This article describes the failover mechanism of dial-on-demand (DOD) Virtual Private Network (VPN) interfaces in Routing and Remote Access in Microsoft Windows 2000.
You can use Routing and Remote Access to route traffic to a remote network using a secured VPN. You may need to have a backup access path to a remote network for critical business applications. You can configure Routing and Remote Access with two or more VPN DOD interfaces to provide access to the same remote network through a different path (and possibly a different remote VPN server). Static routes for each interface and the remote network use different metrics to determine which is the preferred interface/path. For example, a VPN DOD interface provides connectivity to network A by establishing a VPN session to a VPN server on network A. You can configure another VPN DOD interface to use a different path (and possibly a different remote VPN server) to provide access to network A in case connectivity through the first VPN DOD interface is unsuccessful.
In the following section, the two example VPN DOD interfaces (DOD1 and DOD2) are configured in Routing and Remote Access to access network A, where the static route for DOD1 has a lower metric (preferred path). The times provided below are just an example. You can use them as a reference, but they actually depend on several factors (for example, the media and hardware platform you are using).
How a Broken VPN Link Is Detected and a Backup VPN DOD Interface Is Connected
- After the DOD1 VPN link fails, Routing and Remote Access takes 2-3 minutes to discover the broken link (with default settings) and marks DOD1 as "disconnected."
- Routing and Remote Access then tries to reconnect DOD1. The attempt is unsuccessful (takes 15-25 seconds) and DOD1 is marked as "unreachable."
- The second static route (used by DOD2) is plumbed into the TCP/IP stack, and it takes 15-25 seconds for DOD2 to establish a connection.
How Routing and Remote Access Monitors Connectivity on the Preferred Broken VPN Link
Routing and Remote Access continuously attempts to connect the "unreachable" interface. The time interval between each attempt increments with each attempt; each consecutive attempt has a greater time interval than the previous attempt. The following time intervals between attempts are provided as an example.
|Connection Attempt Number||Approximate Time Interval|
How Routing and Remote Access Reconnects the Preferred VPN DOD Interface When the Link/VPN Server Is Back Up
- The preferred VPN DOD interface (DOD1) reconnects (15-25 seconds) after a time interval that correlates to the time DOD1 remained in an "unreachable" state.
- The static route with the lower metric is then plumbed into the TCP/IP stack.
- Traffic is then routed through DOD1, and DOD2 is disconnected.
Reducing the Time it Takes for Routing and Remote Access to Detect a Broken VPN LinkNote
Use caution when you modify these settings as they affect all Point to Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) connections on the computer.
PPTP and L2TP use control messages to set up, maintain, and end the tunnels. To monitor the status of a VPN session, PPTP and L2TP use a "keep alive" type of control message (PPTP uses PPTP_ECHO_REQUEST and PPTP_ECHO_REPLY messages over TCP segments; L2TP uses the HELLO message over User Datagram Protocol (UDP) datagrams).
A VPN DOD interface is marked "disconnected" after a certain number of ECHO (default is 6) or HELLO (default is 5) messages do not receive a response. You can reduce the time interval between these packets by modifying the registry.Warning
If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
For PPTP, you can modify the InactivityIdleSeconds parameter located in the following registry key
is the 000x
is a number) key that has the DriverDesc parameter set to a value of WAN Miniport (PPTP).
The default value for the InactivityIdleSeconds parameter is 60 (seconds). If this value is set to 1, Routing and Remote Access may detect a down PPTP link in as little as 30-45 seconds.
For L2TP, you can modify the HelloMS parameter located in the following registry key
is the 000x
is a number) key that has the DriverDesc parameter set to a value of WAN Miniport (L2TP).
The HelloMS parameter does not exist by default and needs to be created. It is a REG_DWORD type parameter that holds a value expressed in milliseconds; when the parameter does not exist, the default value of 60000 (1 minute) is used.
Setting the HelloMS value to 1 does not reduce the time it takes for Routing and Remote Access to detect a down L2TP link as much as the InactivityIdleSeconds parameter does for PPTP links (it may reduce this time to approximately 1.5 to 2 minutes). This is because the HelloMS value is used only after a reply to a HELLO message is received or a timeout has expired. This timeout value can be set by creating the MaxSendTimeoutMs REG_DWORD parameter in the same registry key where the HelloMS parameter is created. The default is 10 seconds but the standard states that it should not be less than 8 seconds so you can only decrease this value to 8.
Another option is to decrease the number of HELLO messages that Routing and Remote Access sends (without getting a response) before marking the L2TP DOD interface as "disconnected." To set this option, create the MaxRetransmits REG_DWORD registry parameter in the same location where the HelloMS parameter is located (for example, you can set it to 1).
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
How to use static routes with Routing and Remote Access Service