VPN tunnel is up but still no RDP connection

Hello,

perhaps someone can help me with the following problem:

A customer is supposed to set up a Site2Site connection with our firewall. The firewall marks the tunnel green. Nevertheless, the customer cannot reach our terminal server through the tunnel, even though a rule would allow it.
I have now found the following in the log, which I find very strange; does anyone have an idea? My connections to other Site2Site peers look different.


2021-09-10 10:11:25 03[NET] received packet: from 154.14.XXX.XXX[4500] to 217.YYY.YYY.YYY[4500] on Port2_ppp
2021-09-10 10:11:25 03[NET] waiting for data on sockets
2021-09-10 10:11:25 10[NET] <L2TP_Schulzdialog-1|19594> received packet: from 154.14.XXX.XXX[4500] to 217.YYY.YYY.YYY[4500] (476 bytes)
2021-09-10 10:11:25 10[ENC] <L2TP_Schulzdialog-1|19594> parsed QUICK_MODE request 5 [ HASH SA KE No ID ID ]
2021-09-10 10:11:25 10[IKE] <L2TP_Schulzdialog-1|19594> ### process_request invoking quick_mode_create
2021-09-10 10:11:25 10[IKE] <L2TP_Schulzdialog-1|19594> ### quick_mode_create: 0x7f282c008c30 config (nil)
2021-09-10 10:11:25 10[IKE] <L2TP_Schulzdialog-1|19594> ### process_r: 0x7f282c008c30 QM_INIT
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594> looking for a child config for 192.0.0.0/24 === 10.48.15.2/32
2021-09-10 10:11:25 10[IKE] <L2TP_Schulzdialog-1|19594> trying other candidates from phase 1
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594> looking for a child config for 192.0.0.0/24 === 10.48.15.2/32
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594>   candidate "from_nl-1" with prio 5+1
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594> found matching child config "from_nl-1" with prio 6
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594>  config: 10.48.0.0/12, received: 10.48.15.2/32 => match: 10.48.15.2/32
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594>  config: 192.0.0.0/24, received: 192.0.0.0/24 => match: 192.0.0.0/24
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594> selecting proposal:
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594>   proposal matches
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
2021-09-10 10:11:25 10[CFG] <L2TP_Schulzdialog-1|19594> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
2021-09-10 10:11:25 10[IKE] <L2TP_Schulzdialog-1|19594> ### build_r: 0x7f282c008c30 QM_INIT
2021-09-10 10:11:25 10[ENC] <L2TP_Schulzdialog-1|19594> generating QUICK_MODE response 5 [ HASH SA No KE ID ID ]
2021-09-10 10:11:25 10[NET] <L2TP_Schulzdialog-1|19594> sending packet: from 217.YYY.YYY.YYY[4500] to 154.14.XXX.XXX[4500] (460 bytes)
2021-09-10 10:11:25 04[NET] sending packet: from 217.YYY.YYY.YYY[4500] to 154.14.XXX.XXX[4500]
2021-09-10 10:11:25 03[NET] received packet: from 154.14.XXX.XXX[4500] to 217.YYY.YYY.YYY[4500] on Port2_ppp
2021-09-10 10:11:25 03[NET] waiting for data on sockets
2021-09-10 10:11:25 16[NET] <L2TP_Schulzdialog-1|19594> received packet: from 154.14.XXX.XXX[4500] to 217.YYY.YYY.YYY[4500] (76 bytes)
2021-09-10 10:11:25 16[ENC] <L2TP_Schulzdialog-1|19594> parsed QUICK_MODE request 5 [ HASH ]
2021-09-10 10:11:25 16[IKE] <L2TP_Schulzdialog-1|19594> ### process_r: 0x7f282c008c30 QM_NEGOTIATED
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594> CHILD_SA from_nl-1{34785} state change: CREATED => INSTALLING
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (may_handle_request) L2TP_Schulzdialog-1: 0 work queue items, 1024 max work queue items,  returning 1
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (child_cop_updown_ready) L2TP_Schulzdialog-1: child from_nl-1{34785} UP: verdict 1
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594>   using AES_CBC for encryption
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594>   using HMAC_SHA2_256_128 for integrity
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594> adding inbound ESP SA
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594>   SPI 0xce6bfb8a, src 154.14.XXX.XXX dst 217.YYY.YYY.YYY
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594>   using HMAC_SHA2_256_128 with 96-bit truncation
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594> adding outbound ESP SA
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594>   SPI 0x279f0fb6, src 217.YYY.YYY.YYY dst 154.14.XXX.XXX
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594>   using HMAC_SHA2_256_128 with 96-bit truncation
2021-09-10 10:11:25 16[CHD] <L2TP_Schulzdialog-1|19594> CHILD_SA from_nl-1{34785} state change: INSTALLING => INSTALLED
2021-09-10 10:11:25 16[IKE] <L2TP_Schulzdialog-1|19594> CHILD_SA from_nl-1{34785} established with SPIs ce6bfb8a_i 279f0fb6_o and TS 192.0.0.0/24 === 10.48.15.2/32
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [SSO] (get_cfg) [CFG] sso: 0
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [SSO] (sso_invoke_once) SSO is disabled.
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (cop_updown_invoke_once) no user identification is provided!
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (192.0.0.0/24#10.48.15.2/32)
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 0 to 1 ++ up ++ (217.YYY.YYY.YYY#154.14.XXX.XXX)
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (get_cfg) [CFG] IPtables: 1
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (get_cfg) [CFG] route: 1
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (get_cfg) [CFG] vti: 0
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (get_cfg) [CFG] ipsec0: 1
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (cop_updown_invoke_once) UID: 19594 Net: Local 217.YYY.YYY.YYY Remote 154.14.XXX.XXX Connection: from_certis_nl Fullname: L2TP_Schulzdialog-1
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (put_updown_work) Creating new worklist and worker job for L2TP_Schulzdialog-1
2021-09-10 10:11:25 16[APP] <L2TP_Schulzdialog-1|19594> [COP-UPDOWN] (put_updown_work) Starting job as worker 0
2021-09-10 10:11:25 11[APP] [COP-UPDOWN] (process_updown_work) [0] beginning work
2021-09-10 10:11:25 16[IKE] <L2TP_Schulzdialog-1|19594> ### destroy: 0x7f282c008c30
2021-09-10 10:11:25 11[APP] [COP-UPDOWN] (process_updown_work) [0] begin work on item 1, 0 remaining items
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][DB] (db_conn_info) db_conn_info
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'from_certis_nl' result --> id: '9', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
2021-09-10 10:11:25 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown ++ up ++
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"217.YYY.YYY.YYY","remote_server":"154.14.XXX.XXX","action":"enable","family":"0","conntype":"ntn","compress":"0"}'': success 0
2021-09-10 10:11:25 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown ++ up ++
2021-09-10 10:11:25 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] NTN get actual...
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][DB] (db_query) No data retrieved from query: 'SELECT ( nath.netid  || '/'  || nath.netmask ) AS natedlan FROM   tblvpnconnhostrel AS rel    JOIN tblhost AS h  ON h.hostid = rel.hostid    JOIN tblhost AS nath  ON rel .natedhost = nath.hostid WHERE  rel.connectionid = $1    AND rel.hostlocation = 'L'    AND h.netid = $2    AND h.netmask = $3 LIMIT  1;' status: 2 rows: 0
2021-09-10 10:11:25 11[APP]  
2021-09-10 10:11:25 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] No NAT configured for 192.0.0.0/24
2021-09-10 10:11:25 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [IPSEC0] using ipsec dummy interface 'ipsec0'
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][NET] (get_src_ip) dest_str: 192.0.0.0
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][NET] (get_src_ip) source address for 192.0.0.0 is IP: 192.0.0.10
2021-09-10 10:11:25 11[APP]
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 10.48.15.2/32 dev ipsec0 src 192.0.0.10 table 220': success 0
2021-09-10 10:11:25 11[APP] [COP-UPDOWN] (add_routes) no routes to add for from_certis_nl on interface ipsec0
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route flush cache': success 0
2021-09-10 10:11:25 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route flush cache': success 0
2021-09-10 10:11:25 23[IKE] <TGB_IKE2-1|19597> keeping statically configured path 217.YYY.YYY.YYY - 94.31.103.170
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"217.YYY.YYY.YYY","peer":"154.14.XXX.XXX","mynet":"192.0.0.0/24","peernet":"10.48.15.2/32","connop":"1","iface":"Port2_ppp","myproto":"0","myport":"0","peerproto":"0","peerport":"0","conntype":"ntn","actnet":"","compress":"0","conn_id":"9"}'': success 0
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': conntrack v1.4.5 (conntrack-tools): 1 flow entries have been deleted.
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': proto=udp      proto-no=17 timeout=15 orig-src=192.0.0.51 orig-dst=213.172.105.106 orig-sport=38185 orig-dport=123 packets=1 bytes=76 reply-src=213.172.105.106 reply-dst=217.YYY.YYY.YYY reply-sport=123 reply-dport=38185 packets=1 bytes=76 mark=0x8001 use=1 id=177969088 masterid=0 devin=Port1 devout=Port2_ppp nseid=0 ips=3 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=5 natid=3 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0xc sigoffload=0 inzone=1 outzone=2 devinindex
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': =9 devoutindex=43 hb_src=0 hb_dst=0 flags0=0x10000a080020000a flags1=0x52020800000 flagvalues=1,3,21,35,41,43,60,87,93,101,104,106 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=7c:5a:1c:9d:29:22 src_mac=ac:cc:8e:73:1e:49 startstamp=1631261471 microflowid[0]=2249700 microflowrev[0]=2 microflow[1]=INVALID hostrev[0]=1 hostrev[1]=0 ipspid=0 diffserv=0 loindex=43 tlsruleid=0 ips_nfqueue=2 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=4425 current_state[1]=4425 vlan_id=0 inmark=
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': 0x0 brinindex=33 sessionid=1785 sessionidrev=9015 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': success 0
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': conntrack v1.4.5 (conntrack-tools): 1 flow entries have been deleted.
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': proto=udp      proto-no=17 timeout=17 orig-src=192.168.3.5 orig-dst=192.0.0.111 orig-sport=57827 orig-dport=3389 packets=1 bytes=40 [UNREPLIED] reply-src=192.0.0.111 reply-dst=192.0.0.10 reply-sport=3389 reply-dport=57827 packets=0 bytes=0 mark=0x0 use=1 id=1430124480 masterid=0 devin=ipsec0 devout=br0 nseid=0 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=12 natid=5 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0xd sigoffload=0 inzone=5 outzone=1 devinindex=2 d
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': evoutindex=33 hb_src=0 hb_dst=0 flags0=0xa0000200008 flags1=0x52800800000 flagvalues=3,21,41,43,87,99,101,104,106 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=45:00:00:28:35:d7 src_mac=00:00:80:11:80:d1 startstamp=1631261473 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=33 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=4425 current_state[1]=0 vlan_id=0 inmark=0x200 brinindex=0 sessionid=2641 session
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': idrev=49645 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': success 0
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --protonum=50': conntrack v1.4.5 (conntrack-tools): 0 flow entries have been deleted.
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --protonum=50': error returned 1
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][STATUS] (db_status_update) conn_name: from_certis_nl count: 1
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/opcode set_timer_mail_updown -s nosync -t json -b '{"event":"up","conn":"from_certis_nl","local_net":"192.0.0.0/24","remote_net":"10.48.15.2/32","reason":"0"}'': success 0
2021-09-10 10:11:26 11[APP] [COP-UPDOWN] (remove_gre_conntracks) GRE conntrack removal of connection from_certis_nl: 0 GRE tunnels configured
2021-09-10 10:11:26 11[APP] [COP-UPDOWN] (process_updown_work) [0] end work on item 1
2021-09-10 10:11:26 11[APP] [COP-UPDOWN] (process_updown_work) [0] finished after processing 1 items
2021-09-10 10:11:26 11[APP] [COP-UPDOWN] (updown_job_destroy) [0] updown job destroy
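Added example, not part of this thread: a small Python script that reads the "CHILD_SA ... established ... TS" line and the conntrack entries quoted in the log above and reports any flow that arrived on ipsec0 whose source and destination are not covered by the negotiated traffic selectors (here 192.0.0.0/24 === 10.48.15.2/32). A flow outside the selectors cannot be carried by that SA regardless of the firewall rule, so it is worth checking before looking at routing or MTU. The sample lines are abbreviated from the post; the function names are mine.

```python
import ipaddress
import re

# Constructed sample: three lines abbreviated from the log quoted in the post.
SAMPLE_LOG = """\
2021-09-10 10:11:25 16[IKE] <L2TP_Schulzdialog-1|19594> CHILD_SA from_nl-1{34785} established with SPIs ce6bfb8a_i 279f0fb6_o and TS 192.0.0.0/24 === 10.48.15.2/32
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': proto=udp      proto-no=17 timeout=15 orig-src=192.0.0.51 orig-dst=213.172.105.106 orig-sport=38185 orig-dport=123 packets=1 bytes=76 devin=Port1 devout=Port2_ppp
2021-09-10 10:11:26 11[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': proto=udp      proto-no=17 timeout=17 orig-src=192.168.3.5 orig-dst=192.0.0.111 orig-sport=57827 orig-dport=3389 packets=1 bytes=40 [UNREPLIED] devin=ipsec0 devout=br0
"""

# strongSwan: "CHILD_SA <name>{<id>} established with SPIs <in> <out> and TS <local> === <remote>"
SA_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs \S+ \S+ and TS (\S+) === (\S+)")
# The key=value fields of one conntrack flow entry echoed back by run_shell.
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+).*?orig-src=(?P<src>\S+) orig-dst=(?P<dst>\S+) "
    r"orig-sport=(?P<sport>\d+) orig-dport=(?P<dport>\d+).*?devin=(?P<devin>\S+)"
)

def parse_child_sas(log):
    """Map CHILD_SA name -> (local selector, remote selector) for each established SA."""
    return {
        m.group(1): (ipaddress.ip_network(m.group(2)), ipaddress.ip_network(m.group(3)))
        for m in SA_RE.finditer(log)
    }

def parse_flows(log):
    """Return every conntrack flow entry found in the log as a dict of its fields."""
    return [m.groupdict() for m in FLOW_RE.finditer(log)]

def flows_outside_selectors(log, ipsec_iface="ipsec0"):
    """Flows that entered on the IPsec interface but match no negotiated selector pair.

    Inbound traffic from the peer must have orig-src inside a remote selector and
    orig-dst inside that SA's local selector; anything else cannot be carried by the
    tunnel whatever the firewall rule says. Returns (proto, src, dst, dport) tuples.
    """
    sas = parse_child_sas(log)
    uncovered = []
    for f in parse_flows(log):
        if f["devin"] != ipsec_iface:
            continue  # LAN/WAN flow, not a tunnel question
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if not any(src in remote and dst in local for local, remote in sas.values()):
            uncovered.append((f["proto"], f["src"], f["dst"], int(f["dport"])))
    return uncovered

if __name__ == "__main__":
    for proto, src, dst, dport in flows_outside_selectors(SAMPLE_LOG):
        print(f"{proto} {src} -> {dst}:{dport} arrived on ipsec0 but matches no CHILD_SA selectors")
```

On the sample it flags the UDP 3389 flow from 192.168.3.5 to 192.0.0.111, which is outside 10.48.15.2/32; whether that flow belongs to this tunnel or another one is what the full log has to answer.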

  • Hello Wolfgang,

    Welcome to the UTM Community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    I note that your earlier posts are in the XG Community and that this doesn't look like a log from UTM.  Should one of us mods move this thread to the German Forum in the XG Community?

    Regards - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, thank you for your answer. Please move it into the XG Community.

  • What about the log seems unusual to you?

    Could it be a simple routing problem? What does the packet capture show when you access via RDP 3389?

    PS: If you try RDP via TCP or UDP, does it work with TCP?


  • Hello Wolfgang,

    I know this problem from users who have an IPv6 connection that tunnels the IPv4 connection. Certain connections don't get established there, even though the tunnel is up. In our case it helped to lower the MTU on the Windows L2TP adapter to 1300. To do that, as an administrative user on the PC and with the tunnel active, issue this command in a shell and then restart the tunnel:

    netsh interface ipv4 set subinterface "My_Tunnel_Name" mtu=1300 store=persistent

    You can check it with:

    netsh interface ipv4 show subinterfaces

    Regards

    Ben