Maybe I'll tell you about it anyway - we are fighting a nasty bug which has some of the symptoms your users are seeing. In our case, it is related to the Sophos Client Firewall, but there might be issues with other firewalls, too. What is interesting is that the bug does not affect Cisco or Nortel IPSEC VPN. I'm not sure why, and I'm still trying to figure it out.
Every network VPN I've seen uses the address of the session as the default gateway in the IP stack. The effect of that is that the PC ARPs for every IP address to which it wants to communicate. In the case of NC, at least, the client immediately responds to the ARP with a dummy MAC address associated with the NC virtual adapter. What we are seeing is that - when the communication is initiated by a host within the secure network - the PC does not receive the ARP response from the NC client. It turns out that the firewall is throwing it away because it arrives too fast.
This turns out to affect TCP applications which maintain long sessions, even if the communications is initiated by the remote PC. When the TCP session starts, the ARP is done, and succeeds. The address of the host within the secure network is put into the ARP cache of the remote PC. After 10 minutes, the ARP entry times out and is flushed. If the next packet in the session comes from the host in the secure network, the ARP for the address fails, the remote PC fails to respond, and typically the other end resets the session after deciding the remote PC has gone away. The net effect is that applications fail after 10 minutes, or 20 minutes, or 30 minutes - very regularly.
Use this if it makes sense. If not, you have your trivia for today.
Ken
