cancel
Showing results for 
Search instead for 
Did you mean: 
bschorr
Level 7

PPTP Server Not Working? (SG580)

Jump to solution

Since upgrading our SG580 to 4.05(?) Firmware we can't seem to remote to the network anymore with PPTP.

I went to the PPTP server page, enabled it, created a user, make sure it was part of the PPTP Access Group, have checked the encryption required settings (even set them to be VERY relaxed, as a test) and yet every attempt to connect with Windows 7 and PPTP fails.  It worked fine with the previous 3.x firmware on the SG580.

Any suggestions for what I should check?

-B-

0 Kudos
1 Solution

Accepted Solutions
trymes
Level 9

Re: PPTP Server Not Working? (SG580)

Jump to solution

OK, this thread has been dormant for a month or so, but I am experiencing the same problem:

1.) PPTP worked fine from everywhere using Firmware 3.2.2. Never had a problem. Ever. EVER.

2.) Upgrade to 4.0.6 and PPTP now will not work, no matter what settings I try.Ever. EVER.

I have read the various threads here and seen the responses about GRE and about how NAT is the problem, along with the amusing suggestions that I should fix my broken router on the client side and this problem will go away. From what I understand, PPTP is like SIP in that there is a control port and a GRE port (port range?) that needs to associated, etc with that PPTP session.

Having said that, I must reiterate what was said by another user earlier: This worked in 3.2.2, and now it does not work. The only variable here that has changed is the Firmware on the SnapGear Unit. Maybe the default settings in the PPTP files were altered, maybe the chap-secrets file is not being updated properly, maybe the version of pppd or the version of pptpd was changed, and some esoteric change made to those programs has caused this behavior, be it a stricter adherence to standards, a security fix, or who knows what. SOMETHING CHANGED.

No matter what the cause, there has to be an explanation as to when one version acts one way and another acts differently. In the meantime, suggesting to users that they work from a public IP or that their NAT unit is the problem is unhelpful and unrealistic unless there is some explanation as to what has changed, why this change is necessary, and why a different work-around is not available.

This looks to be a (all too common) case of a vendor being "right" but shooting themselves in the foot because end users don't care what the reason is, they just care if it works. Imagine this exchange in my office:

MGMT- "What happened to the VPN? Nobody can connect anymore. Our sales force NEEDS to be able to connect when they are on the road."

IT - "The recent upgrade we performed on the router seems to have broken PPTP. The Vendor says it's a problem that has been there all along with the routers on the other end of the connection and that it's just a coincidence that we are only now noticing it."

M - "That doesn't even pass the sniff test."

I- "I know."

M - "Do they have a suggestion as to how to fix it?"

I - "We could replace the NAT devices at each client location, including every hotel that our salespeople stay at in the entire world."

M - "They actually suggested that? Talk about Cranial Rectosis! My buddy's company isn't having these problems. They use BrandX for their equipment. Replace the McAfee units with BrandX routers."

I - "Sir, Yes Sir."

Was my point sufficiently blunt? Output from the System log is included below. You can see that I disabled the Authenication and encryption settings.

