Timezone Border VPN Fix – Full Story

The Help Desk ticket had been in progress for over 5 hours over 2 days, as a remote user could not connect to the VPN. Despite hours of troubleshooting by both a Level 2 and a Level 3 technician, nobody could figure out why. John, my colleague at the help desk, said he had checked everything, and he had.

John had indeed tried almost everything: he did a full uninstall and reinstalled multiple versions of the Check Point VPN client, had the user try connecting from three or four different internet sources (home internet, mobile hotspot, coffee shop WiFi), checked firewall settings, verified the user’s account wasn’t locked, and confirmed their VPN permissions in Active Directory. Nothing worked. The VPN would connect briefly, then immediately disconnect with authentication errors.

As I got on the call with John and the employee in question, I allowed him to explain everything. John told me that it only kind of worked better for a minute at the local Starbucks or at her mom’s house. Then I saw my first clue: an MFA error in the logs, so we reset her MFA credentials. I then tried to log in to the VPN using her credentials and new MFA, and it worked perfectly fine on my computer.

Then I heard the magic words: “She lives in Indiana near the Illinois border.”

Then I asked something that seemed unrelated: “Where exactly do you live? What’s your address?” The user gave me their address, and I looked it up on a map. That’s when I saw it – they lived right on the border between the Central and Eastern time zones. The majority of the town she lived in was literally positioned where the time zone boundary ran through their county, and the one place it sometimes worked better, the Starbucks, was positioned just outside of the CST / EST time zone line.

I had a hunch about what was happening. Our VPN authentication used time-based tokens – the server and the client needed to agree on what time it was in order to validate the authentication. If the user’s computer was set to one time zone but their actual location was being detected as another, the timestamps wouldn’t match and authentication would fail. I asked John to check the user’s time zone config. It was set to “Automatic”.

I explained that this meant Windows was trying to be smart about their time zone but getting confused by their border location.

I had John set their time zone to Central and made them reboot. The VPN connected immediately and stayed connected. John was blown away, and when he told the other Level 3, he almost couldn’t believe that a time zone jumping around caused them 5+ hours of pain.