No simultaneous L2TP/IPSEC VPN client connections possible to TMG 2010 Enterprise

  • Question

  • Hello,

     

    we have an issue after migrating from ISA 2006 to TMG 2010. Previously we could support several client VPN connections for our admins and clients (up to 30 people working simultaneously). We installed a new Windows 2008 R2 Enterprise machine on the same hardware with TMG 2010 Enterprise and did a restore of the ISA config via Enterprise Management System. Now we can't open more than one VPN session to the server from the same network:

    - e.g. one of our customers has a network with several clients and can open only 1 L2TP VPN session; the next client gets an error 806 or error 619 when opening the Windows VPN (depending on the Windows version).

    - at the same time we can connect 1 L2TP session from our own network, but no second

    - a home-user can also connect

    I've seen about 10 connections at the same time, but all from different locations and never when 2 people are in the same location. All the locations are also different in architecture (clients, suppliers, home users, ...) so it's not related to a specific type of network device on the client side. There are Windows XP, Windows Vista and Windows 7 PCs, all with the same problem.

     

    Our settings:

    vpn ip range from 10.2.250.1 to 10.2.250.50

    vpn gateway (TMG) = 10.2.250.1

    max concurrent clients = 49

    protocol: L2TP/IPSEC with preshared key

    server is located in a datacenter with its own public IPs, all client-locations are not related to this datacenter in any way (no site-to-sites etc)

     

    As a workaround we opened PPTP. This seems to work in at least one case (several people can work simultaneously) but we would like to go back to the more secure L2TP of course.

     

    Any help would be greatly appreciated.

     

    Edit: I also found several other people with the same issue, but no solution yet:

    e.g. http://forums.isaserver.org/m_2002096562/mpage_1/key_/tm.htm#2002100770

     

    Tnx,

    Geert

    Monday, June 7, 2010 3:31 PM

All replies

  • So what you are saying is that 2 users on the same remote network behind the same NAT device are not able to connect simultaneously using L2TP? But 2 users from completely different networks can?
    Monday, June 7, 2010 7:44 PM
  • Indeed, that's the case
    Tuesday, June 8, 2010 5:11 AM
  • Geert,

    You might have a look at my blog post; I had some similar issues when using VPN on Forefront TMG...

    http://trycatch.be/blogs/pdtit/archive/2010/03/16/unsuccessfull-vpn-pptp-connection-after-migrating-to-forefront-tmg-2010.aspx

    Cheers,

    Peter

    Tuesday, June 8, 2010 7:51 AM
  • This is actually not a TMG issue or even a Windows 2008 RRAS issue. The reason that this occurs is because of the way that L2TP works and specifically IPSec. Please see this blog for a complete explanation

    http://blogs.isaserver.org/pouseele/2007/11/24/multiple-l2tpipsec-vpn-clients-behind-a-nat-device/

    Also see this.

    http://support.microsoft.com/kb/818043/ and http://support.microsoft.com/kb/926179

    HTH

    Keith


    Wednesday, June 9, 2010 6:13 PM
    Sorry for the late reply, I got a beautiful little daughter last Tuesday so I was out a few days...

     

    Back to the issue: I had already found the MS-articles you described and they were unfortunately not of use:

    - the first one applies specifically to XP; the problem is also present at all other windows versions. As of SP2 this patch is also automatically included and we are already at SP3.

    - we also tried the AssumeUDPEncapsulationContextOnSendRule parameter (even on windows versions that were not mentioned in the "applies to"-list) but with no success.

    The blog post mentions a malfunctioning NAT device at the client side, but we had no problems when using ISA 2006. It only started after shutting down ISA and putting TMG in its place. We've seen the same problem occur with every single firewall / NAT device at our different customers' networks so it's no stand-alone incident. After a manual failback to ISA at our datacenter, every L2TP connection from "the cloud" to our datacenter was OK again (without changing any NAT devices).

    Unfortunately we had to take TMG offline for now and fall back to ISA, so I need extra time before I can give extra feedback. I'll make sure to send an update as soon as we're ready to try again.

    Tnx,

    Geert

    Wednesday, June 16, 2010 8:13 AM
  • We are working on our staging-environment to create an exact replica of our production ISA/TMG-servers. I'll give it a try and post an update a.s.a.p.

    Tnx,

    Geert

    Wednesday, June 16, 2010 8:17 AM
  • Hi,

    Just to let you know that you are not alone.

    We had the same problem and had to keep ISA 2006 online to serve L2TP/IPSec connections.

    Regards,

    Filipe


    Filipe Lopes
    Monday, June 21, 2010 1:07 PM
  • Hello,

    I am having the same issue. What I can say is that the problem is not TMG related because I already installed a Server 2008 R2 only with RRAS and experienced the exact same problem.

    The problem does not happen in all configurations, because I have a customer who is using L2TP with 2008 R2 and TMG installed on a Hyper-V virtual machine and having no issues at all.

    In my case, all the issues are with HP servers with built-in NICs (Broadcom...) and at the moment I am starting to believe that this can be the problem. I already upgraded firmware and drivers of the NICs with no effect on the resolution of this problem.

    What do you think?

    Regards,


    Nuno Carvalho
    Monday, June 21, 2010 3:47 PM
  • Hi,

    I was reading my RSS today and found this blog post from the TMG team regarding this issue: http://blogs.technet.com/b/isablog/archive/2010/08/04/more-than-one-l2tp-vpn-connection-from-behind-a-nat-device-fails-with-error-809-when-tmg-2010-has-been-configured-as-a-vpn-server.aspx

    In the post they refer to this KB: http://support.microsoft.com/kb/2028625/en-us and I just wanted to share that I've applied it and it solves the problem for me.

    HTH.

    Regards.


    Filipe Lopes
    • Proposed as answer by FilipeLopes Thursday, August 5, 2010 10:05 AM
    • Marked as answer by James Kilner Tuesday, September 28, 2010 8:04 AM
    Thursday, August 5, 2010 10:05 AM
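The two concrete knobs this thread ends up pointing at are the client-side AssumeUDPEncapsulationContextOnSendRule registry value from KB926179 (which Geert tried without success) and the server-side hotfix KB2028625 (which Filipe reports as the fix). The following PowerShell is an added diagnostic, not code from the thread or from Microsoft: it reports the state of both so you can tell which side of the problem you are looking at. Assumptions: the registry path and the meaning of the values 0/1/2 are taken from KB926179 for Windows Vista/7 (the XP location differs and is covered by KB818043), and Get-HotFix is used to check the installed-updates list on the Server 2008 R2 RRAS/TMG box.

```powershell
# Added diagnostic (not from the original thread). Run in an elevated
# PowerShell 2.0+ prompt. Without -Server it inspects the NAT-T client
# setting; with -Server it checks for the KB2028625 hotfix.
param(
    [switch]$Server   # use -Server on the Windows 2008 R2 RRAS / TMG box
)

# Assumption: location and value semantics as documented in KB926179
# for Windows Vista / Windows 7 clients. Verify against the article.
$natKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$natName = 'AssumeUDPEncapsulationContextOnSendRule'
$meaning = @{
    0 = 'default: no IPsec SAs to a server behind a NAT device'
    1 = 'IPsec SAs to a server behind a NAT device are allowed'
    2 = 'both client and server may sit behind a NAT device'
}

# Returns the DWORD value, or $null when the value has never been set.
function Get-NatTSetting {
    $item = Get-ItemProperty -Path $natKey -Name $natName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$natName
}

if ($Server) {
    # KB2028625 is the hotfix the thread reports as the fix. Get-HotFix
    # reads the same list as "View installed updates".
    $fix = Get-HotFix -Id 'KB2028625' -ErrorAction SilentlyContinue
    if ($fix) {
        'KB2028625 is installed on {0} (installed {1})' -f $fix.CSName, $fix.InstalledOn
    } else {
        'KB2028625 is NOT installed; a second L2TP/IPsec client behind the same NAT address is expected to fail'
    }
} else {
    $v = Get-NatTSetting
    if ($v -eq $null) {
        "$natName is not set (behaves as 0: $($meaning[0]))"
    } elseif ($meaning.ContainsKey($v)) {
        "$natName = $v ($($meaning[$v]))"
    } else {
        "$natName = $v (value not documented in KB926179)"
    }
    # Changing the value takes effect after a reboot (KB926179).
    # Uncomment to allow both ends behind NAT:
    # Set-ItemProperty -Path $natKey -Name $natName -Type DWord -Value 2
}
```

Note that, as the thread itself shows, a client with the registry value set can still fail against an unpatched Server 2008 R2 VPN server: the client setting only controls whether the client is willing to negotiate NAT-T SAs, while the hotfix addresses the server side that rejected the second client sharing a public address.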
  • Great!

    Thank You Filipe.


    Nuno Carvalho
    Friday, September 17, 2010 12:31 AM