Unable To Access Drives Mapped through GPO over L2TP VPN Connection


This issue is only affecting users connecting to our UTM's L2TP VPN connection on Windows devices. Users are able to establish the connection, but when they do so, they lose access to network drives that have been mapped via Group Policy. This issue only occurs over VPN. When the device connects to the domain on our LAN, the drives map as expected.

As a workaround, I have remounted the drives and assigned them another letter to be used while using the VPN. Very possible this is a Microsoft issue, but I wanted to check with you all as the issue is only occurring over the VPN.

The error message is:

"An error occurred while reconnecting I: ......" (path to drive)
"Microsoft Windows Network: The local device name is already in use."
"The connection has not been restored."
I have taken the troubleshooting steps suggested in this thread, but the issue persists:
Thanks for any guidance you can provide.
  • Hi,

    Thanks for reaching out to the Community! 

    Have you configured the domain name on the client side? I'd suggest you run a packet capture and review the packet-filter logs while trying to access the mapped drive. 



    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • H_Patel: Thank you so much for this idea. I have a couple clarifying questions:

    How might I go about configuring the domain name on the client side? Or confirming that these settings have been set correctly?

    Would establishing a port mirroring session using Wireshark be the best way to perform a packet capture?

    Thanks again for all your assistance.

  • If you're not familiar with tcpdump, you might be interested in looking at A Tcpdump Tutorial and Primer by Daniel Miessler.

    Just to eliminate a Windows firewall issue in your server, experiment with a NAT rule like:

         SNAT : Pool (L2TP) -> {TCP 139&445 & UDP 137&138} -> {server with a share} : from Internal (Address)

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Are you sure this isn't a DNS issue?  Can you reach your mapping through IP address of the server instead of host name?  If you can access the same share using IP, then it's a DNS issue and you need to add your VPN Pool to the Allowed Network listing on Sophos.

    try using \\IP_Address\<share name> instead of \\DNS_Name\<share name>

    UTM - 9.706 | Intel i3-4150 4th Gen Processor
    16GB Memory | 500GB SATA HDD | GB Ethernet x5
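The IP-versus-hostname test suggested above, written out as a PowerShell check a user can run while connected to the L2TP VPN. This is an added example and not part of the thread; the server name, share name and port are placeholders (assumptions) to be replaced with your own. It separates the three things that get conflated in this thread: whether the name resolves, whether SMB is reachable through the UTM at all, and whether Windows is merely refusing to reuse a drive letter it still considers mapped.

```powershell
# Added example (not from the thread): is the GPO-mapped share a DNS problem,
# a packet-filter problem, or a stale-drive-letter problem over the L2TP VPN?
# Hostname, share and port below are assumptions; substitute your own.
$Server = 'DNSfilesharename'      # assumed: file server DNS name used by the GPO
$Share  = 'folder'                # assumed: share name used by the GPO mapping
$Port   = 445                     # SMB over TCP

# 1. Does the name resolve over the VPN, and to what address?
$dns = Resolve-DnsName -Name $Server -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning "$Server does not resolve while on the VPN (DNS issue)"
} else {
    $ip = ($dns | Where-Object IPAddress | Select-Object -First 1).IPAddress
    "Resolved $Server -> $ip"
}

# 2. Is SMB reachable by name and by IP? A closed port here points at the
#    UTM packet filter or the server's Windows Firewall, not at Group Policy.
foreach ($target in @($Server, $ip) | Where-Object { $_ }) {
    $t = Test-NetConnection -ComputerName $target -Port $Port -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    "{0,-25} TCP/{1}: {2}" -f $target, $Port, $state
}

# 3. Can the share be listed by name and by IP? If only the IP form works,
#    the fault is name resolution (or Kerberos, which needs the real hostname).
foreach ($target in @($Server, $ip) | Where-Object { $_ }) {
    $unc = "\\$target\$Share"
    try {
        $null = Get-ChildItem -LiteralPath $unc -ErrorAction Stop
        "$unc : accessible"
    } catch {
        "$unc : $($_.Exception.Message)"
    }
}

# 4. What does Windows think of the drive letters? A letter that shows as
#    Disconnected while the UNC paths above work is the "local device name is
#    already in use" symptom: the letter is held by a stale mapping, not by the network.
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status | Format-Table -AutoSize
```

If step 3 succeeds for both forms and step 4 shows the GPO letter as Disconnected, the VPN and DNS are fine and the problem is the client's reconnect of the existing mapping; if step 2 reports BLOCKED for both forms, the traffic is not making it from the L2TP pool to the server, and the UTM packet filter log is the place to look.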

  • Thank you so much. This looks like an incredible resource and I will certainly be sure to give it a good look through and attempt to do some testing. I will also give that NAT rule a go to rule out Windows Firewall.

    Almost positive this is not a DNS issue, as the same fileshare point mounts when I manually assign the drive path with the DNS share name an alternative drive letter locally on the device, i.e. GPO mounts the fileshare point at D:\\DNSfilesharename\folder.... Workaround: I manually assign the fileshare point to Z:\\DNSfilesharename\folder.

    This workaround appears to be permanent. It is only the fileshare points that mount and are assigned a drive letter through GPO that remain disconnected over the VPN connection. Before, these GPO-mounted fileshare points stayed connected just fine over VPN.

  • We are missing something here... Amodin is asking: have you tried with IP or not?
    GPO has nothing to do with your problem.
    While you are connected with L2TP, ping the "DNSfilesharename" and post only the result.

  • I just pinged the "DNSfilesharename" over L2TP and received back a successful reply.

    Pinging DNSfilesharename with 32 bytes of data:
    Reply from 10.0.X.X: bytes=32 time=124ms TTL=127
    Reply from 10.0.X.X: bytes=32 time=135ms TTL=127
    Reply from 10.0.X.X: bytes=32 time=87ms TTL=127
    Reply from 10.0.X.X: bytes=32 time=69ms TTL=127

  • I see the DNS resolves the hostname.
    Windows tries to remap the drive, I think; I never used mapped drives from GPO.

  • Personally, I've never done that because GPO just works the way it works and that is "not consistent" :)

    I've just had a users batch file run to map the drives.  This has been an issue I've seen since Y2K at least.  We had to end up running the batch to disconnect all mapped drives, ipconfig /flushdns, then remap the drives.  Sucks, but it worked.

    UTM - 9.706 | Intel i3-4150 4th Gen Processor
    16GB Memory | 500GB SATA HDD | GB Ethernet x5
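The "disconnect all mapped drives, ipconfig /flushdns, remap" routine described above, as an added PowerShell example rather than the batch file from the thread. The mapping table, the drive letters and the assumption that the L2TP connection shows up in Get-VpnConnection are all placeholders; adjust them to your environment. It is written to be run after the VPN comes up (from a scheduled task on a VPN-connect event, or a shortcut the user clicks) and it clears the stale letter before remapping, which is exactly what the "local device name is already in use" error is complaining about.

```powershell
# Added example (not the thread's batch file): drop every mapping in the table,
# flush the DNS cache, and remap, but only when a VPN connection is actually up.
# Letters, UNC paths and the VPN detection are assumptions; edit for your site.
$Mappings = @{
    'D' = '\\DNSfilesharename\folder'     # assumed: the letter/path the GPO uses
    'E' = '\\DNSfilesharename\other'      # assumed: a second GPO mapping
}

function Remove-StaleMapping {
    param([string]$Letter)
    $drive = "${Letter}:"
    # net use sees persistent and GPO-created mappings that Remove-PSDrive does not.
    # /y suppresses the "open files" prompt; an error here just means nothing was mapped.
    & net.exe use $drive /delete /y 2>$null | Out-Null
    # net use /delete normally removes HKCU\Network\<letter> too; deleting it explicitly
    # covers the case where the live mapping is gone but the persistent entry survived,
    # which is what makes Windows say the letter is "already in use".
    Remove-Item -Path "HKCU:\Network\$Letter" -ErrorAction SilentlyContinue
}

function Restore-Mapping {
    param([string]$Letter, [string]$Path)
    $drive = "${Letter}:"
    $out = & net.exe use $drive $Path /persistent:yes 2>&1
    if ($LASTEXITCODE -eq 0) {
        "$drive -> $Path : mapped"
    } else {
        Write-Warning "$drive -> $Path : $out"
    }
}

# Remapping on the LAN is pointless churn, so only act when a VPN is connected.
# Assumes the L2TP entry is a Windows RAS connection visible to Get-VpnConnection.
$vpn = Get-VpnConnection -ErrorAction SilentlyContinue |
       Where-Object ConnectionStatus -eq 'Connected'
if (-not $vpn) {
    Write-Host 'No VPN connection is up; nothing to do.'
    return
}

foreach ($letter in $Mappings.Keys) { Remove-StaleMapping -Letter $letter }
Clear-DnsClientCache          # same effect as ipconfig /flushdns
foreach ($letter in $Mappings.Keys) { Restore-Mapping -Letter $letter -Path $Mappings[$letter] }
```

One caveat worth knowing before relying on this: a Group Policy Preferences drive map set to Replace will recreate its mapping at the next foreground policy refresh, so if the GPO targets the same letter the script just reclaimed, the two can keep fighting over it. Either let the GPO own the letter and have the script only remove and remap (as above, using the same paths), or move the VPN-time mapping to a letter the GPO never touches, which is the workaround already in use in this thread.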

  • Thank you very much for providing me with this history. I've only been in System Administration for 6 months. I was a technician for 5 years before this. So while I had some working knowledge of GPOs, I wasn't building, deploying, and troubleshooting policy issues.

    It sounds like you are pretty convinced that this is a Windows issue unrelated to the UTM specifically. This makes me feel like I should let the issue go and that I'll just end up chasing red herrings if I start looking deeper into the wireshark/tcpdump logs. Maybe I'm wrong about that, though.

    I was messing around with the netstat commands to resolve the issue at one point. I think, in a fashion similar to what you are suggesting. But it became too complicated once the VPN layer was introduced. And I wasn't convinced the GPO would run consistently enough to push out the .bat file at the exact right time needed to unmount and remount the drives once the connection was broken.

    Manually reassigning the drives a different letter has proved to be a viable workaround. The drive stays mounted whether or not the user is connected over VPN.