dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1184
share rss forum feed


JakeTheSnake

@cgocable.net

L2TP VPN disconnects on sustained file transfer from VPN server > client

**VPN Server:**

- Windows Server 2008 x86
- RRAS installed and running
- All necessary firewall ports are open, I no longer get rejected log entries
- Behind router which is DHCP, serving 192.168.0.2 to 192.168.0.99
- Its IP is 192.168.0.3 on the router's LAN
- Serves static IP address to VPN clients from 192.168.0.101 to 192.168.0.111...the internal VPN gateway is 192.168.0.100
- IPv6 inactive
- Connected VPN clients can ping LAN clients as well as server, and can browse and download files*
- L2TP connection using windows authentication with a preshared key
- Multilink connections with BAP/BACP selected
- LCP extensions selected
- Software compression selected
- MTU of "RAS (Dial In) Interface" set to 1400, as I went through ping tests to client while client was connected via VPN.

**VPN Client:**

- Windows 7 x64
- Behind router which is DHCP, serving 192.168.1.2 to 192.168.1.irrelevant
- AssumeUDPEncapsulationContextOnSendRule set to 2 as both my client and the VPN server are NATed
- I get no firewall blocked entries in the logs (fixed, originally I wasn't able to ping from server to client until I opened ports)
- LCP/Software/Multilink all selected
- Requires encryption, only CHAP v2 selected
- IPv6 unchecked
- Unchecked 'use default gateway on remote network'
- MTU of "Work VPN" set to 1360, as I went through ping tests to server while client was connected to VPN.

---

* So with all that out of the way, my problem is that when I try and download "large enough" files from the VPN LAN to my client PC, I get disconnected very early on. For small files like less than 500KB it's OK. But I try and transfer an 80MB file and not even 10 seconds into it the file transfer stalls because I've been disconnected. I don't get a "you've been disconnected from the VPN" message, everything just stops working. I can no longer even browse. I can provide server RRAS logs but I don't know which files to look at; there are a lot and I can't decipher the meaning of the logs entries in %windir%\tracing. I also have wireshark on both the server and client in case that helps.


HELLFIRE
Premium
join:2009-11-25
kudos:12

If you could post the server-side logs... that would be a start. A general recommendation is to make sure
it's timestamping things with an NTP-synced stamp so as to correlate things better.

Wireshark can also help... are you seeing anything wierd / whacky in it, or you don't have a clue how
to read wireshark captures?

Regards



JakeTheSnake

@74.198.251.x

With Wireshark it's strange...I see a whole bunch of ESP packets being sent/received and the reason why I stop receiving ESP packets is inconsistent and nonsensical to me. One time it was when a local LAN computer sent out a ping request to the client machine, another time there was a 'duplicate packet' or something. I'll just do another test and post it - but it'll be sometime later on tonight. Should I be running Wireshark on the server instead? Is there a way to export an inspection from wireshark so I can post it? As for server-side logs, which files do you need? There's a crap-tonne in the %windir%\tracing folder.

Also, I just switched from Telus mobile internet to Rogers mobile internet and I'm still getting the same issue. I also tried switching from L2TP to PPTP and while the transfer lasted longer before crapping out, it still did.



eibgrad

join:2010-03-15
reply to JakeTheSnake

Hmm, so this is over the cellular network, on both sides. Frankly, I’m not sure I’d fully trust the reliability of ANY cellular network for large file transfers. You can hardly depend on it for voice.

Does the problem happen in both directions? IOW, if the server side becomes the client? Is it possible to test the same file transfer from outside the VPN, say from webserver to a browser? FTP file transfer?

In cases like these, you need to try numerous other tests that help isolate the culprit. That’s why I’m suggesting you go beyond just comparing one VPN to another.



JakeTheSnake

@74.198.251.x

It actually isn't cellular on both ends, just on the server end. The client is using cogeco. I haven't had issues with FTP. We don't allow incoming connections to our web servers because they're all meant for in-house use (point of sale, manager suite). However I have browsed to those websites while logged into the VPN. I don't think there was an issue because generally the file sizes are so small.

So as far as I know right now, it's just direct file transfer (i.e., drag-n-drop) that's causing the connection to drop.



eibgrad

join:2010-03-15
reply to JakeTheSnake

You haven't had problems w/ FTP *outside* the VPN?



JakeTheSnake

@cgocable.net

I just tested the FTP within the VPN (i.e., home network is 192.168.1.x, VPN network is 192.168.0.x, so I FTPed into 192.168.0.20) and the problem occurred again. FTP from outside the VPN works just fine.



