences the issue.
5. We see the inbound traffic going to zero on the Edge Client when the issue occurs.
I am looking forward to seeing if anyone has noticed the same issue.
We're a much smaller deployment but have started seeing this some as well. Early on we were getting more consistent errors with the PPP tunnel related to RAS 720 errors (https://support.f5.com/csp/article/K10445740) and conflicts with our Zscaler tunnel.
There are some very old topics on this, but yours is the newest and most verbose so I'm happy to bump and upvote to promote more up-to-date discussion.
Mine is not consistent as I survey the user base, and I am hoping those I am seeing are just the result of the local connection transitioning on the laptop. Only one complaint so far, so it's unclear if this is actually a problem for us. What is your interval like for flapping? Is it consistent throughout the day?
The local log file (%TEMP%\logterminal.txt) was helpful for solving our previous, more consistent issues. We have left instructions with our support desk to retrieve this in the event of further complaints.
Thanks, and I appreciate your time. Yes, we see the reconnects are consistent throughout the day. The client side team hard-coded the regkeys to force all the traffic through the VPN dialers via the proxy (Blue Coat). I definitely noticed the client side route transition and I see the error RAS Connection dropped in the CTC logs.
As the client team configured everything to go through the proxy, if the proxy is not reachable or times out, would that cause the tunnel to flap?
Yes, this is similar to the behavior we saw early on with Zscaler. I would recommend disabling Blue Coat entirely for a test group and monitoring the behavior, especially since you're a full tunnel. Zscaler recommends disabling their client when using a full tunnel VPN; Blue Coat may do the same.