VPN RDP not working any more after upgrading to 7.502

RaimundG · #1 (**permalink**) 01-30-2010, 03:55 PM

Dear Forum users,

i upgraded my ASP 110 to Firmware 7.502 and since then, RDP for VPN users ist not working any more for Server 192.168.0.11.

After dial into the Astaro, a VPN user can only reach the astaro (192.168.0.1) and the DHCP server (192.168.0.10), but no other ip is reachable for the VPN users. Also, no ping for other ips is possible (printers etc)

Packet filters are set to enable ping and terminal serivces, the log says for RDPing 192.168.0.11:

Packet filter rule #3 TCP
192.168.0.40 (VPN user):61982→192.168.0.11(RDP server): 3389 [SYN] len=52 ttl=127 tos=0x00 srcmac=-------- dstmac=----

Furthermore, i am able to ping the VPN Client 192.168.0.40 from 192.168.0.10, but not from .0.11.

Does anyone have a clue about this?

BAlfson · #2 (**permalink**) 01-31-2010, 02:52 PM

Your VPN subnet shouldn't overlap with any other net; in particular, it shouldn't overlap with 'Internal (Network)'. Prior to V7.5, a bug allowed this setup to work. Before the upgrade, you could have confirmed the problem by trying to VPN in simultaneously with two different devices under the same username - both would have been assigned the same IP by your DHCP.

The solution is to use the appropriate VPN Pool instead of the DHCP service for the devices in your 'Internal (Network)'. You likely will need to configure the 'Advanced' tab. Probably also add 'VPN Pool (PPTP/L2TP)' to 'Allowed networks' for DNS, NTP, HTTP/S and FTP Proxies. And IM/P2P. Probably add packet filter rules.

Cheers - Bob

RaimundG · #3 (**permalink**) 02-01-2010, 12:31 PM

Thanks for your answer!

I found out what the problem was: a missing NAT-rule for VPN-Users -> Internal Network.

Somehow this rule, if it existed before upgrading to 7.502, must have been deleted or it worked before without it. Dont know why, but now it works.

Whity · #4 (**permalink**) 02-01-2010, 12:52 PM

Never had to create NAT rule for the VPN network myself.

That anyway has not to be NAT'ed because both nets are attached to the same Firewall (The VPN net and the internal net)

BAlfson · #5 (**permalink**) 02-01-2010, 03:15 PM

Raimund, Apparently, you have only a very few users (ASG110), so you probably can get away with this workaround to the problem I tried to explain in my post above.

In your situation, the only downside would be that all traffic through the VPN to devices in 'Internal (Network)' will appear to originate from 'Internal (Address)' instead of from the IP assigned by your DHCP.

I wouldn't recommend this solution to anyone with a larger installation.

Cheers - Bob

madifor · #6 (**permalink**) 02-08-2010, 11:38 AM

Raymund,
When you check your Internal Network devices , is their default-gateway pointing to the ASG or to a different gateway.
If the default-gateway is not pointing to the ASG, perhaps a solution is to make a static route for your VPN pool pointing to the LAN address of your ASG.

regards