JakeTheSnake

@cgocable.net

Also, using Wireshark on the server, after a bunch of ESP packets there's like 10 or so SSDP "NOTIFY" packets being sent by the router. Then the ESP packets stop. There's 1 ESP packet sent long afterwards but by then the file transfer has stopped and the client is dropped.



JakeTheSnake

@cgocable.net

IPRouterManager.LOG:

[3920] 20:09:10: HandleRcvPkt: Rcvd pkt from 192.168.0.20 to 239.255.255.250 on 10
[3920] 20:09:10: Setting MFE: FAFFFFEF, 1400A8C0, In Index 10, Outgoing Number of Interfaces 1

[3920] 20:09:10: Out IF [0] { 13, 1778428096 }
[3792] 20:09:19: OnRouteChange: Route Deletion Notification
[3792] 20:09:19: INFO: Converted interface Luid 0x17000002000000 to Index 13.
[3792] 20:09:19: ConvertRouteInfoToRtm: pRouteInfo->Flags1 (0x0)
[3792] 20:09:19: ConvertRouteInfoToRtm: Flags: pRouteInfo (0x0), dwRouteFlags (0x0), pRtInfo (0x0)
[3792] 20:09:20: ChangeRouteWithForwarder: Deleting all routes to 192.168.0.106/255.255.255.255
[3792] 20:09:20: GetFirstRouteInfoForDestination returns with 0x0; Index = 1817538989; Dest = 0x6a00a8c0; nexthop = 0x6c56a6d8
[3792] 20:09:20: AllocateAndGetIpAddrTable returns with 0x0
[3792] 20:09:20: IsOnLinkRoute: 0
[3792] 20:09:20: DeleteIpForwardEntry returns with 0x2; Index = 1817538989; Dest = 0x6a00a8c0; nexthop = 0x6c56a6d8
[3792] 20:09:20: SetIpForwardEntry returns with 0x2

[3944] 20:09:21: DeleteInterface: Deleting Administrator,
[3944] 20:09:21: Setting MFE: FAFFFFEF, 1500A8C0, In Index 0, Outgoing Number of Interfaces 0

[3944] 20:09:21: Setting MFE: FAFFFFEF, 1400A8C0, In Index 0, Outgoing Number of Interfaces 0

[3944] 20:09:21: Setting MFE: FAFFFFEF, 100A8C0, In Index 0, Outgoing Number of Interfaces 0

[3944] 20:09:21: DeleteSingleInterface: Freeing memory for interface Administrator of type 1 at 4B01C68
[3944] 20:09:21: DeleteFilterInterface: No context, assuming interface Administrator not added to filter driver
[3944] 20:09:21: DeleteInterface: Deleting Administrator,
[3944] 20:09:21: DeleteSingleInterface: Freeing memory for interface Administrator of type 0 at 4B01B38
[3944] 20:09:21: DeleteFilterInterface: No context, assuming interface Administrator not added to filter driver
[3024] 20:14:21: HandleRcvPkt: Rcvd pkt from 192.168.0.1 to 239.255.255.250 on 10

said by JakeTheSnake :

Also, using Wireshark on the server, after a bunch of ESP packets there's like 10 or so SSDP "NOTIFY" packets being sent by the router. Then the ESP packets stop. There's 1 ESP packet sent long afterwards but by then the file transfer has stopped and the client is dropped.

RASMAN.LOG:

[3388] 01-09 20:09:02:595: Cleaning up process 3724
[3388] 01-09 20:09:02:595: CleanUpEventQueue:
[3388] 01-09 20:09:02:595: Freeing handle for 3724
[3388] 01-09 20:09:02:595: Rasman RefCount = 1
[2852] 01-09 20:09:08:446: BackGoundCleanUp
[2852] 01-09 20:09:08:446: OVEVT_RASMAN_ADJUST_TIMER
[2852] 01-09 20:09:18:498: BackGoundCleanUp
[2852] 01-09 20:09:18:498: OVEVT_RASMAN_ADJUST_TIMER
[2852] 01-09 20:09:19:034: WorkerThread: Disconnect event signaled on port: VPN1-11
[2852] 01-09 20:09:19:034: OVEVT_DEV_STATECHANGE. pOverlapped = 0x1f5b58
[2852] 01-09 20:09:19:034: d:\rtm\net\rras\ras\rasman\rasman\worker.c, 2020: Disconnecting port 12, connection 0x0, reason 1
[2852] 01-09 20:09:19:034: Disconnecting Port 0xVPN1-11, reason 1
[2852] 01-09 20:09:19:034: DisconnectPort: Saving Bundle stats for port VPN1-11
[2852] 01-09 20:09:19:034: 10. Throwing away handle 0x0!
[2852] 01-09 20:09:19:034: d:\rtm\net\rras\ras\rasman\rasman\util.c 2358: Disconnected Port 12, reason 1. rc=0x0
[2852] 01-09 20:09:19:034: d:\rtm\net\rras\ras\rasman\rasman\util.c: 2468: port 12 state chg: prev=2, new=3
[2852] 01-09 20:09:19:034: d:\rtm\net\rras\ras\rasman\rasman\util.c: 2484: port 12 state chg: prev=3, new=4
[2852] 01-09 20:09:19:034: 5. Notifying of disconnect on port 12
[2852] 01-09 20:09:19:034: d:\rtm\net\rras\ras\rasman\rasman\util.c: 2598: port 12 async reqtype chg: prev=26, new=0
[2852] 01-09 20:09:19:034: ***** DisconnectType=1,DisconnectReason=4,pConn=0x0,cbports=0,signaled=0,hEvent=0xffffffff,fRedial=0
[2852] 01-09 20:09:19:034: DisconnectPort Complete
[2852] 01-09 20:09:19:034: d:\rtm\net\rras\ras\rasman\rasman\worker.c: 2066: port 12 state chg: prev=4, new=4
[2852] 01-09 20:09:19:034: d:\rtm\net\rras\ras\rasman\rasman\worker.c: 2070: port 12 async reqtype chg: prev=0, new=0
[2944] 01-09 20:09:19:058: DeallocateRouteRequestCommon: pBundle=0x106600c0, type=0x800
[2944] 01-09 20:09:19:058: DeActivated Route , bundlehandle 0x6, prottype = 2048
[2944] 01-09 20:09:19:058: DeAllocateRoute: PI_Type=0x800, PI_AdapterName=\DEVICE\{6E06F030-7526-11D2-BAF4-00600815A4BD}, PI_Allocated=-1
[2944] 01-09 20:09:19:058: FreeBundle: freeing pBundle=0x106600c0
[3944] 01-09 20:09:21:042: SendNotificationRequest
[3944] 01-09 20:09:21:044: DwSendNotification: IRasEventNotify::RasEvent returned S_FALSE
[3944] 01-09 20:09:21:044: DwSendNotification returned 0x0
[3944] 01-09 20:09:21:045: AddIpSecFilter, port=12, fServer=1, encryption=4
[3944] 01-09 20:09:21:045: DwInitializeIpSec: fOnFailure set to 0
[3944] 01-09 20:09:21:045: Port 12 already has a plumbed filter
[3944] 01-09 20:09:21:045: EnableIpSec: port=VPN1-11, fServer=1, fEnable = 1, rc=0x0
[3944] 01-09 20:09:21:045: DeviceListenRequest: Clearing Autoclose flag on port VPN1-11
[3944] 01-09 20:09:21:045: d:\rtm\net\rras\ras\rasman\rasman\util.c: 2805: port 12 state chg: prev=4, new=1
[3944] 01-09 20:09:21:045: d:\rtm\net\rras\ras\rasman\rasman\util.c: 2836: port 12 async reqtype chg: prev=0, new=27
[3944] 01-09 20:09:21:045: Listen posted on port: VPN1-11, error code 600
[2852] 01-09 20:09:28:503: BackGoundCleanUp
said by JakeTheSnake :

Also, using Wireshark on the server, after a bunch of ESP packets there's like 10 or so SSDP "NOTIFY" packets being sent by the router. Then the ESP packets stop. There's 1 ESP packet sent long afterwards but by then the file transfer has stopped and the client is dropped.

PPP.LOG:

[2944] 01-09 20:06:39:759: PPP packet sent at 01/10/2014 01:06:39:759
[2944] 01-09 20:06:39:759: Protocol = IPCP, Type = Configure-Ack, Length = 0x18, Id = 0x7, Port = 12
[2944] 20:06:39:759: 80 21 02 07 00 16 03 06 C0 A8 00 6A 81 06 C0 A8 |.!.........j....|
[2944] 20:06:39:759: 00 03 83 06 C0 A8 00 01 00 00 00 00 00 00 00 00 |................|
[2944] 01-09 20:06:39:759:
[2944] 01-09 20:06:39:759: FsmThisLayerUp called for protocol = 8021, port = 12
[2944] 01-09 20:06:39:769: Notifying IPCP of projection notification
[2944] 01-09 20:06:39:769: Server: Ipv4 successful for Guid {25F0B0BC-B681-4416-9884-F547F16EB5DC}
[2944] 01-09 20:06:39:769: RemoveFromTimerQ called portid=10,Id=0,Protocol=0,EventType=3,fAuth=0
[2944] 01-09 20:06:39:769: NotifyCaller(hPort=12, dwMsgId=13)
[2852] 01-09 20:09:19:034: PPPEMSG_LineDown recvd, hPort=12

[2944] 01-09 20:09:19:034: Line down event occurred on port 12
[2944] 01-09 20:09:19:034: FsmDown event received for protocol c021 on port 12
[2944] 01-09 20:09:19:034: RemoveFromTimerQ called portid=10,Id=2,Protocol=c021,EventType=0,fAuth=0
[2944] 01-09 20:09:19:034: FsmThisLayerDown called for protocol = c021, port = 12
[2944] 01-09 20:09:19:035: FsmDown event received for protocol 80fd on port 12
[2944] 01-09 20:09:19:035: RemoveFromTimerQ called portid=10,Id=4,Protocol=80fd,EventType=0,fAuth=0
[2944] 01-09 20:09:19:035: FsmThisLayerDown called for protocol = 80fd, port = 12
[2944] 01-09 20:09:19:035: FsmReset called for protocol = 80fd, port = 12
[2944] 01-09 20:09:19:035: FsmDown event received for protocol 8021 on port 12
[2944] 01-09 20:09:19:035: RemoveFromTimerQ called portid=10,Id=5,Protocol=8021,EventType=0,fAuth=0
[2944] 01-09 20:09:19:035: FsmThisLayerDown called for protocol = 8021, port = 12
[2944] 01-09 20:09:19:035: FsmReset called for protocol = 8021, port = 12
[2944] 01-09 20:09:19:035: FsmReset called for protocol = c021, port = 12
[2944] 01-09 20:09:19:035: RemoveFromTimerQ called portid=10,Id=0,Protocol=0,EventType=3,fAuth=0
[2944] 01-09 20:09:19:035: RemoveFromTimerQ called portid=10,Id=0,Protocol=0,EventType=7,fAuth=0
[2944] 01-09 20:09:19:035: RemoveFromTimerQ called portid=10,Id=0,Protocol=0,EventType=2,fAuth=0
[2944] 01-09 20:09:19:035: RemoveFromTimerQ called portid=10,Id=0,Protocol=0,EventType=1,fAuth=0
[2944] 01-09 20:09:19:035: RemoveFromTimerQ called portid=10,Id=0,Protocol=0,EventType=4,fAuth=0
[2944] 01-09 20:09:19:035: RemoveFromTimerQ called portid=10,Id=0,Protocol=0,EventType=6,fAuth=0
[3920] 01-09 20:09:19:039: Stopping Accounting for port 12
[2944] 01-09 20:09:19:058: LcpEnd
[2944] 01-09 20:09:21:041: Post line down event occurred on port 12
[2944] 01-09 20:09:21:041: NotifyCaller(hPort=12, dwMsgId=23)
said by JakeTheSnake :

Also, using Wireshark on the server, after a bunch of ESP packets there's like 10 or so SSDP "NOTIFY" packets being sent by the router. Then the ESP packets stop. There's 1 ESP packet sent long afterwards but by then the file transfer has stopped and the client is dropped.


HELLFIRE
Premium
join:2009-11-25
kudos:12
reply to JakeTheSnake

said by JakeTheSnake :

I see a whole bunch of ESP packets being sent/received and the reason why I stop receiving ESP packets is inconsistent and nonsensical to me.

ESP is for encrypted traffic... so you won't be able to tell WHAT is being transmitted, but at least you
can tell SOMEthing is being sent.

You'll also likely want to do captures on both ends for side by side comparisons.

said by JakeTheSnake :

there's like 10 or so SSDP "NOTIFY" packets being sent by the router.

SSDP aka UPNP traffic... ignore it.

said by JakeTheSnake :

There's 1 ESP packet sent long afterwards but by then the file transfer has stopped and the client is dropped.

...be interested to see said capture... you do know you can attach files to your threads, right?
Of course, don't do it if said capture is a Gigbyte in size...

Can't make heads or tails of your logs, about the only thing that MAY point you in a direction is the following :

[2852] 01-09 20:09:19:034: d:\rtm\net\rras\ras\rasman\rasman\worker.c, 2020: Disconnecting port 12, connection 0x0, reason 
 
1
 

[3944] 01-09 20:09:21:045: Listen posted on port: VPN1-11, error code 600
 

Regards


JakeTheSnake

@cgocable.net

I didn't want to post the captured packets directly because they expose my IP address, so I exported to .txt file.

»www.sendspace.com/file/do45xl

HELLFIRE
Premium
join:2009-11-25
kudos:12
reply to JakeTheSnake

Unfortunately, without the original PCAP files -- and by extension revealing your IP address -- a) I can't open
10MB text files, and b) I kind of need wireshark's features to be able to look at those files...

...your choice, OP.

Regards

Expand your moderator at work