  1. #1 jcoehoorn (Untangle Ninja; joined Mar 2010; York, NE; 1,669 posts)

    IPSec connection causes UVM restart, maybe physical server restart

    I have a Lenovo RD330 Untangle server (as per my current signature) handling internet traffic for about 500 users at a small college. A handful of staff (currently 4, including myself) have laptops with IPSec VPN connections set up.

    We don't use these connections much. One of the users doesn't even know he has it; it's only there for troubleshooting and I'll walk him through the connection over the phone. Another one is me, and if I need it I have other ways I'm more likely to use. Another only uses it when she travels, if she needs it, which only happens a handful of times per year. In short, the VPN service spends the vast majority of its time idle.

    Recently, whenever someone does try to connect, they will have access for a minute or so before they lose internet access and the connection drops. A few minutes later, I'll get an alert that our WAN connection was offline. Some detective work has shown me the UVM has restarted, along with some other things consistent with a server or OS reboot (I think maybe just the OS; the IMM module on this server takes about 5 minutes to load, so a real server reboot would create a longer outage).

    In short, connecting to the VPN service causes our server to not be available at all to process traffic for about 2 minutes, and all internet access on campus is down during that time.

    [attachment: vpn drop.png]

    What could be going on here?

    I did create a ticket with Untangle a few weeks back, but we came to a place where I needed to recreate the event so they could watch it... and it's not okay for me to take down our whole internet connection on demand, so the ticket is closed for now. I may open a new one over the summer, when I can get away with that kind of thing. But in the meantime I do have a user wanting to connect.

    Some IPSec options:
    Unique IDs: Yes
    Bypass: Yes
    Tunnels: No tunnels configured; this is for end users, rather than between sites/branches.
    Enable L2TP/XAuth/IKEv2: Yes
    L2TP Pool: 10.81.0.0/16
    XAuth Pool: 10.82.0.0/16
    Custom DNS: 10.1.1.11,10.1.1.27 ( our internal DNS servers )
    IPsec Secret: yeah, right
    Allow concurrent Logins: Yes
    Using RADIUS auth, which I can test and see good authentications
    Listen address: NOT our usual public IP, but is set for one we control and is routed properly.

    I'll edit the post after saving to attach some logs... or not. The ipsec log, even pruned to the relevant section, exceeds my 19.5Kb upload limit (it's 37Kb). The l2tp log is attached, though. I'll come back after lunch and try to find a way to include the ipsec portion.

    One additional note: the laptops causing the problem are all domain-joined and connect over wifi. My personal home desktop, not joined to the domain and connected at home via a wired link, does not seem to cause the problem. The VPN can stay up and stable for hours.

    [attachment: l2tp.txt]
    Last edited by jcoehoorn; 02-20-2019 at 07:10 PM. Reason: attach logs
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.1.1 to protect 500Mbits for ~400 residential college students and associated staff and faculty

  2. #2 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 23,276 posts)

    Do you have directory connector enabled? The domain joined machines will attempt to authenticate via domain credentials automatically, even if others are specified in the client configuration. This repeated authentication might be conflicting with something if the VPN usernames are the same as domain usernames. I've had issues in the past where this results in AD locking out accounts.

    I'm just grasping at straws here, I have no idea why that would cause a crash. The only other thing I can think of is to have you verify your L2TP and IKE address pools, those have to be unique IP ranges and duplication there could cause a routing problem.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3 jcoehoorn (Untangle Ninja; joined Mar 2010; York, NE; 1,669 posts)

    We do have directory connector, and radius is also configured to talk to AD such that usernames are the same, but I don't see this causing a crash. It's set this way because I don't want to manually manage VPN accounts or clients. I want to be able to pull a roaming laptop off the shelf to hand to a random faculty member travelling to a conference and know that the VPN client and account for that person are already correct.

    I'm extremely sure the address ranges are unique. All our VLANs here are /16s in the form 10.x.0.0 (or will be soon), where the x is the VLAN id. Yes, this limits me to 256 VLANs rather than the normal 4094, but I'm only actually using about 20 right now. Nothing else comes close to 81, 82, or 83.
    Last edited by jcoehoorn; 02-20-2019 at 01:36 PM.
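    The pool-uniqueness check sky-knight asks for in #2, applied to the 10.x.0.0/16-per-VLAN scheme described in #3, as an added example that is not part of the thread and not Untangle's own code. The VLAN ids (1 to 20) and the deliberately colliding pools in the second run are constructed sample values; the 10.81.0.0/16 and 10.82.0.0/16 pools are the ones from the original post.

```python
import ipaddress
from itertools import combinations


def vlan_subnet(vlan_id):
    """Subnet for a VLAN under the 10.x.0.0/16 scheme from the thread.
    Only x in 0..255 fits, which is the 256-VLAN limit jcoehoorn mentions."""
    if not 0 <= vlan_id <= 255:
        raise ValueError(f"VLAN id {vlan_id} does not fit the 10.x.0.0/16 scheme")
    return ipaddress.ip_network(f"10.{vlan_id}.0.0/16")


def find_overlaps(named_ranges):
    """Return every pair of labels whose address ranges overlap.
    named_ranges maps a label to a CIDR string. An empty list means the VPN
    pools are unique with respect to each other and to every VLAN subnet."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in named_ranges.items()}
    return sorted((a, b)
                  for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
                  if na.overlaps(nb))


def build_ranges(vlan_ids, l2tp_pool, xauth_pool):
    """Combine the VLAN subnets with the two IPsec address pools."""
    ranges = {f"vlan{v}": str(vlan_subnet(v)) for v in vlan_ids}
    ranges["l2tp_pool"] = l2tp_pool
    ranges["xauth_pool"] = xauth_pool
    return ranges


if __name__ == "__main__":
    # Constructed sample: VLANs 1..20, pools as configured in the original post.
    ok = build_ranges(range(1, 21), "10.81.0.0/16", "10.82.0.0/16")
    print("overlaps:", find_overlaps(ok))
    # Constructed misconfiguration: the L2TP pool collides with VLAN 5, and the
    # XAuth pool is carved out of the same /16, so it collides with both.
    bad = build_ranges(range(1, 21), "10.5.0.0/16", "10.5.128.0/17")
    print("overlaps:", find_overlaps(bad))
```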

  4. #4 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 23,276 posts)

    Given your history, I assumed as much; just covering the basics. Other than support's involvement I'm not sure what to suggest, other than perhaps a nuke and pave of Untangle to remove potential upgrade corruption.

  5. #5 Newbie (joined Jun 2016; 10 posts)

    Just for kicks and grins, have you considered trying OpenVPN instead of IPSec? I use both on my networks, and in most cases have found OpenVPN to be faster and more stable. It does require installing a client on your road warriors' laptops, but aside from that it is pretty easy to configure and use. May be worth a shot.

  6. #6 jcoehoorn (Untangle Ninja; joined Mar 2010; York, NE; 1,669 posts)

    I used OpenVPN several years back, but given our use patterns I got tired of needing to re-issue the client for my users after UT upgrades, needing to have separate user accounts for those people rather than letting them use their AD credentials (and controlling access via RADIUS and AD group memberships), finding an out-of-date client on a laptop when I really needed it, etc.

    Basically, OpenVPN was just too much admin busy-work, where IPSec until recently was setup-and-forget. It'd be nice to hear those things are better now for OpenVPN.

  7. #7 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 23,276 posts)

    OpenVPN doesn't have as much iteration on the certificate side, but you do still have client version upgrade issues and configuration issues. The latter two can be managed pretty well via an RMM tool, but it's still more work than just letting Microsoft update you with Windows.

    Honestly, if you have AD running I'm sort of wondering why you haven't just deployed SSTP. Slap a certificate in IIS somewhere and move on: a TCP 443 VPN that's more secure and robust than L2TP will ever be.
    Last edited by sky-knight; 02-20-2019 at 07:43 PM.

  8. #8 jcoehoorn (Untangle Ninja; joined Mar 2010; York, NE; 1,669 posts)

    Originally posted by sky-knight:
        if you have AD running I'm sort of wondering why you haven't just deployed SSTP.
    I may try this. Our use of Untangle for VPN goes back to when Server 2003 was still current here. SSTP wasn't a good option then.

  9. #9 jcoehoorn (Untangle Ninja; joined Mar 2010; York, NE; 1,669 posts)

    The plot thickens.

    I wanted to verify my home desktop really was as stable as I believed, so I went back to test it. Connect to the VPN: fine. Play about 20 minutes of Counter-Strike: Source over the link. Fine, except for the extra latency. Remote desktop to a server, do some work there. Fine. I even updated the original post with the interface image showing downtime from a VPN drop and added my other recent reply to the thread, while connected through the VPN link.

    Then I try to copy a 40Mb file over the link. BOOM: connection drops. Oops: I didn't really expect that, but it's done, time to move on. I disconnect, see this trying to load the Untangle interface (I live across the street from work, can sometimes get campus wifi from my porch):

    [attachment: vpn restart.png]

    My normal use of the VPN is for remote desktop, from my desktop. But my other users only want it for opening network files. So that's likely the real difference, rather than domain-joined or not, or wired vs wireless: some SMB weirdness, or maybe even just throughput.
    Last edited by jcoehoorn; 02-20-2019 at 07:57 PM.

  10. #10 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 23,276 posts)

    That sure looks like a UVM crash.

    If you look in /var/log/uvm, you should see .crash files. These things are usually indicators of hardware issues...
    Last edited by sky-knight; 02-20-2019 at 07:46 PM.
