Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PP2T VPN client weirdness

    Scheduled Pinned Locked Moved
    2.0-RC Snapshot Feedback and Problems - RETIRED
    4
    27
    11.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pwnell
      last edited by

      I have a simple pfSense setup, the firewall sits between my LAN and WAN.  When a machine on the LAN wants to make a PPTP connection to a Microsoft VPN server somewhere on the WAN, it works, and for the first minute or two I can transfer data just fine.  But if I leave the connection idle for a minute then suddenly I never receive any packets anymore, the sending of packets still seems to work.  But I do not receive any packets whatsoever, reconnecting the VPN connection works for the next minute or two when it goes down again.

      I have confirmed this is not a server issue as it happens to 3 different VPN connections.  I am not blocking any outbound traffic.  Any ideas?  Also not running any VPN servers on pfSense.

      1 Reply Last reply Reply Quote 0
      • P
        pwnell
        last edited by

        Sorry the title should have been PPTP

        1 Reply Last reply Reply Quote 0
        • P
          pwnell
          last edited by

          I can add that if I have for instance an RDP session open to a machine in the VPN's subnet, the connection stays alive.  The moment I do not send any traffic for about 1-2 minutes the connection dies.  This happens from within a Windows 7 VM as well as from my Mac which are both on the LAN, and to different VPN servers.

          1 Reply Last reply Reply Quote 0
          • E
            eri--
            last edited by

            You need keep-alive for the session activated or increase the state timeout for the PPTP port otherwise the GRE sessions will be dropped.

            1 Reply Last reply Reply Quote 0
            • P
              pwnell
              last edited by

              I assume with keep alives you refer to lcp-echo-interval and lcp-echo-failure?  I do not have access to that on Windows and Mac OS X as far as I know.  And where do I change the state timeout of the PPTP port?  On the server?

              Just asking since pfSense from about 6 months ago worked just fine with these PPTP servers, and since I manage some of them I know they have not changed.  So too did my local configuration not change.  I could leave VPN connected all night without issue.

              1 Reply Last reply Reply Quote 0
              • E
                eri--
                last edited by

                If you want you can allow gre any to any as it was done before in firewall rules.

                1 Reply Last reply Reply Quote 0
                • P
                  pwnell
                  last edited by

                  Both on WAN and LAN interfaces?

                  1 Reply Last reply Reply Quote 0
                  • E
                    eri--
                    last edited by

                    Yes. Or you can tight them down if you know the PPTP vpn ip(s).

                    1 Reply Last reply Reply Quote 0
                    • P
                      pwnell
                      last edited by

                      I now have an allow any to any on GRE on WAN and LAN - still same thing that happens.  Connection is made just fine, leave it for 1 minute then it just sits there, sending packets but never receiving.

                      I do see this in my firewall log - not sure if it is related to VPN traffic though:

                      [Blocked] Dec 9 11:05:10 WAN   205.200.61.10:25749   96.51.181.89:26237 UDP

                      205.200.61.10 is the VPN server (remote), and 96.51.181.89 is the WAN IP on pfSense.

                      1 Reply Last reply Reply Quote 0
                      • E
                        eri--
                        last edited by

                        You should have an option on the client side to enable lcp-echo's
                        and those blocks are udp protocol.

                        1 Reply Last reply Reply Quote 0
                        • P
                          pwnell
                          last edited by

                          I have only ever seen lcp-echo's as configurable in Linux / BSD Unix.  Never in Mac OS X or Windows.  Any pointers?

                          Also why would it have worked perfectly with the pfSense beta from 6 months ago?

                          1 Reply Last reply Reply Quote 0
                          • P
                            pwnell
                            last edited by

                            PS: A Cisco IPSec VPN connection works perfectly - stays online for hours.

                            1 Reply Last reply Reply Quote 0
                            • P
                              pwnell
                              last edited by

                              Under linux I have configured a 30 second lcp echo request, the VPN still dies after a minute or two if I do not actively transfer data.

                              1 Reply Last reply Reply Quote 0
                              • Y
                                yaw
                                last edited by

                                I'm seeing the same thing here on my end. If I leave it without sending packets the firewall starts blocking GRE packets:

                                [blocked] Dec 11 08:08:30 WAN  A.A.A.A    B.B.B.B  GRE
                                Where A is the remote VPN server IP, and B is the pfsense box IP.

                                It ONLY starts blocking these GRE packets if it sits for a little while without sending packets. As long as pfsense keeps sending packets then it'll never start blocking GRE. However, the game is over once it starts.

                                If I add a rule to allow all GRE traffic on the WAN interface then those errors are surpressed. The firewall logs don't show anything being blocked. However, the problem still exists. All VPN traffic stops and I must disconnect and reconnect to fix it.

                                I'm running 2.0-BETA4 (i386) built on Tue Dec 7 06:58:02 EST 2010

                                1 Reply Last reply Reply Quote 0
                                • P
                                  pwnell
                                  last edited by

                                  I agree with yaw - exactly the same behaviour.  Furthermore, if I replace pfSense with my DLink WiFi router, the problem goes away and my PPTP connections stay alive without needing any keep alive traffic.

                                  1 Reply Last reply Reply Quote 0
                                  • Y
                                    yaw
                                    last edited by

                                    Yep.. something odd going on here. I never had this problem with version 1.2.3

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      pwnell
                                      last edited by

                                      Also not with pfSense 2.0 BETA3 from June this year I think.

                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        Darkk
                                        last edited by

                                        Yes I am seeing this exact same issue with the beta snapshots as of late.  I tried a few things and had to revert back to the 1.2.3 release until it gets sorted out.  This will be a problem for folks who PfSense at home offices and corporations.

                                        So any ideas would be greately apprecaitedl.

                                        Darkk

                                        1 Reply Last reply Reply Quote 0
                                        • P
                                          pwnell
                                          last edited by

                                          Found this: http://forum.pfsense.org/index.php/topic,29427.0.html, and tried adding the two NAT rules for TCP/1732 and GRE.  What do you know - now it works.  But I am confused - I thought this was fixed already? Secondly, obviously the NAT rules are only a temporary solution as I have multiple clients needing PPTP access behind the firewall.

                                          (I say it worked because I managed 17 minutes and counting of idle PPTP traffic without being disconnected).

                                          1 Reply Last reply Reply Quote 0
                                          • Y
                                            yaw
                                            last edited by

                                            Yeah.. I have multiple clients here also.. not going to work.

                                            I wonder if the fix always had this problem. I bet nobody let their connection sit idle long enough to test.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.