12-19-2008 10:38 AM
We've been having issues with several users having their VPN tunnel randomly drop. In reviewing the NCService log, I see the following messages in all cases:
2008/12/11 16:11:35.105 dsNcService: tC04 "DebugId" 'DSSSL_recv' [Debug] DSSSL_recv: returned 0x2746 error.
2008/12/11 16:11:35.105 dsNcService: t4EC "DebugId" 'ncphandler' [Debug] ncphandler: control channel disconnected due to error 2746
2008/12/11 16:11:35.105 dsNcService: t4EC "DebugId" 'session' [Debug] session: reconnecting attempts = 1
2008/12/11 16:11:35.105 dsNcService: t4EC "DebugId" 'session' [Debug] session: Registering new timer for reconnection
2008/12/11 16:11:35.105 dsNcService: t4EC "DebugId" 'adapter' [Debug] adapter: unregistering the adapter IO handler
In some cases the error is 2745 rather than 2746. Has anybody else seen this, or does anyone know what may be causing it?
08-28-2009 02:14 AM
I'm running IVE OS v6.3R1.2 and I'm experiencing the same issue.
I've asked JTAC to investigate because I did not find any trace of this issue in the 6.3R4 release notes.
06-09-2010 12:22 AM
Did anyone find the cause or resolution for the "ncphandler: control channel disconnected due to error 2746" problem?
Appreciate your help in advance.
06-09-2010 03:11 AM
The information I can find on error 2746 is that it is a disconnect due to a TCP RESET. The RESET usually happens due to the IVE or devices between the IVE and NC. A tcpdump on the IVE external port and NC ethernet port will find out where the RESET is coming from. If the SSL control channel traffic is not being transferred between the NC client and the IVE then the NC session will be closed.
Some possible causes are client DHCP leases expiring; client interfaces going down; SSL traffic blocked so the IVE RESETs the connection; client IP changing when roaming is not enabled; third party software such as AVs or Firewalls on the client PC interfering with the NC connection; or route monitoring enabled and the client route table changing. Is http://kb.juniper.net/KB14131 applicable? Are the clients using a Verizon Aircard?
Do the users see any pop-up messages about the failing NC connection? Are they able to re-connect? Can they access and log into the SA webpage and get their homepage during the failure?
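A triage sketch for the log lines quoted in this thread, added here as an example and not written by any poster or by Juniper: it extracts each control-channel disconnect from an NCService log and labels the code, reading 2745/2746 as hexadecimal Winsock errors (0x2745 = 10053 WSAECONNABORTED, 0x2746 = 10054 WSAECONNRESET). Treating the bare "2746" in the ncphandler line as the same hex value as the "0x2746" in the DSSSL_recv line is an assumption based on the paired lines above, and the 2745 sample lines are constructed.

```python
import re
from collections import Counter

# Winsock codes; the log prints them in hex (assumed for the bare "2746" form too).
WINSOCK = {
    0x2745: "WSAECONNABORTED (10053): software caused connection abort",
    0x2746: "WSAECONNRESET (10054): connection reset by peer",
}
LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) dsNcService: "
    r"t(?P<thread>[0-9A-F]+) .*?'(?P<module>\w+)' \[\w+\] (?P<msg>.*)$"
)
ERR = re.compile(r"(?:returned 0x|due to error )(?P<code>[0-9A-Fa-f]{4})\b")
ATTEMPT = re.compile(r"reconnecting attempts = (\d+)")

def disconnects(log_text):
    """Return one dict per control-channel disconnect, with its reconnect attempt."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        err = ERR.search(m["msg"])
        if m["module"] == "ncphandler" and err:
            code = int(err["code"], 16)
            events.append({"ts": m["ts"], "code": code,
                           "meaning": WINSOCK.get(code, "unknown"), "attempt": None})
        elif m["module"] == "session" and events and events[-1]["attempt"] is None:
            n = ATTEMPT.search(m["msg"])
            if n:
                events[-1]["attempt"] = int(n[1])
    return events

def tally(events):
    """Count disconnects per decimal error code."""
    return dict(Counter(e["code"] for e in events))

# First three lines are from the thread; the last two are constructed sample data.
SAMPLE = """
2008/12/11 16:11:35.105 dsNcService: tC04 "DebugId" 'DSSSL_recv' [Debug] DSSSL_recv: returned 0x2746 error.
2008/12/11 16:11:35.105 dsNcService: t4EC "DebugId" 'ncphandler' [Debug] ncphandler: control channel disconnected due to error 2746
2008/12/11 16:11:35.105 dsNcService: t4EC "DebugId" 'session' [Debug] session: reconnecting attempts = 1
2008/12/11 17:42:10.220 dsNcService: t4EC "DebugId" 'ncphandler' [Debug] ncphandler: control channel disconnected due to error 2745
2008/12/11 17:42:10.220 dsNcService: t4EC "DebugId" 'session' [Debug] session: reconnecting attempts = 2
"""

if __name__ == "__main__":
    for e in disconnects(SAMPLE):
        print(e["ts"], e["meaning"], "reconnect attempt", e["attempt"])
```

The timestamps it returns give the window to look at in the tcpdump captures from the IVE external port and the NC client.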
06-09-2010 05:06 AM
I fixed my issue. My problem occurred because the ESP Rekey timer was set higher than the NCP Timeout. Even when you set your sessions to use ESP, NCP is still used to handle the control traffic. By default, the NCP timer is set to 2 hours. If you set your ESP rekey timeout to anything more than 2 hours, you will get this problem. The solution is either to leave the ESP timeout at 1 hour or to increase the NCP timeout to a value higher than the ESP timeout.
06-14-2010 02:13 PM
I found the rest of the blog and read about the ESP lifetime setting vs the NCP timeout. My ESP lifetime is set for 20 minutes and NCP timeout is 120 minutes, so I already fit the scenario that was described. I'm on 6.3R5 code. So far I have only seen this on the one user I am working with, so I will try some other things, but I was just checking to see if anyone else was still seeing the issue after adjusting the timers.
06-14-2010 06:01 PM
This only affects users who are using ESP. It will not affect users using NCP.
Also, most of my ESP users never complained because they typically did not stay connected for 2 hours. My users connect, replicate and disconnect.