brianlewis
Member Candidate
Topic Author
Posts: 134
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Mikrotik blocking PPTP from outside to inside W2003 server

Wed Feb 16, 2005 8:52 pm

I am wondering if anyone has seen an issue where Mikrotik 2.8.23 might possibly block PPTP traffic from making a connection.

I have a client who has two servers on our network. He was able to connect to them from the internet using PPTP without a problem. He is running PPTP VPN on W2003, so it's not using the PPTP functions in Mikrotik.
Since placing him on the new network behind the Mikrotik, he hasn't been able to VPN to his boxes and gets 619/628 errors during the login process.

I am able to VPN from a remote location into his boxes just fine using PPTP in Windows XP, but for some reason he can't. Yet I have him test our old office that is behind a Cisco 7206 and he is able to VPN into it just fine.

The ISP isn't doing any filtering so I think the Mikrotik is causing the issue somehow for 'some' people.

Any ideas?
 
brianlewis
Member Candidate
Topic Author
Posts: 134
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Wed Feb 16, 2005 9:47 pm

Two different Windows XP systems connecting to the same server behind a Mikrotik router. They both send the packet to authenticate; one receives it in a thousandth of a second, the other times out with 'Recv timeout' after 2 seconds of waiting, so it resends again. No rhyme or reason, but the failing system will continue to fail no matter what to this server, yet has no problem connecting to other VPN servers not behind this Mikrotik. Yet I and one of the customer's clients also have no problem making a PPTP connection as well. I am confused why some people would have an issue and some don't. The logs reveal everything identical up to the point of sending the authentication packet.

WORKING SYSTEM: (during authentication phase)
[3620] 11:14:42:447: <PPP packet sent at 02/16/2005 19:14:42:447
[3620] 11:14:42:447: <Protocol = CHAP, Type = Protocol specific, Length = 0x3f, Id = 0x0, Port = 2
[3620] 11:14:42:447: <C2 23 02 00 00 3D 31 5A 7B 14 70 16 6B 37 01 73 |.#...=1Z{.p.k7.s|
[3620] 11:14:42:447: <B1 A6 92 00 62 76 33 00 00 00 00 00 00 00 00 A4 |....bv3.........|
[3620] 11:14:42:447: <EA 66 F2 5D 22 A4 37 95 E3 71 BD 34 E7 41 4C 99 |.f.]".7..q.4.AL.|
[3620] 11:14:42:447: <73 D5 0F 1C D3 12 02 00 6D 72 61 64 6D 69 6E 00 |s.......mradmin.|
[3620] 11:14:42:447:
[3620] 11:14:42:447: InsertInTimerQ called portid=0,Id=0,Protocol=c223,EventType=0,fAuth=0
[2492] 11:14:42:463: Packet received (48 bytes) for hPort 2
[3620] 11:14:42:463: >PPP packet received at 02/16/2005 19:14:42:463
[3620] 11:14:42:463: >Protocol = CHAP, Type = Protocol specific, Length = 0x30, Id = 0x0, Port = 2
[3620] 11:14:42:463: >C2 23 03 00 00 2E 53 3D 31 36 33 34 34 37 30 39 |.#....S=16344709|
[3620] 11:14:42:463: >39 35 30 42 39 31 34 46 45 35 32 41 35 43 36 35 |950B914FE52A5C65|
[3620] 11:14:42:463: >41 34 42 45 44 39 30 31 41 43 34 43 30 46 31 33 |A4BED901AC4C0F13|


NONWORKING SYSTEM: (during authentication phase)
[2320] 11:00:56:187: <PPP packet sent at 02/16/2005 19:00:56:187
[2320] 11:00:56:187: <Protocol = CHAP, Type = Protocol specific, Length = 0x3f, Id = 0x0, Port = 3
[2320] 11:00:56:187: <C2 23 02 00 00 3D 31 23 9A 3F F8 2C D5 FB 90 C1 |.#...=1#.?.,....|
[2320] 11:00:56:187: <BB 29 85 4D C0 31 20 00 00 00 00 00 00 00 00 9A |.).M.1 .........|
[2320] 11:00:56:187: <47 D1 F1 F9 37 52 73 D1 91 DE 12 9D 2E FD 1A CB |G...7Rs.........|
[2320] 11:00:56:187: <16 65 A1 2C 4B CF E8 00 6D 72 61 64 6D 69 6E 00 |.e.,K...mradmin.|
[2320] 11:00:56:187:
[2320] 11:00:56:187: InsertInTimerQ called portid=28,Id=0,Protocol=c223,EventType=0,fAuth=0
[2320] 11:00:58:069: Recv timeout event received for portid=28,Id=0,Protocol=c223,fAuth=0
[2320] 11:00:58:069: <PPP packet sent at 02/16/2005 19:00:58:069
[2320] 11:00:58:069: <Protocol = CHAP, Type = Protocol specific, Length = 0x3f, Id = 0x0, Port = 3
[2320] 11:00:58:069: <C2 23 02 00 00 3D 31 23 9A 3F F8 2C D5 FB 90 C1 |.#...=1#.?.,....|
[2320] 11:00:58:069: <BB 29 85 4D C0 31 20 00 00 00 00 00 00 00 00 9A |.).M.1 .........|
[2320] 11:00:58:069: <47 D1 F1 F9 37 52 73 D1 91 DE 12 9D 2E FD 1A CB |G...7Rs.........|
[2320] 11:00:58:069: <16 65 A1 2C 4B CF E8 00 6D 72 61 64 6D 69 6E 00 |.e.,K...mradmin.|
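
A way to triage traces like the two above mechanically, as an added example that is not part of the original post: it reassembles the hex rows, decodes the CHAP header (PPP protocol 0xC223, codes per RFC 1994) and reports each sent Response that hit "Recv timeout" with no Success or Failure in between. The function names, the sample bytes and the user name "user1" are constructed for illustration.

```python
import re

# Constructed trace in the layout of the logs quoted above; bytes and the name "user1" are made up.
STALLED = """\
[2320] 11:00:56:187: <C2 23 02 00 00 0D 03 AA BB CC 75 73 65 72 31 00 |.#........user1.|
[2320] 11:00:56:187:
[2320] 11:00:58:069: Recv timeout event received for portid=28,Id=0,Protocol=c223,fAuth=0
[2320] 11:00:58:069: <C2 23 02 00 00 0D 03 AA BB CC 75 73 65 72 31 00 |.#........user1.|
"""
LINE = re.compile(r"^\[\d+\] (\d\d:\d\d:\d\d:\d\d\d): ?(.*)$", re.M)
HEXROW = re.compile(r"^([<>])((?:[0-9A-F]{2} )+)\|")  # '<' = sent, '>' = received
CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def chap_events(text):
    """Return (time, direction, kind, id, name) for every CHAP packet and CHAP timeout."""
    events, buf, meta = [], bytearray(), None
    def flush():
        nonlocal buf, meta
        if meta and len(buf) >= 6 and buf[:2] == b"\xc2\x23":  # PPP protocol field = CHAP
            code, ident, length = buf[2], buf[3], int.from_bytes(buf[4:6], "big")
            body = bytes(buf[6:2 + length])  # trust the CHAP Length, drop dump padding
            name = body[1 + body[0]:].decode("ascii", "replace") if code in (1, 2) and body else ""
            events.append((meta[0], meta[1], CODES.get(code, str(code)), ident, name))
        buf, meta = bytearray(), None
    for m in LINE.finditer(text):
        ts, rest = m.groups()
        h = HEXROW.match(rest)
        if h:  # another 16-byte row of the current packet
            meta = meta or (ts, "sent" if h.group(1) == "<" else "recv")
            buf += bytes.fromhex(h.group(2).strip())
        else:  # any non-hex line ends the packet being collected
            flush()
            if t := re.match(r"Recv timeout .*Id=(\d+),Protocol=c223", rest):
                events.append((ts, "local", "Timeout", int(t.group(1)), ""))
    flush()
    return events

def unanswered_responses(events):
    """(id, first send time, timeout time) for each sent Response that timed out unanswered."""
    first_sent, stalled = {}, []
    for ts, direction, kind, ident, _name in events:
        if kind == "Response" and direction == "sent":
            first_sent.setdefault(ident, ts)
        elif kind in ("Success", "Failure") and direction == "recv":
            first_sent.pop(ident, None)
        elif kind == "Timeout" and ident in first_sent:
            stalled.append((ident, first_sent[ident], ts))
    return stalled
```

An empty result means every Response got a reply; an entry means the client's Response, or the server's reply to it, was lost somewhere on the path.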
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Thu Feb 17, 2005 4:04 am

It'd help to get a little background on how your network is set up behind the Mikrotik. Are you using NAT? Are you firewalling at all?

I have a network with 200+ users up and running with multiple Mikrotiks deployed throughout the WAN, and the majority of our users VPN into work. None have had any real problems, a few glitches here and there most likely due to my firewall setup. What I did to correct that was I allowed ALL traffic to his specific IP address, bypassing all my filters.
 
brianlewis
Member Candidate
Topic Author
Posts: 134
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Wed Mar 02, 2005 7:06 pm

Found one of the issues: basically the AT&T Voice over IP Linksys Router can't talk to any machine behind the Mikrotik Router. If you remove either the Mikrotik or the Linksys, the VPN connects just fine.
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Thu Mar 03, 2005 2:28 pm

A problem with many PPTP implementations has been that the session id number, which should be unique for each session, is not (i.e. it's always zero or another static number).
PPTP "helper" (/ ip firewall service-port) requires a unique session id per session (and should be enabled when NAT'ing).
I don't know if this could explain your problems specifically.
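
Why a static session id matters to a NAT helper, as an added example that is not part of the original post and is not MikroTik's code: PPTP data travels in enhanced GRE (IP protocol 47, RFC 2637), whose header carries the receiving peer's Call ID, and a helper has only that field to tell sessions to the same server apart. `GreTracker`, `gre()` and all addresses and Call IDs below are constructed for illustration.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)

def parse_pptp_gre(pkt):
    """Decode the fixed 8-byte enhanced GRE header carried in IP protocol 47."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    # PPTP requires version 1 and the Key-present bit (key = payload length + Call ID).
    if proto != PPTP_GRE_PROTO or (flags & 0x0007) != 1 or not (flags & 0x2000):
        raise ValueError("not a PPTP enhanced GRE packet")
    return {"has_seq": bool(flags & 0x1000), "has_ack": bool(flags & 0x0080),
            "payload_len": payload_len, "call_id": call_id}

class GreTracker:
    """Simplified model of a NAT helper: inbound GRE is matched on (server, Call ID)."""

    def __init__(self):
        self.owner = {}  # (server_ip, client_call_id) -> inside host

    def register(self, inside_ip, server_ip, client_call_id):
        """Record the Call ID seen on the TCP 1723 control channel; False on a clash."""
        return self.owner.setdefault((server_ip, client_call_id), inside_ip) == inside_ip

    def route_inbound(self, server_ip, pkt):
        """Inside host that should receive a GRE packet from server_ip, or None."""
        return self.owner.get((server_ip, parse_pptp_gre(pkt)["call_id"]))

def gre(call_id, payload=b"\xff\x03\xc2\x23"):
    """Build a constructed enhanced GRE data packet (key and sequence present, seq 0)."""
    return struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, len(payload), call_id, 0) + payload

def demo():
    t = GreTracker()  # all addresses are documentation-range placeholders
    unique = [t.register("192.0.2.10", "203.0.113.5", 0x4001),
              t.register("192.0.2.11", "203.0.113.5", 0x4002)]
    static = [t.register("192.0.2.20", "198.51.100.7", 0),
              t.register("192.0.2.21", "198.51.100.7", 0)]  # both clients always send 0
    return (unique, static,
            t.route_inbound("203.0.113.5", gre(0x4002)),
            t.route_inbound("198.51.100.7", gre(0)))
```

With unique Call IDs both sessions register and inbound GRE reaches the right host; with a static Call ID the second session clashes and its GRE traffic would be delivered to the first host.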
 
brianlewis
Member Candidate
Topic Author
Posts: 134
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Thu Mar 03, 2005 7:06 pm

The router is set up with internet IPs on both sides: a WAN IP on the outside, and Internet IPs on the inside. It just routes a /21 network of IPs on the internet. There is no NAT enabled, so there shouldn't need to be any additional settings on the Mikrotik since it's just routing the traffic with no NAT.
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Thu Mar 03, 2005 10:16 pm

Then have you opened both TCP 1723 (the port opened on the PPTP server) and IP protocol 47 (GRE)?

PPTP should require no other ports/protocols.
 
brianlewis
Member Candidate
Topic Author
Posts: 134
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Fri Mar 04, 2005 12:49 am

Yes, all ports open, only Microsoft SMB (135-139,445) and SNMP blocked, nothing else. It's all internet traffic, no need for hard firewalling.
 
sboselli
just joined
Posts: 14
Joined: Thu Dec 30, 2004 5:49 pm

Thu Mar 10, 2005 8:03 am

We are having the same problem brian has...

Recently we had to migrate some of ours behind a MT box and they no longer can VPN into their servers, inside the MT network.

For wildbill442, I think that you're speaking of users inside your MT networks that can successfully VPN to servers outside, while brianlewis and I have problems with VPN connections inwards.

It's as if MT can't recognize the packet isn't destined for itself, and does not route the packet to the correct destination.

I'll try to post more details later.

Regards.
