VPN, RDP, file sharing failure on Vista.

July 2nd, 2009 | by admin |

If you are on Vista (any Service Pack or version), you may see the following:

  • The network connection fails, particularly behind a VPN.
  • Mail clients may respond slowly or even crash.
  • Remote access clients such as RDP, SSH and X Window clients may respond slowly and lose their connections.
  • Any low latency protocol may experience poor network performance.

This is due to the new IP stack implementation in Vista, which complies with RFC 1323's TCP window scale option. Some layer 3 network devices (routers, firewalls, etc.) that your Vista client passes through when connecting to the network don't fully understand this option.

Awkward as it might be, this isn't a Vista problem but a network problem, and therefore the responsibility of your sysadmin.
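To show what a device that ignores the window scale option gets wrong, here is an added example (not part of the original post) that parses the option out of a SYN and compares the receive window a scale-aware endpoint computes with the one a scale-unaware device computes. The segments, ports, sequence numbers and the shift of 8 are constructed sample values, and the example assumes both ends offered window scaling.

```python
import struct

def parse_tcp_options(header: bytes) -> dict:
    """Map option kind -> value bytes for one raw TCP header."""
    end = (header[12] >> 4) * 4          # data offset, in bytes
    if end < 20 or end > len(header):
        raise ValueError("bad data offset")
    opts, i = {}, 20
    while i < end:
        kind = header[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= end or header[i + 1] < 2 or i + header[i + 1] > end:
            raise ValueError("malformed TCP option")
        opts[kind] = header[i + 2:i + header[i + 1]]
        i += header[i + 1]
    return opts

def window_scale_shift(syn: bytes):
    """Shift count offered in a SYN (option kind 3), or None if not offered."""
    if not syn[13] & 0x02:
        raise ValueError("window scale is only carried on SYN segments")
    value = parse_tcp_options(syn).get(3)
    if value is None:
        return None
    if len(value) != 1:
        raise ValueError("bad window scale option length")
    return min(value[0], 14)             # RFC 1323 limits the shift to 14

def window_bytes(segment: bytes, shift, scale_aware: bool) -> int:
    """Receive window as a scale-aware or scale-unaware observer computes it."""
    raw = struct.unpack("!H", segment[14:16])[0]
    is_syn = bool(segment[13] & 0x02)
    if is_syn or shift is None or not scale_aware:
        return raw                       # the window field of a SYN is never scaled
    return raw << shift

# Constructed sample segments (not captured traffic): a client SYN offering
# MSS 1460, window scale shift 8 and SACK-permitted, then a later ACK whose
# 16-bit window field is 256.
SYN = struct.pack("!HHIIBBHHH", 49152, 3389, 1000, 0, 8 << 4, 0x02, 8192, 0, 0) \
    + bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])
ACK = struct.pack("!HHIIBBHHH", 49152, 3389, 1001, 5001, 5 << 4, 0x10, 256, 0, 0)

if __name__ == "__main__":
    shift = window_scale_shift(SYN)
    print("endpoint view:", window_bytes(ACK, shift, True))
    print("scale-unaware device view:", window_bytes(ACK, shift, False))
```

A device working from the unscaled figure disagrees with the endpoints about how much data fits in the window, which is the mismatch behind the symptoms listed above.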

As a user, you can turn off this option on Vista by going to the command prompt and typing:

netsh interface tcp set global autotuninglevel=disabled

…and restarting your computer. The connection problems should be gone now. To turn this feature back on, type this:

netsh interface tcp set global autotuninglevel=normal

…and restart again. This is the default behavior, and on connections without problems it can increase your network throughput through more efficient TCP flow control.

If you are the sysadmin, you can resolve this problem at the network devices:

  • Linksys RV series (RV042, RV081, RV-16)
  • NetApp Cache Appliances NC 6.0.2 or an earlier version: The TCP splicing feature may not work together with the Window Scaling feature in Windows Vista. By default, the TCP splicing feature is enabled on NetApp Cache Appliances NC 6.0.2 or on an earlier version.
  • Cisco PIX 6.1(5), Cisco PIX 6.2(3), and Cisco PIX 6.3(1): These devices do not support the Window Scaling feature in Windows Vista.
  • Cisco IOS Software Release: Cisco IOS Software Release 12.3(15) and later versions of this software support the Window Scaling feature in Windows Vista.
  • Sonicwall: The Window Scaling feature in Windows Vista may not work if you enable either of the following features on a Sonicwall firewall device:
    • Strict TCP Enforcement Option
    • Enforce strict TCP compliance with RFC 793 and RFC 1122
  • Checkpoint NG R55 (and other versions): To work around this issue, disable the Sequence Verifier Enforcement feature.
  • As a real-world example, Checkpoint's VPN SecureClient/SecuRemote software will surely show this behaviour on Vista, even in its latest version, if the sequence verifier check (above) is turned on at the VPN server together with the window scale option at the Vista VPN client. As it isn't Checkpoint's fault, the security solutions company doesn't release a workaround for this.

    For more information, please visit the corresponding Microsoft knowledge base.
