An interesting problem with Exchange2007 MAPI Outlook clients and VPN conection
I hope i didnt post to the wrong forum,We got a interesting problem, dont know if anyone had a simular one,When a user uses a VPN client and connects to Exchange 2007 like a MAPI client with Outlook, he get constatly disconnected. He makes numerous connections to the mailobx server and as the treshhold is 32 connections he cant try to connects until a connection on the mailbox server expires. After that the cilent trys to connects againg and get disconnected.When the users connect using VPN and Outlook with RPC/HTTPS the connection i stable. And everything is OK.After a lot of google i found something that looks as the cause of this isue but the EVENT isnt completly the same http://www.itsyourip.com/Windows/how-to-fix-exchange-outlook-connection-issues-over-ipsec-vpn/ EVENT ID: 9646 Mapi session "OU=....cn=user...." exceeded the maximum of 32 objects of type "session".This event that we get is actualy the effect of the loose connection when a users uses VPN and MAPI.Anyone had a simular isue?
February 23rd, 2010 5:16pm

What you're seeing suggests there may be excessive latency in the VPN connection. RPC's are very time-sensetive and will time out if there is too much latency or any packet loss. I'd have the user test the ping times (using 2K packets to test for do not fragment flags), and see what the ping times and packet loss are.If there's a lot of latency or packet loss, they probably need to be using RPC over HTTPS. That's what it was designed for.
Free Windows Admin Tool Kit Click here and download it now
February 23rd, 2010 5:23pm

As already stated VPN connections are usually the culprit here, I would troubleshoot the uptime and connection status of your VPN.OliverOliver Moazzezi | Exchange MVP, MCSA:M, MCTS:Exchange 2010, BA (Hons) Anim | http://www.exchange2007.com | http://www.exchange2010.com | http://www.cobweb.com |
February 23rd, 2010 5:24pm

On Tue, 23 Feb 2010 14:16:15 +0000, ZarkoC wrote:>I hope i didnt post to the wrong forum,We got a interesting problem, dont know if anyone had a simular one,When a user uses a VPN client and connects to Exchange 2007 like a MAPI client with Outlook, he get constatly disconnected. He makes numerous connections to the mailobx server and as the treshhold is 32 connections he cant try to connects until a connection on the mailbox server expires. After that the cilent trys to connects againg and get disconnected.When the users connect using VPN and Outlook with RPC/HTTPS the connection i stable. And everything is OK.After a lot of google i found something that looks as the cause of this isue but the EVENT isnt completly the same http://www.itsyourip.com/Windows/how-to-fix-exchange-outlook-connection-issues-over-ipsec-vpn/ >>EVENT ID: 9646 Mapi session "OU=....cn=user...." exceeded the maximum of 32 objects of type "session".This event that we get is actualy the effect of the loose connection when a users uses VPN and MAPI.Anyone had a simular isue? You'll have to fix/adjust things on the VPN to actually make theproblem go away. In the meantime you can help a bit by shortening thevalue of the KeepAliveTime value in the TcpIp service to 5 minutesinstead of the 2 hours it's probably set to now.http://support.microsoft.com/kb/324270---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
February 24th, 2010 5:45am

Tnx Rich,i presume that this is done on the server side? if its so i cant test this.But yes u are write, it an isue on the VPN, and we are going to investigate it future, but for the time being RPC/HTTPS will have to do the job, for the clinets that connect with VPN.Tnx!!!
February 24th, 2010 11:08am

Tnx mjolinorThis is one thing that i didnt test, so am goin to test the ping form the client side to the mailbox server?I'll try and send you the results. Tnx!!!
Free Windows Admin Tool Kit Click here and download it now
February 24th, 2010 11:09am

On Wed, 24 Feb 2010 08:08:04 +0000, ZarkoC wrote:>Tnx Rich,i presume that this is done on the server side? That's correct.>if its so i cant test this.It's a pretty easy change to make, and it has beneficial effects forother common problems, too. If, for example, you have WiFi users theymay experience the same sort of problem if they move frequentlybetween access points in the network.>But yes u are write, it an isue on the VPN, and we are going to investigate it future, Be sure to try reducing the MTU size on the troublesome clients. Onequick test to see if it might be a problem is to use "ping":This should work:ping <exchange-server> -l 1472 -fThis should fail:ping <exchange-server> -l 1473 -fIf the ping with the 1472 length fails you'll have to keep trying withshorter packet sizes until you find one that works. Then adjust theMTU on the client to suit.>but for the time being RPC/HTTPS will have to do the job, for the clinets that connect with VPN.Tnx!!! ---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP
February 25th, 2010 5:45am

