PPTP VPN Client issues with Windows 7 x64 - Spurious ICMP Protocol Unreachable messages sent to server causing disconnection
I've been having a couple of odd issues with Windows 7 x64's VPN client connecting to a Linux PPTP server.
First of all, Windows sometimes causes the GRE tunnel to collapse. At what appear to be random, but clustered times (i.e. it won't happen for a day's connection, then it will happen several times in a row) Windows sends an ICMP 'Protocol Unreachable' (ICMP Type 3, Code 2) message back to the server, and the PPTP server quite rightly then collapses the tunnel. This manifests itself on the Windows client side as a dropped connection, and on the server side I see errors like:
pptpd: GRE: read(fd=7,buffer=6095a0,len=8260) from network failed: status = -1 error = Protocol not available
At first I thought this was possibly a bug with the Linux PPTP server or GRE connection tracking code, but once I broke out the network sniffer and started watching the traffic in detail, I soon found spurious ICMP Protocol Unreachable messages being sent by the Windows clients:
359062 1237.481525 172.x.x.x 82.y.y.y ICMP Destination unreachable (Protocol unreachable)
Where the 172.x.x.x address is the Windows 7 client machine, and the 82.y.y.y address is the external address of the PPTP server. The Windows client returns the contents of the most recent GRE packet in the ICMP payload. Note that the 172.x.x.x address is an RFC1918 private address because I was testing the VPN from inside the corporate network, but the issue also occurs where the client has a public IP. Note also that when testing with the client on the 172.x.x.x address, there are no other routers between the client and the PPTP server.
I've worked around this by blocking all ICMP Protocol Unreachable messages on the PPTP server's firewall, which seems to do the trick. Once the protocol unreachable message is blocked, the PPTP server no longer collapses the GRE tunnel. Instead, a few GRE packets are lost, but the connection recovers without any indication on the client side.
It also then became obvious why this might have been missed during testing of Windows 7 - the default Windows Firewall settings on Windows Servers (and many other VPN devices) block all these ICMP messages by default, which hides the problem with the Windows PPTP client.
The issue occurs on a variety of hardware, with various different processor configurations and network adapters, and also occurred when I tried in a Win7 x64 VM.
This issue did not occur when I was testing with either the Windows XP or the Linux PPTP client.
Second, while testing this issue, I discovered what appears to be a bug in the Windows 7 x64 PPTP VPN client: if the client fails to connect to the server more than a few times in a row, the underlying PPTP implementation seems to get wedged and refuses to connect at all (immediate RAS error 619) until the client machine is rebooted.
I didn't spot a fix for either issue in any of the hotfixes slated for inclusion in Win7 SP1, so I wanted to make sure this issue was documented somewhere on the web.
Any clues as to why Windows 7 is sending these spurious messages?
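The analysis described in the post above (checking that the ICMP Protocol Unreachable quotes the server's own GRE packet back to the server) and the firewall workaround, as an added Python example that is not part of the original post. All addresses, the call ID and the packet bytes are constructed sample data; the iptables rule is my rendering of the author's "block Protocol Unreachable on the server's firewall" workaround, as the post does not give the exact rule.

```python
"""Classify ICMP Destination Unreachable / Protocol Unreachable messages the way
the sniffer trace in the post was read by hand: does the message, sent to the
PPTP server, quote a GRE (IP protocol 47) packet the server itself sent to the
client?  Added example; all packets below are constructed sample data."""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODE_PROTO_UNREACH = 2
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
IPPROTO_GRE = 47

PPTP_SERVER = "82.0.0.1"    # constructed stand-in for the 82.y.y.y server
CLIENT = "172.16.0.10"      # constructed stand-in for the 172.x.x.x client


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_gre_ppp(call_id: int, seq: int, ppp: bytes) -> bytes:
    """PPTP's enhanced GRE (RFC 2637): K and S flags set, version 1, PPP inside."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, len(ppp), call_id, seq) + ppp


def build_icmp_unreach(code: int, quoted: bytes) -> bytes:
    """ICMP type 3 with the given code, quoting the offending datagram."""
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = inet_checksum(hdr + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a bad header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl or inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("truncated IPv4 header or bad checksum")
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])


def classify_icmp(pkt: bytes, pptp_server: str) -> dict:
    """Decide whether an IPv4 packet is the failure mode from the post: a
    Protocol Unreachable addressed to the PPTP server whose quoted datagram is
    a GRE packet the server sent.  Other packets are reported as such."""
    src, dst, proto, payload = parse_ipv4(pkt)
    result = {"verdict": "ignore"}
    if proto != IPPROTO_ICMP or len(payload) < 8:
        return result
    itype, icode, _, _ = struct.unpack("!BBHI", payload[:8])
    if itype != ICMP_DEST_UNREACH or icode != ICMP_CODE_PROTO_UNREACH:
        return result
    if inet_checksum(payload) != 0:           # whole ICMP message sums to zero
        return {"verdict": "bad-icmp-checksum"}
    try:
        q_src, q_dst, q_proto, q_payload = parse_ipv4(payload[8:])
    except ValueError:
        return {"verdict": "unparseable-quote"}
    result.update(icmp_from=src, icmp_to=dst, quoted_src=q_src,
                  quoted_dst=q_dst, quoted_proto=q_proto)
    if dst == pptp_server and q_src == pptp_server and q_proto == IPPROTO_GRE:
        # The client claims it has no handler for protocol 47 although it holds
        # a PPTP session with us: the spurious message the post describes.
        call_id = struct.unpack("!H", q_payload[6:8])[0] if len(q_payload) >= 8 else None
        result.update(verdict="spurious-gre-proto-unreach", call_id=call_id)
    else:
        result["verdict"] = "other-proto-unreach"
    return result


def iptables_workaround() -> str:
    """Author's workaround as an iptables rule (my rendering, not from the post):
    drop inbound ICMP type 3 code 2 before pptpd or GRE conntrack sees it."""
    return "iptables -I INPUT -p icmp --icmp-type protocol-unreachable -j DROP"


def sample_packets():
    """Constructed traffic: the spurious message and a comparison packet."""
    gre = build_gre_ppp(call_id=0x2A1F, seq=1337, ppp=b"\xff\x03\x00\x21" + b"\x45" + b"\x00" * 7)
    server_to_client = build_ipv4(PPTP_SERVER, CLIENT, IPPROTO_GRE, gre)
    spurious = build_ipv4(CLIENT, PPTP_SERVER, IPPROTO_ICMP,
                          build_icmp_unreach(ICMP_CODE_PROTO_UNREACH, server_to_client))
    udp = build_ipv4(PPTP_SERVER, CLIENT, IPPROTO_UDP, struct.pack("!HHHH", 4000, 69, 8, 0))
    other = build_ipv4(CLIENT, PPTP_SERVER, IPPROTO_ICMP,
                       build_icmp_unreach(ICMP_CODE_PROTO_UNREACH, udp))
    return spurious, other


if __name__ == "__main__":
    for p in sample_packets():
        print(classify_icmp(p, PPTP_SERVER))
    print(iptables_workaround())
```

Run against a live capture, the same classifier distinguishes the case worth dropping (a Protocol Unreachable that quotes our own GRE, from a peer that demonstrably has a session with us) from Protocol Unreachable messages that quote something else, which is why the rule above is deliberately a blanket drop on the PPTP server only and not something to apply on a general-purpose host.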
I have to agree with you and request support in the mentioned case as well.
I have been successfully using Windows 7 x86/x64 desktops at work/home since Microsoft released it in 2009.
A few weeks ago I switched my laptop from an old XP machine to a new one with 7 x64 and am trying to resolve
issues very similar to yours.
Software configurations on both laptops were done by myself from scratch (OS, drivers, apps etc.),
so I'm sure they are similar, drivers/apps are dedicated etc.
My issues are:
- can't establish an active-mode client FTP connection (MS ftp.exe, WinSCP);
  passive mode works well for WinSCP, and I'm sure that the sites can handle active FTP.
- can't connect a TFTP client (Cisco IOS) to the TFTP service running on my W7 laptop (direct connection)
- can't establish a PPTP connection (using the dedicated DrayTek Vigor client as well as the native Windows client!)
Tried stopping the firewall, tried creating rules for FTP, TFTP, PPTP..... (in addition to the existing rules!)
Tried modifying the registry (keys disablestatefulFTP and disablestatefulPPTP),
even tried creating a rule to pass ICMP (for me this has nothing to do with FTP/PPTP), but it's Microsoft so...
Obviously tried on different connections and locations (3G, corporate LAN, home DSL).
Have installed Checkpoint VPN and Cisco VPN and bloody Symantec Endpoint (no FW!), but I'm sure they are not affecting it.
Made an attempt on a clean W7 x64 yesterday and got the same story: no PPTP, no active FTP...
For me it looks like something with the Windows Firewall or some other native Windows service.
Very strange for me is that a similar configuration has worked perfectly since 2008 on my old Windows XP laptop :-/
(with Checkpoint, Cisco and Endpoint installed)
So can someone help?
Thanks in advance!
Hi "Spannerbanner" James,
Thank you, as I just set up a VPN connection on two Windows 7 64-bit machines and I met a lot of 619 errors when establishing the connection or some minutes after connecting. Enabling the built-in Windows firewall works flawlessly.
You did amazing bug research; Microsoft should work on this issue and the word should be spread!
Thank you again, you saved me a lot of time !