Fast answer
Chronic VPN drops usually trace to: a firewall handling more tunnels than it was sized for, MTU/fragmentation mismatches that kill specific applications, idle timeouts tuned for security theatre instead of real work, home-router conflicts (double NAT, aggressive session tables), or an unstable office-side connection that drops every tunnel at once. Each has a specific fix — and for many businesses, per-app zero-trust access beats the full-tunnel VPN entirely.
The office side: one undersized box, everyone suffers
\nVPN encryption is CPU-intensive. A firewall sized years ago for five occasional remote users now terminates twenty daily tunnels, and at peak load it drops the oldest sessions to survive. The pattern that gives it away: disconnects cluster at busy hours and affect multiple people simultaneously.
\nAlso on the office side: if the office internet connection itself blips, every tunnel drops at once. Dual-WAN failover with session preservation keeps remote workers connected through ISP hiccups — part of proper network design.
\n\nMTU: the obscure setting behind \'VPN connects but X doesn\'t work\'
\nVPN encapsulation adds overhead to every packet. When packet sizes exceed what the path supports, large packets fragment or silently vanish — producing the maddening symptom where the VPN connects fine, small things work, but file copies stall and specific apps hang. It looks random; it\'s deterministic.
\nThe fix: measure the real path MTU and set tunnel parameters accordingly. Fifteen minutes of engineering that ends months of mystery tickets.
\n\nTimeouts, keepalives, and the home-network wildcard
\n- \n
- Idle timeouts that kill sessions during lunch force constant re-logins — modern MFA-backed tunnels can hold sessions safely for a full workday. \n
- Missing keepalives let home routers silently expire the tunnel\'s NAT entry — the VPN looks connected but traffic stops. \n
- Double NAT (ISP modem + user\'s own router) breaks some VPN protocols outright; switching protocol or fixing modem bridge mode resolves it. \n
- One user with chronic drops usually means a home network problem; everyone dropping means office side. Triage by pattern first. \n
The bigger question: do you still need a full VPN?
\nTraditional VPNs put remote users "inside the office network" — which is both the security problem (a compromised laptop is now inside) and the reliability problem (everything depends on one tunnel). Zero-trust access flips it: users authenticate per application, with MFA, and never join the network at all. File access, internal apps, and desktops each get their own authenticated path.
\nFor teams whose remote work is mostly Microsoft 365 plus one or two internal systems, replacing the VPN with per-app access removes the disconnection problem class entirely. We implement both — tuned VPN or zero-trust — based on what your team actually accesses. That decision is part of our security engineering.
\n\n