Can i presume that this maybe a "normal" condition? Im just thiniking, im using VPN to connect to the corporate network over a "loose" internet link, maby RPC over HTTPS is the only way that outlook will work over VPN? Isnt the latency going to increase even more if for example I go abroad and establish a VPN connection?
Free Windows Admin Tool Kit Click here and download it now
March 24th, 2010 4:12pm

On Wed, 24 Mar 2010 13:12:54 +0000, ZarkoC wrote:>>>Can i presume that this maybe a "normal" condition?I wouldn't describe it as "normal", but problems with VPN and packetfragmentation aren't uncommon.>Im just thiniking, im using VPN to connect to the corporate network over a "loose" internet link, maby RPC over HTTPS is the only way that outlook will work over VPN? If you're using RPC-Over-HTTPS why are you using VPN?>Isnt the latency going to increase even more if for example I go abroad and establish a VPN connection?Well, sure . . . unless you've figured out a way to increase the speedof light! Adding distance always increases latency.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP
March 25th, 2010 4:50am

The latency question is more of just of a observation, let say that the VPN with MAPI is working ok, if my client goes to Figi he will have issues :P We arent using RPC over HTTPS as default config in our corp network. We have the box "for slow connections...." in outlook checked, but that wont do the trick for a VPN connection, or is there a way? The client will stay HTTPS if i turn Outlook first and then the VPN, but that not realy the solution, as i have to aslo take in count the users that will turn VPN first and then Outlook. As i can see the only workaround is to have the laptops configured so that Outlook usees RPS over HTTPS all the time.
Free Windows Admin Tool Kit Click here and download it now
March 25th, 2010 10:53am

Just a quick update, an I realized that i didnt mention that the VPN clinet that we used was from Cisco, we just testid the MAPI client with MS SSTP over UAG and everything is working as it is supposed to. No disconnecting or any of those things.
March 25th, 2010 3:25pm

On Thu, 25 Mar 2010 07:53:17 +0000, ZarkoC wrote:>>> The latency question is more of just of a observation, let say that the VPN with MAPI is working ok, if my client goes to Figi he will have issues :P If, by "issues" you mean that connections take longer to accomplish aparticular task, sure. But if they use RPC-Over-HTTPS the differenceswon't be as noticeable.>We arent using RPC over HTTPS as default config in our corp network. We have the box "for slow connections...." in outlook checked, but that wont do the trick for a VPN connection,Well, not unless the VPN is really slow.>or is there a way?If you don't need the VPN for anything except e-mail, publish your CASservers on the Internet and have them use Outlook Anywhere(RPC-Over-HTTPS) instead of the VPN.>The client will stay HTTPS if i turn Outlook first and then the VPN, but that not realy the solution, It isn't the solution, but it sure points out a problem with your VPN!>as i have to aslo take in count the users that will turn VPN first and then Outlook. Do they use VPN only out of habit, or do they need it for somethingelse?>As i can see the only workaround is to have the laptops configured so that Outlook usees RPS over HTTPS all the time.The only reason that might work is because HTTP is more tolerant oflong latencies and crappy connection then RPC is. But that doesn't fixyour problem which is sounding more and more like it's related to theVPN.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
March 26th, 2010 5:19am

On Thu, 25 Mar 2010 12:25:48 +0000, ZarkoC wrote:>>>Just a quick update, an I realized that i didnt mention that the VPN clinet that we used was from Cisco, we just testid the MAPI client with MS SSTP over UAG and everything is working as it is supposed to. No disconnecting or any of those things. So using a different VPN makes a difference? I'd sure be looking atthe MTU size and packet fragmentation.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP
March 26th, 2010 5:20am

Thx for the advice Rich, will do that!!!
Free Windows Admin Tool Kit Click here and download it now
March 26th, 2010 12:20pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics