Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 8 replies
  • Subscribers 6 subscribers
  • Views 17885 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP VPN fails since 9.5 update

Aoffield

Since the last update to UTM9.5, my VPN clients (Windows 10) are being disconnected post successful login.  Nothing has changed other than UTM updates.

 

Log is reporting :

2017:06:25-09:22:47 FWALL pppd-l2tp[24747]: DHCPC: plugin initialized
2017:06:25-09:22:47 FWALL openl2tpd[30298]: PROTO: tunl 59129/24434: sending CDN to peer 7/1
2017:06:25-09:22:47 FWALL openl2tpd[30298]: PROTO: tunl 59129: STOPCCN received
2017:06:25-09:22:47 FWALL openl2tpd[30298]: PROTO: tunl 59129: STOPCCN error 6/0: Requester is being shut down
 
Tried numerous clients and all giving the same error, I've reset all passwords and passkeys but as soon as I logon, the status changes to 'verifying user' then fails.
 
 
Has something changed in openvpn for windows clients?
 
Any insight appreciated.
 
Thanks


This thread was automatically locked due to age.
  • 0

    So it would seem to be related to my external DHCP Server configured for administering the remote users IP's, if I change this to VPN pool, the connection completes.  Nothing has changed on the DHCP server (other than latest MS patches), it is still servicing the IPs for the LAN, and is on the same LAN/Server IP.  Has 9.5 enforced a firewall rule that I'm not aware of?

    What would prevent VPN from successfully receiving an DHCP IP address?

     

    Looking at DHCP logs on DHCP server but can't find any smoking gun :(?

     

    Any ideas?

     

    Thanks

  • 0 in reply to Aoffield

    I've found a solution but not sure why I've had to make the changes.  Using only the default VPN pool (10.242.x) was preventing me from accessing the local LAN (192.168.137.x) through VPN as the default gateway of the remote network (192.168.17.x) which the VPN client is on, was trying to resolve the local LAN ips.

    Left the VPN pool as is but assigned static IP to the user, an IP in the same range as the local LAN, now I can access local resources and resolve FQDN.  Had to exclude the static IP from the local DHCP server so no conflicts.

    Considering I didn't have this issue two weeks ago, I'm surprised at the hacks I've had to do to get back to where I was.  Why give an option for DHCP Server if it isn't supposed to work?

    Would like to get UTM9.5 to use my local DHCP server rather than assigning static ips, any ideas?

     

    Thanks

  • 0 in reply to Aoffield

    Same Problem which I have too, your idea changing dhcp Server to adress range seems to be a Workaround.

    Strange behaviour, hope Sophos can Change this behaviour for us

     

  • 0

    We are also having this issue since as of 2 weeks ago.

     

    Narrowed it down to DHCP before finding this thread. Tested everything from the UTM right through to our DHCP server and nothing has changed in nearly a month.

  • 0 in reply to Matt Thompson1

    See my comment on Dave's thread.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    are there any official informations from sophos?

     

    at the moment we're on version 9.413 and don't update cause l2tp is highly used in my company.

    for this we have an extra interface with a public ip, autentication via preshared key and RADIUS. The users assigned to an ip by a address pool. Not the default, (10.0.249.0/24)

  • 0 in reply to logan517

    Hello logan,

     

    no we have no News from our Partner who opened a Sophos case for this problem...

    I also created a new ip pool as quick and dirty solution, our problem is that you cannot use the internal dhcp Server since update...

  • 0 in reply to dave m1

    Guys, This is one of the vagaries of this package.  When you use L2TP/IPsec, you cannot count on every Up2Date to be able to deal correctly with "VPN Pool (L2TP)" IPs in the same subnet as a LAN.  By the same token, using the internal DHCP server for L2TP/IPsec Remote Access is not a good idea.  This is why I called using the default "VPN Pool (L2TP)" a best practice.  Over the last 10 years, I've only seen brief periods where what you've been doing doesn't cause routing problems.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML