Networking Forums

Client cannot connect to VPN server - others can

 
 
Thomas D.
Guest
Posts: n/a

 
      01-26-2007, 11:36 AM
Hello Group,

We are running Windows 2003 Server Enterprise Edition with Active Directory
and Remote Access Service. We set up RAS to allow only L2TP-EAP connections.

This is working! Many clients can connect without any problems.

But some clients cannot. These clients are often behind a router (but there
are clients behind routers which can connect without any problems!). In
oakley.log I notice:

-----
1-26: 03:23:47:496:8b4 Receive: (get) SA = 0x04ac8c70 from CLIENTIP.57589
1-26: 03:23:47:496:8b4 ISAKMP Header: (V1.0), len = 544
1-26: 03:23:47:496:8b4 I-COOKIE 38dad3f194afb3b3
1-26: 03:23:47:496:8b4 R-COOKIE b7818d1c12e1e471
1-26: 03:23:47:496:8b4 exchange: Oakley Main Mode
1-26: 03:23:47:496:8b4 flags: 0
1-26: 03:23:47:496:8b4 next payload: FRAG
1-26: 03:23:47:496:8b4 message ID: 00000000
1-26: 03:23:47:496:8b4 processing payload FRAG
1-26: 03:23:47:496:8b4
1-26: 03:23:47:496:8b4 Receive: (get) SA = 0x04ac8c70 from CLIENTIP.57589
1-26: 03:23:47:496:8b4 ISAKMP Header: (V1.0), len = 544
1-26: 03:23:47:496:8b4 I-COOKIE 38dad3f194afb3b3
1-26: 03:23:47:496:8b4 R-COOKIE b7818d1c12e1e471
1-26: 03:23:47:496:8b4 exchange: Oakley Main Mode
1-26: 03:23:47:496:8b4 flags: 0
1-26: 03:23:47:496:8b4 next payload: FRAG
1-26: 03:23:47:496:8b4 message ID: 00000000
1-26: 03:23:47:496:8b4 processing payload FRAG
1-26: 03:23:47:496:8b4
1-26: 03:23:47:496:8b4 Receive: (get) SA = 0x04ac8c70 from CLIENTIP.57589
1-26: 03:23:47:496:8b4 ISAKMP Header: (V1.0), len = 544
1-26: 03:23:47:496:8b4 I-COOKIE 38dad3f194afb3b3
1-26: 03:23:47:496:8b4 R-COOKIE b7818d1c12e1e471
1-26: 03:23:47:496:8b4 exchange: Oakley Main Mode
1-26: 03:23:47:496:8b4 flags: 0
1-26: 03:23:47:496:8b4 next payload: FRAG
1-26: 03:23:47:496:8b4 message ID: 00000000
1-26: 03:23:47:496:8b4 processing payload FRAG
1-26: 03:23:47:512:8b4
1-26: 03:23:47:512:8b4 Receive: (get) SA = 0x04ac8c70 from CLIENTIP.57589
1-26: 03:23:47:512:8b4 ISAKMP Header: (V1.0), len = 544
1-26: 03:23:47:512:8b4 I-COOKIE 38dad3f194afb3b3
1-26: 03:23:47:512:8b4 R-COOKIE b7818d1c12e1e471
1-26: 03:23:47:512:8b4 exchange: Oakley Main Mode
1-26: 03:23:47:512:8b4 flags: 0
1-26: 03:23:47:512:8b4 next payload: FRAG
1-26: 03:23:47:512:8b4 message ID: 00000000
1-26: 03:23:47:512:8b4 processing payload FRAG
1-26: 03:23:47:512:8b4
1-26: 03:23:47:512:8b4 Receive: (get) SA = 0x04ac8c70 from CLIENTIP.57589
1-26: 03:23:47:512:8b4 ISAKMP Header: (V1.0), len = 136
1-26: 03:23:47:512:8b4 I-COOKIE 38dad3f194afb3b3
1-26: 03:23:47:512:8b4 R-COOKIE b7818d1c12e1e471
1-26: 03:23:47:512:8b4 exchange: Oakley Main Mode
1-26: 03:23:47:512:8b4 flags: 0
1-26: 03:23:47:512:8b4 next payload: FRAG
1-26: 03:23:47:512:8b4 message ID: 00000000
1-26: 03:23:47:512:8b4 processing payload FRAG
1-26: 03:23:47:512:8b4 ReceivedFullPacket
1-26: 03:23:47:512:8b4 ClearFragList
1-26: 03:23:47:512:8b4
1-26: 03:23:47:512:8b4 Receive: (get) SA = 0x04ac8c70 from CLIENTIP.57589
1-26: 03:23:47:512:8b4 ISAKMP Header: (V1.0), len = 2132
1-26: 03:23:47:512:8b4 I-COOKIE 38dad3f194afb3b3
1-26: 03:23:47:512:8b4 R-COOKIE b7818d1c12e1e471
1-26: 03:23:47:512:8b4 exchange: Oakley Main Mode
1-26: 03:23:47:512:8b4 flags: 1 ( encrypted )
1-26: 03:23:47:512:8b4 next payload: ID
1-26: 03:23:47:512:8b4 message ID: 00000000
1-26: 03:23:47:512:8b4 Dropping SA processing because SA status set. SA 04AC8C70 Centry 00000000 Status 3618
----

This gets logged while the client says "Connecting with...", which ends up in
error "Error 792: The L2TP connection attempt failed because security
negotiation timed out."
 
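A small triage helper for excerpts like the one in the post above, added here as an example and not part of the original thread. It groups oakley.log lines into received messages and reports how many carried a FRAG payload, whether ReceivedFullPacket was logged, and which message was dropped with which status. The matched field names come from the excerpt; the function names and the sample are constructed.

```python
import re

# Line prefix "M-D: HH:MM:SS:mmm:tid " as in the post's oakley.log excerpt.
LINE = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+ ?(.*)$")

def parse_messages(log_text):
    """Return one dict per 'Receive:' block in the excerpt."""
    msgs, cur = [], {"events": []}  # placeholder until the first Receive
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # unprefixed line: treat as a wrapped continuation
            if cur["events"]:
                cur["events"][-1] += " " + raw.strip()
            continue
        body = m.group(1).strip()
        if body.startswith("Receive:"):
            cur = {"len": None, "payload": None, "encrypted": False, "events": []}
            msgs.append(cur)
        elif body.startswith("ISAKMP Header:"):
            cur["len"] = int(body.rsplit("=", 1)[1])
        elif body.startswith("next payload:"):
            cur["payload"] = body.split(":", 1)[1].strip()
        elif body.startswith("flags:"):
            cur["encrypted"] = "encrypted" in body
        elif body.startswith(("ReceivedFullPacket", "Dropping SA")):
            cur["events"].append(body)
    return msgs

def summarize(msgs):
    """Count FRAG messages, note reassembly, list dropped messages with status."""
    frags = [m for m in msgs if m["payload"] == "FRAG"]
    return {
        "fragments": len(frags),
        "reassembled": any(e.startswith("ReceivedFullPacket")
                           for m in frags for e in m["events"]),
        "dropped": [(m["payload"], m["len"], m["encrypted"],
                     (re.findall(r"Status (\w+)", e) or [None])[0])
                    for m in msgs for e in m["events"] if e.startswith("Dropping SA")],
    }

# Constructed sample in the post's format; the last line is wrapped as in the post.
P, RECV = "1-26: 03:23:47:512:8b4 ", "Receive: (get) SA = 0x04ac8c70 from CLIENTIP.57589"
SAMPLE = "\n".join(P + s for s in [
    RECV, "ISAKMP Header: (V1.0), len = 544", "flags: 0", "next payload: FRAG",
    RECV, "ISAKMP Header: (V1.0), len = 136", "flags: 0", "next payload: FRAG", "ReceivedFullPacket",
    RECV, "ISAKMP Header: (V1.0), len = 2132", "flags: 1 ( encrypted )", "next payload: ID",
    "Dropping SA processing because SA status set. SA",
]) + "\n04AC8C70 Centry 00000000 Status 3618\n----"
```

Calling `summarize(parse_messages(text))` on a pasted excerpt returns the fragment count, the reassembly flag, and a list of `(next payload, len, encrypted, status)` tuples for dropped messages.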
 
 
 
 
Thomas D.
Guest
Posts: n/a

 
      01-26-2007, 11:47 AM
Something I forgot to say:
We also tried to set "AssumeUDPEncapsulationContextOnSendRule" to 1 or 2 on
both sides (client/server). It didn't solve the problem.
 
 
Pietro
Guest
Posts: n/a

 
      01-27-2007, 10:47 PM
Look at the router's manual. It should support "VPN passthru". Sometimes
this feature must be enabled even if supported.
In other words, the router must allow the traffic generated by the
RAS server to get back to the client.
Bye,
-Pietro.

Thomas D. wrote:
> Hello Group,
>
> We are running Windows 2003 Server Enterprise Edition with Active Directory
> and Remote Access Service. We set up RAS to allow only L2TP-EAP connections.
>
> This is working! Many clients can connect without any problems.
>
> But some clients cannot. These clients are often behind a router (but there
> are clients behind routers which can connect without any problems!). In
> oakley.log I notice:

[CUT]
> This gets logged while the client says "Connecting with...", which ends up in
> error "Error 792: The L2TP connection attempt failed because security
> negotiation timed out."


--
http://store.webmad.it/ http://www.linkedin.com/in/pietrolicata
 