Apr 10 14:27:57 cgix[7135]: config_change[120] by root: set vpn.pptpserver encryption.strength none 
Apr 10 14:27:57 cgix[7135]: config_change[120] by root: set vpn.pptpserver auth none
Apr 10 14:27:57 cgix[7135]: config_change[120] by root: set vpn.pptpserver debug 1
Apr 10 14:27:58 packet[309]: nf_ct_tcp: invalid packet ignored SRC=208.52.152.13 DST=75.147.22.81 LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=38984 DF PROTO=TCP SPT=51220 DPT=993 WINDOW=5840 SYN URGP=0 
Apr 10 14:27:58 flatfs[7153]: using storage at /dev/flash/config
Apr 10 14:27:59 pptpd[7155]: MGR: Maximum of 100 connections reduced to 16, not enough IP addresses given
Apr 10 14:27:59 pptpd[7155]: MGR: Manager process started
Apr 10 14:27:59 pptpd[7155]: MGR: Maximum of 16 connections available
Apr 10 14:27:59 flatfs[7153]: saving fs to partition 1, tstamp=9626 
Apr 10 14:28:00 packet[309]: Default - dropped: IN=eth1 MAC=00:13:f7:9d:42:d4 SRC=68.87.71.227 DST=75.147.22.81 LEN=72 TOS=0x00 PREC=0x40 TTL=58 ID=0 DF PROTO=UDP SPT=53 DPT=1099 LEN=52 
Apr 10 14:28:02 dnsmasq[301]: reading /etc/config/resolv.dnsmasq
Apr 10 14:28:02 dnsmasq[301]: using nameserver 68.87.73.242#53
Apr 10 14:28:02 dnsmasq[301]: using nameserver 68.87.71.226#53
Apr 10 14:28:02 firewall[7157]: executing firewall rules
Apr 10 14:28:04 packet[309]: nf_ct_tcp: invalid packet ignored SRC=208.52.152.13 DST=75.147.22.81 LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=38985 DF PROTO=TCP SPT=51220 DPT=993 WINDOW=5840 SYN URGP=0 
Apr 10 14:28:04 flatfs[7153]: Wrote 43494 bytes to flash in 5 seconds
Apr 10 14:28:05 pluto[417]: ERROR: "West_Lebanon_2" #4179: sendto on eth1 to 75.144.180.137:500 failed in ISAKMP notify. Errno 1: Operation not permitted
Apr 10 14:28:05 pluto[417]: ERROR: "Lancaster_3" #4207: sendto on eth1 to 24.213.224.151:500 failed in ISAKMP notify. Errno 1: Operation not permitted
Apr 10 14:28:06 pptpd[7278]: CTRL: Client 208.52.153.81 control connection started
Apr 10 14:28:06 pptpd[7278]: CTRL: Starting call (launching pppd, opening GRE)
Apr 10 14:28:06 pppd[7279]: pppd 2.4.4 started by root, uid 0
Apr 10 14:28:06 pppd[7279]: using channel 5
Apr 10 14:28:07 pppd[7279]: Using interface ppp0
Apr 10 14:28:07 pppd[7279]: Connect: ppp0 <--> /dev/pts/0
Apr 10 14:28:07 pppd[7279]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x6fb1dfd0> <pcomp> <accomp>]
Apr 10 14:28:08 pluto[417]: "antrim_6" #4224: received Delete SA(0xe212f5b0) payload: deleting IPSEC State #4159
Apr 10 14:28:08 pluto[417]: "antrim_6" #4224: received and ignored informational message
Apr 10 14:28:10 pppd[7279]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x6fb1dfd0> <pcomp> <accomp>]
Apr 10 14:28:10 pppd[7279]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x79717d32> <pcomp> <accomp>]
Apr 10 14:28:10 pppd[7279]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x79717d32> <pcomp> <accomp>]
Apr 10 14:28:10 pppd[7279]: rcvd [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x6fb1dfd0> <pcomp> <accomp>]
Apr 10 14:28:10 pppd[7279]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Apr 10 14:28:10 pppd[7279]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.0.1>]
Apr 10 14:28:10 pppd[7279]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x79717d32> <pcomp> <accomp>]
Apr 10 14:28:10 pppd[7279]: sent [LCP ConfReq id=0x2 <mru 1400> <asyncmap 0x0> <magic 0x598747b8> <pcomp> <accomp>]
Apr 10 14:28:10 pppd[7279]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x79717d32> <pcomp> <accomp>]
Apr 10 14:28:10 pppd[7279]: rcvd [LCP EchoReq id=0x0 magic=0x79717d32]
Apr 10 14:28:10 pppd[7279]: rcvd [LCP TermReq id=0x2 "MPPE required but not available"]
Apr 10 14:28:10 pppd[7279]: sent [LCP TermAck id=0x2]
Apr 10 14:28:10 pptpd[7278]: CTRL: EOF or bad error reading ctrl packet length.
Apr 10 14:28:10 pptpd[7278]: CTRL: couldn't read packet header (exit)
Apr 10 14:28:10 pptpd[7278]: CTRL: CTRL read failed
Apr 10 14:28:10 pptpd[7278]: CTRL: Reaping child PPP[7279]
Apr 10 14:28:10 pppd[7279]: Modem hangup
Apr 10 14:28:10 pppd[7279]: Connection terminated.
Apr 10 14:28:10 pppd[7279]: Exit.

