AT&T VPN client not able to connect
-
Here is the tcpdump from the client machine & pfSense at the same time.
-
Hmm, seeing no UDP port 500 or 4500 traffic there at all. However it looks like it's failing before it ever tries to actually connect the VPN:
NetClient +I 05/23 21:41:38.885 1C5C: dbActionSendHTTPInternetProbe: HTTP internet probe is initiated.
NetClient +I 05/23 21:41:38.885 29E0: SendHTTPProbeThread: sending probe to '32.112.50.131'.
NetClient +I 05/23 21:41:38.893 29E0: SendRequest: HttpSendRequest failed with error 12029.
You can see that traffic in the packet capture at the client. The response is:
Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n
However, it looks like that is coming from Squid running in pfSense. Are you filtering that?
I don't know where you took the pfSense pcap, but it looks like the WAN side. If that covers the complete connection attempt, those HTTP probes are never leaving, so it looks like Squid/SquidGuard is filtering them.
Steve
-
The pfSense pcap is from the WAN interface.
Yes, I use Squid + SquidGuard. I used it before, but I may have some different settings now.
-
OK, then try disabling Squid as a test or add your client to the bypass list.
Steve
-
Problem 50% solved.
It's Squid blocking the connection.
Now I need to figure out how to bypass it or allow this connection.
-
Problem solved 100%.
Thank you for all the hints & support.
-
Great.
Were you able to open only the AT&T connection test servers? Can you post the allowed IPs that worked for you and exactly where you added them?
That will help anyone else hitting this a lot.
Steve
-
Like always, things that look super complicated are very simple :-[
I just added the local IP as an exception in Squid:
Squid Proxy Server -> ACLs -> Unrestricted IPs -> added my AT&T client's local IP.
Then everything worked as expected.
-
While that is a simple solution, to be sure, it is not the solution people would normally want. They would want to be able to access the thing that doesn't work through the proxy, while using the proxy for everything else. Your solution is pretty much just turning off the proxy for that client.
The proper solution would be to set up the proxy not to proxy connections to that specific destination for the VPN. The big question is what the destination netblocks of all the different possible connections that are needed are.
-
You're right!
This was just a simple & quick solution. I will try to get more data and identify the real issue.
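To make the difference between the two approaches discussed above concrete, here is an added squid.conf fragment (not from the thread or from the pfSense Squid package) contrasting the per-client exemption that was applied with a destination-based exemption. The probe address 32.112.50.131 is the one shown in the NetClient log; the client address 192.168.1.50 is a constructed example, and the assumption that SquidGuard is attached as a url_rewrite_program is mine. Squid evaluates http_access rules in order, so both allow lines must sit above the rules that otherwise deny or rewrite traffic.

```conf
# --- What the thread did: exempt the whole client from Squid's filtering ---
# Any destination reached from this host skips the restrictive rules below,
# which is effectively "no proxy policy" for that machine.
acl vpn_client src 192.168.1.50/32        # constructed example address
http_access allow vpn_client

# --- Narrower alternative: exempt only the VPN client's probe destination ---
# The proxy keeps filtering everything else from every client; only requests
# to the address seen in the NetClient log are let through untouched.
# If the client probes more than one address, each netblock has to be added.
acl att_probe dst 32.112.50.131/32        # address from the NetClient log in the thread
http_access allow att_probe

# SquidGuard (assumed here to be wired in via url_rewrite_program) runs after
# http_access, so it must be told to leave those requests alone as well.
url_rewrite_access deny att_probe

# ... the site's normal SquidGuard hook and restrictive http_access rules follow ...
# url_rewrite_program /usr/local/bin/squidGuard
# http_access deny all
```

After changing the configuration, reload Squid and repeat the client-side capture from the thread: the probe to 32.112.50.131 should now appear leaving the WAN interface instead of being answered locally with HTTP/1.1 400 Bad Request.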