New Member
Posts: 12
Registered: ‎05-24-2015
Kudos: 1

L2TP outbound is blocked

Hi all,

 

I am experiencing a weird issue. Somehow the USG is blocking L2TP VPN going outbound. I removed almost all rules and removed the firewall settings from the interfaces, but it looks like it's just not doing anything with the traffic. Wireshark on the client PC shows it is trying to initiate the VPN to the remote party. I enabled logging on all firewall rules including the default log, but nothing is showing up. If I just send a UDP packet on port 500 to the same destination, it shows up.

Does anybody have an idea if there are default settings in the USG that might block L2TP traffic going in/out?

Thanks!

New Member
Posts: 12
Registered: ‎05-24-2015
Kudos: 1

Re: L2TP outbound is blocked

Is there anybody that might have an idea?

New Member
Posts: 12
Registered: ‎05-24-2015
Kudos: 1

Re: L2TP outbound is blocked

@UBNT-MikeD, do you have an idea?

New Member
Posts: 1
Registered: ‎03-07-2018

Re: L2TP outbound is blocked

Did you ever figure this out? I have the same problem.

New Member
Posts: 12
Registered: ‎05-24-2015
Kudos: 1

Re: L2TP outbound is blocked

No, I did a lot of testing with even custom NAT etc. but it simply stops at this gateway.

Any experts here?

New Member
Posts: 23
Registered: ‎10-29-2015
Kudos: 2

Re: L2TP outbound is blocked


@tjmjansen wrote:

No, I did a lot of testing with even custom NAT etc. but it simply stops at this gateway.

Any experts here?

Seems the latest USG update has somehow blocked all my outbound VPNs from all the Windows 10 machines on my LAN.

So on the Windows machines I have access to remote client servers set up with IPsec and L2TP, a couple of different types. They all did work and now they don't, but interestingly if I have the VPN configured on my tablet or phones they'll still connect just fine; it's only the Windows machines that are affected!

Desperate to try and resolve this as it currently means I can't work, and if I can't work I'm going to throw the USG in the bin at mine and I'll stop recommending it to my clients when they ask me for recommendations.

Veteran Member
Posts: 5,807
Registered: ‎01-04-2017
Kudos: 835
Solutions: 296

Re: L2TP outbound is blocked

How about adding some details for troubleshooting.
Detail #1 firmware
Detail #2 ISP
Detail #3 config
Detail #4 firmware you can roll back to where you don't experience this problem.

New Member
Posts: 12
Registered: ‎05-24-2015
Kudos: 1

Re: L2TP outbound is blocked

I am experiencing this since at least 4.3.x of the USG firmware.

I have the feeling it's also related to Windows; from iOS, L2TP out works fine.

But on all different Windows machines (7, 8, 10) it all gives error 789.

New Member
Posts: 23
Registered: ‎10-29-2015
Kudos: 2

Re: L2TP outbound is blocked


@smyers119 wrote:
How about adding some details for troubleshooting.
Detail #1 firmware
Detail #2 ISP
Detail #3 config
Detail #4 firmware you can roll back to where you don't experience this problem.

Unfortunately when I wrote that I was at home, not at the office. Now I'm here I can provide a little more detail.

1) USG-PRO running firmware 4.4.29.5124212

2) ISP doesn't factor into it. The fact it still works on mobile devices on a different VLAN makes me think it's either a USG config change with an update or it's something MS have done with Windows, only I can't see anything wrong Windows-wise, and all VPNs have stopped working on Windows, not just one type, so I'm leaning to something LAN-wise causing the issue on the primary LAN but not on the wifi LANs.

3) config attached

4) I could, but then I'd also have to roll back the controller to get back to a known good working state and stuff. It's not as simple as "oh just roll back".

If it helps, this is the error Windows gives me when trying to connect:

CoId={9A310BEB-0F8A-4859-B169-BFDFF0FC4CC3}: The user SYSTEM dialed a connection named Office which has failed. The error code returned on failure is 809.

Which as best as I can see means "we're behind a NAT that is blocking it". This never used to be the case when I first provisioned the USG, so again leading me to think it's a network level issue, not a Windows issue, although I could be wrong, that's for sure.

Veteran Member
Posts: 5,807
Registered: ‎01-04-2017
Kudos: 835
Solutions: 296

Re: L2TP outbound is blocked

@fc-dave wrote:

4) I could, but then I'd also have to roll back the controller to get back to a known good working state and stuff. It's not as simple as "oh just roll back".

If it helps, this is the error Windows gives me when trying to connect:

CoId={9A310BEB-0F8A-4859-B169-BFDFF0FC4CC3}: The user SYSTEM dialed a connection named Office which has failed. The error code returned on failure is 809.

Which as best as I can see means "we're behind a NAT that is blocking it". This never used to be the case when I first provisioned the USG, so again leading me to think it's a network level issue, not a Windows issue, although I could be wrong, that's for sure.

Windows 10 has a lot of VPN issues, so I definitely wouldn't rule it out.

Open up 2 SSH sessions at the same time on the USG.

In the one:

sudo tcpdump -i pppoe0 -vv port 500 OR port 1723 and UDP

In the second one:

sudo tcpdump -i [LAN INTERFACE HERE] -vv port 500 OR port 1723 and UDP and host x.x.x.x (IP of WIN computer you're testing from)

If you're able to open up a 3rd SSH session into the VPN endpoint device (assuming it's a UniFi/EdgeRouter or any Debian based box) and do:

sudo swanctl --log

After you're done all of that, then go ahead and try to initiate a connection and post the output.

EDIT: Corrected tcpdump syntax
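An added example (not from this thread or from Ubiquiti) of how the two captures asked for above can be correlated once collected: it parses tcpdump-style lines for the UDP ports an L2TP/IPsec client uses (500 for IKE, 4500 for NAT-T, 1701 for L2TP, so the capture filter should include all three) and reports the first stage at which packets stop crossing the USG. The capture lines, IP addresses and port-to-stage names are constructed placeholders.

```python
import re
from collections import Counter

# tcpdump's "IP src.port > dst.port:" prefix (assumes IPv4 and numeric -n output).
_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# UDP ports an L2TP/IPsec client uses, in negotiation order.
STAGES = {500: "IKE", 4500: "NAT-T", 1701: "L2TP"}

def count_stages(capture, local_ip, remote_ip):
    """Per stage, count packets local_ip sent to remote_ip and replies it got back."""
    sent, recv = Counter(), Counter()
    for line in capture.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if src == local_ip and dst == remote_ip and dport in STAGES:
            sent[STAGES[dport]] += 1
        elif src == remote_ip and dst == local_ip and sport in STAGES:
            recv[STAGES[sport]] += 1
    return sent, recv

def diagnose(lan_capture, wan_capture, client_ip, wan_ip, remote_ip):
    """Compare LAN and WAN captures; return (stage, finding) for each stage the client tried."""
    lan_sent, lan_recv = count_stages(lan_capture, client_ip, remote_ip)
    wan_sent, wan_recv = count_stages(wan_capture, wan_ip, remote_ip)
    findings = []
    for stage in STAGES.values():
        if not lan_sent[stage]:
            continue  # client never reached this stage
        if not wan_sent[stage]:
            findings.append((stage, "seen on LAN but never left WAN: dropped or not NATed by the gateway"))
        elif not wan_recv[stage]:
            findings.append((stage, "left WAN but no reply: upstream filtering or remote end not answering"))
        elif not lan_recv[stage]:
            findings.append((stage, "reply reached WAN but was not forwarded to the client"))
        else:
            findings.append((stage, "OK"))
    return findings
# Constructed sample captures (not from the thread): IKE completes, the NAT-T packet vanishes at the USG.
LAN_CAPTURE = """\
12:00:01.000000 IP 192.168.1.50.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:01.050000 IP 203.0.113.10.500 > 192.168.1.50.500: isakmp: phase 1 R ident
12:00:01.100000 IP 192.168.1.50.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident
"""
WAN_CAPTURE = """\
12:00:01.001000 IP 198.51.100.7.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:01.049000 IP 203.0.113.10.500 > 198.51.100.7.500: isakmp: phase 1 R ident
"""
```

Run `diagnose(LAN_CAPTURE, WAN_CAPTURE, "192.168.1.50", "198.51.100.7", "203.0.113.10")` on the sample data to see IKE reported OK and NAT-T reported as never leaving the WAN side, which is the pattern the earlier posts describe (port 500 passes, the VPN still fails).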

 

 

Veteran Member
Posts: 5,807
Registered: ‎01-04-2017
Kudos: 835
Solutions: 296

Re: L2TP outbound is blocked


@tjmjansen wrote:

I am experiencing this since at least 4.3.x of the USG firmware.

I have the feeling it's also related to Windows; from iOS, L2TP out works fine.

But on all different Windows machines (7, 8, 10) it all gives error 789.


789 is usually an authentication issue.

New Member
Posts: 23
Registered: ‎10-29-2015
Kudos: 2

Re: L2TP outbound is blocked

I'll try the packet logs later when I get a chance. The remote end points are 2x USGs and 1x Cisco device, which unfortunately, because I can't VPN into them, means I can't access them, as their SSH ports are LAN-side only, so we'll have to make do with client side for now.

I put USGs in all the client offices and here, as at the time it just worked and was nice and simple. Now I'm basically shut out from all my clients, which is pretty bad. The Cisco firewall is in the data centre between me and my servers.

Veteran Member
Posts: 5,807
Registered: ‎01-04-2017
Kudos: 835
Solutions: 296

Re: L2TP outbound is blocked

The only thing I see interesting in the config is that the MTU is not explicitly set for the PPPoE interface, so I would assume the router wouldn't know to fragment, as the only thing in the config telling it to fragment packets is MSS clamping (which is TCP only).

That's something we should be able to catch in the packet capture though.

But if you wanted to specifically test that, you could reduce the MTU on the computer to 1400 (when testing I always use an exaggerated number).

New Member
Posts: 12
Registered: ‎05-24-2015
Kudos: 1

Re: L2TP outbound is blocked

@smyers119 Thanks for your help. I see I typed the password correctly; I see the 809 now.

I will try to do some packet dumps for you, let's see what comes out there!

Thanks!
