Constant traffic on PPTP VPN Connection

 
 
John Steele
Guest
Posts: n/a
 
      1st Jul 2005
I have several remote Windows 2000/XP Pro workstations that make "permanent"
PPTP VPN connections to a VPN server in our office. All of these are
configured the same way and "call" the same VPN server using PPTP.

However one XP Pro machine has constant traffic on the VPN link. For example
between 1AM and 1PM this machine has sent/received some 544MB over the VPN. I
suspect that this is all overhead as the network usage in the XP Task Manager
shows less than 1% traffic average on the VPN or the primary Internet
connections. At our head office the primary router reports that some 17% of
the T-1 was occupied during this period --- if we drop this VPN the T-1 usage
drops to an average 4-5%.

We have deleted and reconfigured the remote VPN several times and the result
is always the same. The XP VPN is NOT configured to use the remote (head
office) gateway --- only head office traffic flows over the VPN, all other
uses the direct DSL connection. The remote is not configured to use head
office WINS servers and does not dynamically update the head office DNS.

Anyone have any idea why this machine exhibits this behavior and, more
importantly, how do I get rid of it?
 
 
 
 
 
Steve Duff [MVP]
Guest
Posts: n/a
 
      1st Jul 2005
If you haven't, do a malware scan on the machine. Then disable the computer browser service on it.

After this, you have two ways to diagnose the problem: you can start killing processes and services until you find the culprit, or
you can turn up netmon or Ethereal on the server to sniff the traffic and see what it is. 500MB is a lot more than just background
noise from any system process that a workstation would be doing, unless you are running WUS or something that would be pushing a lot
of updates.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
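
What "sniff the traffic and see what it is" comes down to once a capture has been saved, as an added example that is not part of the original thread: Python that totals bytes per protocol and port for one client from a classic libpcap file. The function names, addresses and sample packets are constructed for illustration, and it assumes an Ethernet-framed capture taken where the client's traffic is visible after the PPTP tunnel is terminated.

```python
import struct
from collections import Counter

def bytes_by_service(pcap: bytes, client_ip: str) -> Counter:
    """Total on-the-wire bytes per (protocol, port) for one client's IPv4 traffic."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # short frame or not IPv4
        proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if client_ip not in (src, dst) or proto not in (6, 17) or len(frame) < l4 + 4:
            continue                   # other host, not TCP/UDP, or truncated
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        # Charge the bytes to the lower port, normally the well-known service.
        totals[("tcp" if proto == 6 else "udp", min(sport, dport))] += orig
    return totals

def _frame(src, dst, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4 frame; only the fields parsed above are filled in."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64,
                     proto, 0, bytes(src), bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + bytes(4 + payload_len)

def sample_capture() -> bytes:
    """Constructed capture: one chatty client, one quiet one (made-up addresses)."""
    noisy, quiet, server = (10, 0, 0, 50), (10, 0, 0, 51), (10, 0, 0, 1)
    frames = [_frame(noisy, server, 17, 123, 123, 48)] * 200
    frames += [_frame(noisy, server, 6, 1045, 445, 100)] * 3
    frames += [_frame(quiet, server, 17, 123, 123, 48)] * 5
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (proto, port), size in bytes_by_service(sample_capture(), "10.0.0.50").most_common():
        print(f"{proto}/{port}: {size} bytes")
```

For a real capture, pass the file's bytes (`open(path, "rb").read()`) and the remote workstation's VPN address; captures saved as pcapng or in Network Monitor's own format need converting to classic libpcap first.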

 
 
 
 
John Steele
Guest
Posts: n/a
 
      2nd Jul 2005
Steve

Thanks. We are not running anything that would be pushing data to the
server, and certainly not at that level. The other thing that is confusing
is that it doesn't show up as network traffic in Task Manager and it only
occurs when the VPN is up.

I'll try the malware approach first and then I guess we'll have to go from
there.

John


 
John Steele
Guest
Posts: n/a
 
      2nd Jul 2005
Thanks.

Well, I found it. It was the Windows Time Service! I disabled this and the
problem simply stopped.




 
Phillip Windell
Guest
Posts: n/a
 
      5th Jul 2005
It is supposed to be running.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------


 
 
 