No simultanious L2TP/IPSEC VPN client connections possible to TMG 2010 Enterprise
-
lunedì 7 giugno 2010 15:31
Hello,
we have an issue after migrating from ISA 2006 to TMG 2010. Previously we could support several client VPN connections for our admins and clients (up to 30 people working simultaniously). We installed a new Windows 2008 R2 Enterprise machine on the same hardware with TMG 2010 Enterprise and did a restore of the ISA config via Enterprise Management System. Now we can't open more than one VPN session to the server from the same network:
- f.e. one of our customers has a network with several clients and can open only 1 L2TP VPN session; the next client gets an error 806 or error 619 when opening the windows-vpn (depending on the windows version).
- at the same time we can connect 1 L2TP session from our own network, but no second
- a home-user can also connect
I've seen about 10 connections at the same time, but all from different locations and never when 2 people are in the same location. All the locations are also different in architecture (clients, suppliers, home users, ...) so it's not related to a specific type of network device on client-side. There are win XP, win Vista and Win 7 pc's, all with the same problem.
Our settings:
vpn ip range from 10.2.250.1 to 10.2.250.50
vpn gateway (TMG) = 10.2.250.1
max concurrent clients = 49
protocol: L2TP/IPSEC with preshared key
server is located in a datacenter with its own public IPs, all client-locations are not related to this datacenter in any way (no site-to-sites etc)
As a workaround we opened PPTP. This seems to work in at least one case (several people can work simultaniously) but we would like to go back to the more secure L2TP of course.
Any help would be greatly appreciated.
Edit: I also found several other people with the same issue, but no solution yet:
f.e. http://forums.isaserver.org/m_2002096562/mpage_1/key_/tm.htm#2002100770
Tnx,
Geert
Tutte le risposte
-
lunedì 7 giugno 2010 19:44PostatoreSo what you are saying is that 2 users on the same remote network behind the same NAT device are not able to connect simultaneously using L2TP? But 2 users from completely different networks can?
-
martedì 8 giugno 2010 05:11Indeed, that's the case
-
martedì 8 giugno 2010 07:51
Geert,
You might have a look at my blog post; I had some similar issues when using VPN on Forefront TMG...
Cheers,
Peter
-
mercoledì 9 giugno 2010 18:13Postatore
This is actually not a TMG issue or even a Windows 2008 RRAS issue. The reason that this occurs is because of the way that L2TP works and specifically IPSec. Please see this blog for a complete explanation
http://blogs.isaserver.org/pouseele/2007/11/24/multiple-l2tpipsec-vpn-clients-behind-a-nat-device/
Also see this.
http://support.microsoft.com/kb/818043/ and http://support.microsoft.com/kb/926179
HTH
Keith
- Proposto come risposta Keith AblutonMicrosoft Employee, Editor mercoledì 9 giugno 2010 20:32
- Contrassegnato come risposta Nick Gu - MSFTMicrosoft Contingent Staff, Moderator sabato 12 giugno 2010 17:01
- Contrassegno come risposta annullato Geert Baeten mercoledì 16 giugno 2010 08:14
-
mercoledì 16 giugno 2010 08:13
Sorry for the late reply, I got a beautifull little daughter last tuesday so I was out a few days...
Back to the issue: I had already found the MS-articles you described and they were unfortunately not of use:
- the first one applies specifically to XP; the problem is also present at all other windows versions. As of SP2 this patch is also automatically included and we are already at SP3.
- we also tried the AssumeUDPEncapsulationContextOnSendRule parameter (even on windows versions that were not mentioned in the "applies to"-list) but with no success.
The blog-post mentiones a malfunctioning NAT-device at the client-side, but we had no problems when using ISA 2006. It only started after shutting down ISA and putting TMG in its place. We've seen the same problem occur with every single firewall / NAT device at our different customers networks so it's no stand-alone incident. After a manual failback to ISA at our datacenter, every L2TP connection from "the cloud" to our datacenter was OK again (without changing any NAT devices).
Unfortunately we had to take TMG offline for now and fall back to ISA, so I need extra time before I can give extra feedback. I'll make sure send an update as soon as we're ready to try again.
Tnx,
Geert
-
mercoledì 16 giugno 2010 08:17
We are working on our staging-environment to create an exact replica of our production ISA/TMG-servers. I'll give it a try and post an update a.s.a.p.
Tnx,
Geert
-
lunedì 21 giugno 2010 13:07
Hi,
Just to let you know that you are not alone.
We had the same problem and had to keep ISA 2006 online to serve L2TP/IPSec connections.
Regards,
Filipe
Filipe Lopes -
lunedì 21 giugno 2010 15:47
Hello,
I am having the same issue. What i can say is that the problem is not TMG related because i already installed a Server 2008 R2 only with RRAS and experienced the exact same problem.
The problem does not happen in all configurations, because i have a customer who is using l2tp with 2008 R2 and TMG installed on a Hyper-V Virtual Machine and having no issues at all.
I my case, all the issues are with HP servers with built-in NICS (Broadcom...) and at the moment i am starting to believe that this can be the problem. I already upgraded firmware and drivers of the NICS with no effect on the resolution of this problem.
What do you think?
Regards,
Nuno Carvalho -
giovedì 5 agosto 2010 10:05
Hi,
I was reading my RSS today and found this blog post from the TMG team regarding this issue: http://blogs.technet.com/b/isablog/archive/2010/08/04/more-than-one-l2tp-vpn-connection-from-behind-a-nat-device-fails-with-error-809-when-tmg-2010-has-been-configured-as-a-vpn-server.aspx
In the post they refer to this KB: http://support.microsoft.com/kb/2028625/en-us and I just wanted to share that i've applied it and it solves the problem for me.
HTH.
Regards.
Filipe Lopes- Proposto come risposta FilipeLopes giovedì 5 agosto 2010 10:05
- Contrassegnato come risposta James KilnerMicrosoft Contingent Staff, Owner martedì 28 settembre 2010 08:04
-
venerdì 17 settembre 2010 00:31
Great!
Thank You Filipe.
Nuno Carvalho
.png)