Now again, but this time after enabling MSCHAPv2 and setting to Strong Encryption:

Apr 10 15:07:41 cgix[9388]: config_change[121] by root: unset vpn.pptpserver encryption.strength
Apr 10 15:07:41 cgix[9388]: config_change[121] by root: unset vpn.pptpserver auth
Apr 10 15:07:42 flatfs[9392]: using storage at /dev/flash/config
Apr 10 15:07:44 pptpd[9395]: MGR: Maximum of 100 connections reduced to 16, not enough IP addresses given
Apr 10 15:07:44 pptpd[9395]: MGR: Manager process started
Apr 10 15:07:44 pptpd[9395]: MGR: Maximum of 16 connections available
Apr 10 15:07:44 flatfs[9392]: saving fs to partition 0, tstamp=9627 
Apr 10 15:07:47 dnsmasq[301]: reading /etc/config/resolv.dnsmasq
Apr 10 15:07:47 dnsmasq[301]: using nameserver 68.87.73.242#53
Apr 10 15:07:47 dnsmasq[301]: using nameserver 68.87.71.226#53
Apr 10 15:07:47 firewall[9397]: executing firewall rules
Apr 10 15:07:48 flatfs[9392]: Wrote 43504 bytes to flash in 5 seconds
Apr 10 15:07:49 pptpd[9471]: CTRL: Client 208.52.153.81 control connection started
Apr 10 15:07:49 pptpd[9471]: CTRL: Starting call (launching pppd, opening GRE)
Apr 10 15:07:50 pppd[9473]: The remote system is required to authenticate itself
Apr 10 15:07:50 pppd[9473]: but I couldn't find any suitable secret (password) for it to use to do so.
Apr 10 15:07:50 pptpd[9471]: GRE: read(fd=7,buffer=1fb10,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Apr 10 15:07:50 pptpd[9471]: CTRL: PTY read or GRE write failed (pty,gre)=(7,8)
Apr 10 15:07:50 pptpd[9471]: CTRL: Reaping child PPP[9473]
Apr 10 15:07:50 pptpd[9471]: CTRL: Client 208.52.153.81 control connection finished
Apr 10 15:07:50 pptpd[9471]: CTRL: Couldn't write packet to client.
Apr 10 15:07:50 last message repeated 1 time(s)
Apr 10 15:07:50 packet[309]: nf_ct_tcp: invalid packet ignored SRC=41.140.33.172 DST=75.147.22.81 LEN=48 TOS=0x00 PREC=0x20 TTL=108 ID=3459 DF PROTO=TCP SPT=25337 DPT=25 WINDOW=64380 SYN URGP=0 
Apr 10 15:07:51 packet[309]: Default - dropped: IN=eth1 MAC=00:13:f7:9d:42:d4 SRC=208.52.153.81 DST=75.147.22.81 LEN=60 TOS=0x00 PREC=0x20 TTL=240 ID=54910 PROTO=47 
Apr 10 15:07:56 packet[309]: nf_ct_tcp: invalid packet ignored SRC=41.140.33.172 DST=75.147.22.81 LEN=48 TOS=0x00 PREC=0x20 TTL=108 ID=4773 DF PROTO=TCP SPT=25337 DPT=25 WINDOW=64380 SYN URGP=0 

