First, this problem has existed for almost two years. Until serverfault was born, I pretty much gave up on solving it - but now, hope is reborn!
I've set up a Windows 2003 server as a domain controller and VPN server at a remote office. I am able to connect to and work over the VPN from every windows client I've tried, including XP, Vista, and Windows 7 without issue, from at least five different networks (corporate and home, domain and non.) It works fine from all of them.
However, whenever I connect from clients on my home network, the connection drops (silently) after 3 minutes or less. After a short while, it will eventually tell me the connection has dropped and attempt to redial/reconnect (if I've configured the client that way.) If I reconnect, the connection will re-establish and appear to work correctly, but again will silently drop, this time after a seemingly shorter time period.
These are not intermittent drops. It happens every single time, in exactly the same way. The only variable is how long the connection survives.
It doesn't matter what type of traffic I send. I can sit idle, send continuous pings, RDP, transfer files, all of that at once - it makes no difference. The result is always the same. Connected for a few minutes, then silent death.
Since I doubt anyone has experienced this exact situation, what steps can I take to troubleshoot my evanescing VPN?
Additional background
During this two year span, I have changed ISPs (on both ends), added a new domain controller (my network), and changed routers (both networks). None of that had any affect.
The issue is reproducible from multiple PCs, with different OSes, but only from my network.
I verified that the behavior is client agnostic by testing on a non-Windows device.. I configured the VPN on my iPhone and connected via wifi over my network. Using an app called Scany, I pinged the server continuously until the connection dropped after about 2 minutes - same behavior I was seeing on Windows clients. Afterward, I disabled wifi and VPN'd over AT&Ts 3G and pinged continuously with no lost requests for 11 minutes. This test adequately isolated the issue to my network.
The only consistent component over the two year span is my domain controller which handles WINS and also acts as a VPN server for inbound connections. But, outbound traffic shouldn't route through my DC, it goes straight to the firewall/router, which is connected directly to my cable modem.
More Notes
A request was made that I verify my routes aren't funky when the VPN connection is established. I took a look and don't see anything obviously wrong, but my experience with route configuration is quite limited, so I'm posting the data.
My LAN's class C range is 192.168.1.255, the remote LAN's class C range is 192.168.10.255. I also masked the VPN server's public IP (74.93.XXX.XXX).
>route print (VPN Disconnected)
===========================================================================
Interface List
17...00 ff 10 80 57 0c ......Juniper Network Connect Virtual Adapter
11...00 23 ae e6 bb 49 ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit
Ethernet NIC (NDIS 6.20)
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.24 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.24 266
192.168.1.24 255.255.255.255 On-link 192.168.1.24 266
192.168.1.255 255.255.255.255 On-link 192.168.1.24 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.24 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.24 266
===========================================================================
Persistent Routes:
None
>route print (VPN Connected)
===========================================================================
Interface List
25...........................VPN Test
17...00 ff 10 80 57 0c ......Juniper Network Connect Virtual Adapter
11...00 23 ae e6 bb 49 ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit
Ethernet NIC (NDIS 6.20)
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.24 10
74.93.XXX.XXX 255.255.255.255 192.168.1.1 192.168.1.24 11
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.24 266
192.168.1.24 255.255.255.255 On-link 192.168.1.24 266
192.168.1.255 255.255.255.255 On-link 192.168.1.24 266
192.168.10.0 255.255.255.0 192.168.10.134 192.168.10.134 11
192.168.10.134 255.255.255.255 On-link 192.168.10.134 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.24 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.24 266
255.255.255.255 255.255.255.255 On-link 192.168.10.134 266
===========================================================================
Persistent Routes:
None
Tremendous thank you to @Warner and @William for their suggestions. Ultimately it was William's answer which lead me to the final resolution. For anyone who comes looking, here's the deal.
After a ton of messing around trying to isolate the problem, I finally did as William suggested and pulled up my firewall logs. Not expecting to find anything interesting, I was surprised when I saw this line:
Knowing that PPTP is how this VPN is configured, I did some searching on the error. It turns out, other people have seen it as well. Specifically, people with my exact router, the D-Link DIR-655.
The solution, it turns out, is simple.
In the router's web administration interface, access the Advanced tab and click on Firewall Settings on the left-hand menu. In the section labeled "APPLICATION LEVEL GATEWAY (ALG) CONFIGURATION", uncheck the box for PPTP (optionally, also uncheck IPsec if your VPN uses that protocol.) Click "Save Settings" and tell the router to reboot. Voila!
Unfortunately, disabling these ALG options means certain advanced routing features will not work. For instance, the PPTP support is intended to allow multiple NAT'd clients to tunnel to the same VPN server simultaneously. That probably will not work if the box is cleared. However, if like me your VPN doesn't really work at all when the box is checked, you probably don't mind.
I am still unclear as to why I seem to recall having this issue previously with a totally different router, but I'm happy it is working nonetheless.
At a guess, there is a component of the VPN traffic that is required but being blocked (eg at a firewall) or lost, and causing the drop out. Check firewall logs if you have them for dropped packets. Double check the rules to ensure all necessary ports and protocols are enabled. You might also want to do some continuous route monitoring on your end to see if traffic is mis-directed after the VPN tunnel comes up. The "route print" command shows this info on Windows.
I was having the same fault with openwrt and luci, I would connect via vpn to my openvpn server on my router. Connection would be established, then it would keep restarting my 3g modem and loosing my connection, the answer was in, firewall (thank you for pointing the direction) and edit the :1194 connection. Here you have a choice where the vpn connection was coming from and by default it was device, the other two options where lan and wan so for my situation it was wan, a quick change and restart and works great..
Basic troubleshooting. Eliminate equipment. Internet connection directly to PC. If reproducible, a different PC. Replace modem, try different ISPs (cell modem). Keep on going down the line until isolated then troubleshoot the equipment it's isolated to.