Sounds like those home users have modems with NAT enabled. Could you confirm that only those users apply NAT?

If not, you might have something more difficult (also NAT though):

- example user has a home networker 10.x.x.x/24

- example NC IP range 10.x.x.x/16 or /8

Imagine the routing issues here...Aye cap'n, where's me gateway gone?

Even a much simpler example case of the NC gateway on 10.0.0.10 and the home net gateway on 10.0.0.1, where the NC client computer cannot find either one, depending on the NC settings on your SA, will cause troubles like this.

Good luck!

This sounds like it could be an MTU size issue. It could be the ISP is restricting the size (may be due to some tunnelling they employ). I believe Network Connect bases it's MTU on th physical Interface. If the ISP is restricting the size for a direct connection like browsing the stack will sort things out but you can get a situation where Network Connect thinks the MTU is larger and tries to send bigger packets that get dropped/fragmented. Try reducing the MTU on the physical interface, 1400's normally a good starting point (if I remember correctly this is done in the registry).

Thanks for the suggestions. I changed the MTU setting in Windows registry for the user, so we'll see how it goes tonight.

If changing MTU doesn't help, then you should have your users upgrade their home router firmware as a next step.

Dropped packets can also occur over WIFI connections. Interferance and low signal strength can cause this. Have the users try to replicate the issue while wired to the router directly.

---

@jkopko wrote:

Thanks for the suggestions. I changed the MTU setting in Windows registry for the user, so we'll see how it goes tonight.

---

Reduce the MTU on the IVE to 1400 since the problem seems to be on the users home network.

Also, is the user's home network wi-fi? Wi-fi is notorious for dropping packets and connections and IPSec vpn's don't really like that.

Hi JKopko,

any results from your users?

Thansk in advance!

If your customers are on networks (like AT&T) where everyone is behind a row of proxy servers, your roaming configuration may be breaking their connections.

On my AT&T connection I had to configure my communication manager to do no accelleration (bytemobile client off) otherwise, every 3-10 minutes, AT&T would route me out through a different proxy and my roaming disallowed SA2500 would kick me off for changing networks (from 32.x.x.x to 166.x.x.x). Also, if your users are getting RFC-1918 addresses, then there may not be much they can do, short of getting a static ip address, unless you open up roaming. (so far i have only seen this on Linux AT&T wireless clients.)

We have a handful of users who are having problems on WiMax connections such as Clearwire. I'd be curious to know if anyone else has seen this.

jkopko - You might want to see if the user gets dropped packets with SSL transport mode instead of ESP. I agree with the others to look at the user's home router as well.