Apr 10 14:28:10 pptpd[7278]: CTRL: Client 208.52.153.81 control connection finished
Apr 10 14:28:10 pptpd[7278]: CTRL: Couldn't write packet to client.
Apr 10 14:28:24 last message repeated 1 time(s)

Also, I note that there is a warning on the PPTP configuration page about adding a user. I have added a user to the system (I was using RADIUS on 3.2.2, but I eliminated that until I can make this work with local users. No point in introducing more variables here.) Maybe this is the system saying that something is wrong with the user setup. If so, again, SOMETHING HAS CHANGED in the user setup, maybe. Maybe it's just a generic warning.  See the screen shots below:

Screen shot 2010-04-10 at 3.12.22 PM.png

Screen shot 2010-04-10 at 3.16.21 PM.png

Hopefully we can get some sort of solution here.

Tom

0 Kudos
63 Replies
bschorr
Level 7

Re: PPTP Server Not Working? (SG580)

Jump to solution

Just as an update the error I get is the 691 error on the workstation side.  I've tried setting the account password to a simple "1" even to make sure I wasn't mistyping it, but still no joy.  Nothing I've tried will let me successfully connect my Windows 7 PPTP client to the SG580 PPTP server running 4.05 firmware.

-B-

0 Kudos
rcamm
Level 13

Re: PPTP Server Not Working? (SG580)

Jump to solution

Make sure you are using 4.0.5 firware as it does resolve PPTP server issues in previous versions.

If issues persist, check the syslog for messages which may indicate what the issue is.

0 Kudos
bschorr
Level 7

Re: PPTP Server Not Working? (SG580)

Jump to solution

Yes, we are running 4.0.5.

My associate looked at the SysLog on the SG580 today, while I was trying (failing) to connect to it and she didn't see anything diagnostically useful there but it may be that she just didn't know what to look for.  I will try to go to the site tomorrow to take a look for myself.

Any common issues that cause this that I should be on the lookout for?

-B-

0 Kudos
Highlighted
rcamm
Level 13

Re: PPTP Server Not Working? (SG580)

Jump to solution

The PPTP server config page has a debug option under 'advanced' which will populate the syslogs with additional info.

Also, if you are using a RADIUS server, check that local authentication works first to see if you can narrow down the problem to the RADIUS server if applicable.

0 Kudos
bschorr
Level 7

Re: PPTP Server Not Working? (SG580)

Jump to solution

Unfortunately I'm a 25 minute drive from the site and so when I try to test it by the time I get there the syslogs may have been overwritten with further messages.  I have to try and figure out a way to have somebody else try it while I look at the logs I guess.

Now I've tried disabling the SG580's PPTP server entirely and forwarding port 1723 to one of our Windows servers that has the RRAS server running...still can't connect. Everything just fails with a 619 error.

I'll see if I can find anything off the log files that is helpful.  Any other ideas?

0 Kudos
rcamm
Level 13

Re: PPTP Server Not Working? (SG580)

Jump to solution

If you have any NAT devices in the path it can be useful to reboot them due to the issues discussed in KB62307

0 Kudos
bschorr
Level 7

Re: PPTP Server Not Working? (SG580)

Jump to solution

I have a NAT device on the client end - it rebooted last night (power failure) but just to be safe I just rebooted it now.  No joy - same result.

0 Kudos
rcamm
Level 13

Re: PPTP Server Not Working? (SG580)

Jump to solution

I think you are at the point of contact support and sending in TSR.

http://community.mcafee.com/docs/DOC-1061

From there we can usualy spot the issue.

0 Kudos
bschorr
Level 7

Re: PPTP Server Not Working? (SG580)

Jump to solution

O.K., I'll collect a TSR in the next few days and go from there.

Thanks!

0 Kudos