VPN error 619

nuru · Wed Nov 09, 2005 12:17 pm

Hi all,

I just set up VPN using L2TP on Mikrotik as a VPN server, the Mikrotik is behind a 1:1 NATed Cisco router. I tried connecting to it using windows 2000 client but always get Error 619: The specified port is not connected. I also tried using PPTP but am getting same error. I dissabled IPSec on the windows client.

Dont know if an upgrade of the Mikrotik OS will resolve the issue my free upgrade period has expired so I will need to buy one, I am using router OS 2.9.

Any help will be really apreciated.

Nurudeen

Tonda · Wed Nov 09, 2005 3:47 pm

Is L2TP server enabled?What about firewall filter rules?Are incoming connections to L2TP server enabled?

Eugene · Wed Nov 09, 2005 4:17 pm

Does it work when connected back-to-back?

nuru · Fri Nov 11, 2005 9:47 am

Yes the L2TP server is enable and yes it works back to back, I want to believe it has to do with the NAT on the cisco router.
Does any one know how to tell a cisco router not not NAT for a specific IP, configuration example?

Thanks all

Eugene · Fri Nov 11, 2005 7:03 pm

ask Google. This shouldn't be hard to find.

kchris · Fri Nov 11, 2005 10:53 pm

I had the same problem!

I had a win2k/xp client behind nat and could connect to EXTERNAL VPN server. I had to enable the PPTP/GRE/Protocol47 helpers! To work with VPN, on the server doing the nat the simple NAT is not enough! Nat needs PORTS and ports are on protocol TCP and UDP. VPN uses besides TCP protocol the "protcol 47", the GRE.

so I think to use VPN on the cisco router you have to configure something additional in addition to NAT...

nuru · Tue Nov 15, 2005 11:49 pm

Still cant get this VPN to work.
I set up another Mikrotik L2TP server and place it behind a 1:1 NAT cisco router in my test lab just like the one I have at the my site and it worked, I have compared all the configuration both on cisco and the Mikrotik of my test system with my client config, even though its exactly the same except that I go through the Internet to get to my client VPN, its still gives error 619. Do I need EoIP for the L2TP to work over Internet?

The debug from the Mikrotik l2tp server is below, anyone please help.

[admin@MikroTik] >
(11 messages discarded)
echo: l2tp,debug tunnel 9 entering state: wait-ctl-conn
echo: l2tp,debug,packet sent control message to 70.14.32.13:1701
echo: l2tp,debug,packet tunnel-id=15, session-id=0, ns=0, nr=1
echo: l2tp,debug,packet (M) Message-Type=SCCRP
echo: l2tp,debug,packet (M) Protocol-Version=0x01:00
echo: l2tp,debug,packet (M) Framing-Capabilities=0x1
echo: l2tp,debug,packet (M) Bearer-Capabilities=0x0
echo: l2tp,debug,packet Firmware-Revision=0x1
echo: l2tp,debug,packet (M) Host-Name="MikroTik"
echo: l2tp,debug,packet Vendor-Name="MikroTik"
echo: l2tp,debug,packet (M) Assigned-Tunnel-ID=9
echo: l2tp,debug,packet (M) Receive-Window-Size=4
[admin@MikroTik] >
(31 messages discarded)
echo: l2tp,debug,packet tunnel-id=9, session-id=0, ns=2, nr=1
echo: l2tp,debug,packet (M) Message-Type=ICRQ
echo: l2tp,debug,packet (M) Assigned-Session-ID=1
echo: l2tp,debug,packet (M) Call-Serial-Number=0
echo: l2tp,debug,packet (M) Bearer-Type=0x2
echo: l2tp,debug session 1 entering state: wait-connect
echo: l2tp,debug,packet sent control message to 70.14.32.13:1701
echo: l2tp,debug,packet tunnel-id=15, session-id=1, ns=1, nr=3
echo: l2tp,debug,packet (M) Message-Type=ICRP
echo: l2tp,debug,packet (M) Assigned-Session-ID=1
echo: l2tp,debug,packet rcvd control message (ack) from 70.14.32.13:1701
echo: l2tp,debug,packet tunnel-id=9, session-id=0, ns=3, nr=1
[admin@MikroTik] >
(23 messages discarded)
echo: l2tp,ppp,debug,packet <accomp>
echo: l2tp,ppp,debug,packet <mrru 1614>
echo: l2tp,ppp,debug,packet <ed 0x01 f6 96 60 6a dc de 46 88 b6 16 46 7e 28 e
5 cd 3e 00 00 00 09>
echo: l2tp,ppp,debug,packet <0x0d 03 06><65.14.32.13>: sent LCP ConfReq id=
0x1
echo: l2tp,ppp,debug,packet <mru 1460>
echo: l2tp,ppp,debug,packet <magic 0x519b500d>
echo: l2tp,ppp,debug,packet <auth mschap2>
echo: l2tp,ppp,debug,packet <70.14.32.13>: sent LCP ConfRej id=0x0
echo: l2tp,ppp,debug,packet <pcomp>
echo: l2tp,ppp,debug,packet <accomp>
echo: l2tp,ppp,debug,packet <mrru 1614>
echo: l2tp,ppp,debug,packet <ed 0x01 f6 96 60 6a dc de 46 88 b6 16 46 7e 28 e
5 cd 3e 00 00 00 09>
[admin@MikroTik] >
(8 messages discarded)
echo: l2tp,debug,packet (M) Message-Type=CDN
echo: l2tp,debug,packet (M) Result-Code=1
echo: l2tp,debug,packet (M) Assigned-Session-ID=1
echo: l2tp,debug session 1 entering state: stopping
echo: l2tp,ppp,debug <70.14.32.13>: PPP destroy
echo: l2tp,ppp,debug <70.14.32.13>: PPP destroy
echo: l2tp,ppp,debug <70.14.32.13>: PPP stopped
echo: l2tp,ppp,info <l2tp-0>: disconnected
echo: l2tp,ppp,debug <70.14.32.13>: CCP lowerdown
echo: l2tp,ppp,debug <70.14.32.13>: CCP down event in initial state
echo: l2tp,ppp,debug <70.14.32.13>: IPCP lowerdown
echo: l2tp,ppp,debug <70.14.32.13>: IPCP down event in initial state
[admin@MikroTik] >
(3 messages discarded)
echo: l2tp,debug,packet (M) Result-Code=1
echo: l2tp,debug,packet (M) Assigned-Session-ID=1
echo: l2tp,debug,packet rcvd control message from 70.14.32.13:1701
echo: l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
echo: l2tp,debug,packet (M) Message-Type=StopCCN
echo: l2tp,debug,packet (M) Assigned-Tunnel-ID=15
echo: l2tp,debug,packet (M) Result-Code=2
echo: l2tp,debug,packet Error-Code=2
echo: l2tp,debug,packet sent control message (ack) to 70.14.32.13:1701
echo: l2tp,debug,packet tunnel-id=15, session-id=0, ns=3, nr=5
echo: l2tp,debug tunnel 9 entering state: dead
echo: l2tp,debug session 1 entering state: dead

Nurudeen

Eugene · Thu Nov 17, 2005 7:40 pm

echo: l2tp,ppp,debug,packet <0x0d 03 06><65.14.32.13>: sent LCP ConfReq id=
0x1
echo: l2tp,ppp,debug,packet <mru 1460>
echo: l2tp,ppp,debug,packet <magic 0x519b500d>
echo: l2tp,ppp,debug,packet <auth mschap2>
echo: l2tp,ppp,debug,packet <70.14.32.13>: sent LCP ConfRej id=0x0

This means that the server sent CONFREJ at LCP level. Check your MRU/MTU on both ends of the link.

nuru · Mon Nov 21, 2005 12:01 pm

Thank you eugene,

I am using windows client to connect to a Mikrotik VPN L2TP server, how do I compare the MRU/MTU, its presently set to 1460 on the Mikrotik. Where is the setting at in Windows client.

Nurudeen.

Eugene · Tue Nov 22, 2005 3:49 pm

See this:
http://support.microsoft.com/default.as ... duct=winxp
http://support.microsoft.com/default.as ... US;Q314053

nuru · Tue Nov 22, 2005 10:57 pm

Thanks you Eugene,

I finally found that the problem was this command: ip verify unicast reverse-path in my cisco router, from a software I use for debuging I noticed errors on GRE, my guess is that it was seeing the packet as comming from a non routable or spoofed source address. Everything started working fine after I dissable the command.

Thank you for your time and effort.

Nurudeen

squintr · Mon Dec 26, 2005 7:19 am

I'm having the same problem as Nuru but I'm using a Linksys WRT54G router with a modified firmware (http://www.sveasoft.com/). When I bypass my router it connects.

I had no issues when I was using version 2.8. This started happening after upgrading to 2.9

I'm just reading through your posts and there's mention of enabling GRE but I'm not sure what this means or if its necessary.

Is there something I can do on the Mikrotik router that will make it more compatible with my router?

VPN error 619

VPN error 619

Who is online