Forwarding VPN (PPTP) traffic through RV042 with dual WAN ports.

Unanswered Question
Aug 13th, 2010

Hi,


A long post, so brace yourselves...


We have recently purchased a Cisco RV042 (latest firmware), and there seems to be a problem with forwarding VPN PPTP traffic through the router.



We have two ISPs – One ADSL and one fiber connection. We have customers connecting through both Internet connections (HTTP, HTTPS etc.); hence the router is set to “Load Balance” mode. (Otherwise the port forwarding doesn’t work through both Internet connections at the same time.)


Everything is working fine, port forwarding and all.



There is only one problem:


We have one VPN PPTP server (Mac OS X 10.5.8) located on the LAN.


I have set port forwarding to forward all PPTP traffic (1723) to the VPN server.


And here comes the weird part:


Depending on where you connect from the outside (i.e. from your home ISP) there is always only one of the WAN ports that works for VPN. Never both. I.e. from my home ISP, I can always connect (with VPN) through the WAN1, and others can only connect through WAN2. Always.


All other forwarded traffic (such as HTTP, HTTPS etc.) is reachable from both WAN ports. Always. It is just the VPN that only randomly works through one of the WAN ports.



I’ve checked the VPN logs on the VPN server, and I can see exactly where things go wrong. When a client “phones home”, the incoming call reaches the server:


* Incoming call... Address given to client = 192.168.x.xxx
* Directory Services Authentication plugin initialized
* Directory Services Authorization plugin initialized
* PPTP incoming call in progress from 'XXX.XXX.XXX.XXX'...
[...]


And the server responds, sending an LCP negotiation request, but the client never confirms the request. More accurately, it seems as if the LCP request never reaches the client:


[...]
* sent [LCP ConfReq id=0x1 <asyncmap 0x0> ...
* PPTP hangup
* Connection terminated.
[...]


BTW, a successful connection should look like this (from the LCP):


[...]
* sent [LCP ConfReq id=0x1 <asyncmap 0x0> ...
* rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x247832ff> ...
* lcp_reqci: rcvd unknown option 13
* lcp_reqci: returning CONFREJ.
[...]



I’ve tried everything. From protocol binding to bandwidth management, MTU-size, switching WAN ports on the router, resetting the router, allowing ICMP messages (Block WAN requests), and many other things I could think of.


But I just can’t force the router to always send the LCP session out the same WAN port as the incoming VPN call, unless I unplug one of the WAN cables or switch to “Smart Link Backup”. (But that will void the usage of both WAN ports at the same time, which we absolutely need.)




Any suggestions? Please help!



TIA
/ Cathrine


ps. Before this, we had a Netgear FVX 538 (which unfortunately died), and this worked flawlessly on that router, using both WAN ports simultaneously.
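A log triage sketch for the symptom described in the post above, added here as an example and not part of the original post. PPTP's control call uses TCP 1723 while the PPP frames (including LCP) travel in GRE, so a session that shows only "sent [LCP" lines means the control call arrived but no PPP frames came back from the client. The line format follows the log lines quoted in the post; the sample log and its addresses are constructed, and `classify_sessions` is a hypothetical helper name.

```python
import re

# Constructed sample in the line format quoted in the post (addresses are
# documentation-range placeholders, not values from the thread).
SAMPLE_LOG = """\
* Incoming call... Address given to client = 192.168.1.201
* PPTP incoming call in progress from '203.0.113.10'...
* sent [LCP ConfReq id=0x1 <asyncmap 0x0>]
* sent [LCP ConfReq id=0x1 <asyncmap 0x0>]
* PPTP hangup
* Connection terminated.
* Incoming call... Address given to client = 192.168.1.202
* PPTP incoming call in progress from '198.51.100.7'...
* sent [LCP ConfReq id=0x1 <asyncmap 0x0>]
* rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x247832ff>]
* lcp_reqci: returning CONFREJ.
* Connection terminated.
"""

CALL_FROM = re.compile(r"PPTP incoming call in progress from '([^']+)'")
LCP = re.compile(r"\b(sent|rcvd) \[LCP ")


def classify_sessions(log_text):
    """Return one dict per PPTP session with LCP counters and a verdict."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        if "Incoming call..." in line:
            cur = {"client": None, "sent": 0, "rcvd": 0}
        if cur is None:
            continue  # ignore lines outside a session
        m = CALL_FROM.search(line)
        if m:
            cur["client"] = m.group(1)
        m = LCP.search(line)
        if m:
            cur[m.group(1)] += 1  # count LCP frames per direction
        if "Connection terminated" in line:
            if cur["sent"] and not cur["rcvd"]:
                cur["verdict"] = "control-only: no PPP/GRE frames from client"
            elif cur["rcvd"]:
                cur["verdict"] = "LCP two-way"
            else:
                cur["verdict"] = "no LCP seen"
            sessions.append(cur)
            cur = None
    return sessions


if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_LOG):
        print(s["client"], s["sent"], s["rcvd"], s["verdict"])
```

Grouping the verdicts by client address and by the WAN address each client dialed shows whether the failures track one WAN port per source network, as the post reports.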

Calin Chiorean Wed, 08/18/2010 - 05:25

Hello!


It seems this is a well-known issue with RV series and there isn't a solution that works 100% (or I could not find it).

The reason for this behavior is that your PPTP client is receiving packets from 2 sources, due to the fact that load-balancing is enabled on your RV router.

A possible solution that I saw is to try to bind PPTP traffic to only one interface (WAN1). You'll still have traffic load-balance for other protocols, but not for PPTP.

You can see more about this issue here:

https://supportforums.cisco.com/thread/2022464

I see no reason to copy / paste everything that is in the post above.


Just a personal question, why would you like to load-balance the traffic over these 2 lines? I saw one is ADSL and one fiber. Do they have the same capacity? What about latency?


If the lines are not having approx. the same values, then you may run into problems.


Let me know if this helps!


Calin

CathrineMilton Wed, 08/18/2010 - 06:45

Hi Calin!



Thanks for your reply!


Yes, there seems to be a problem with traffic re-direction and the RV042, RV082 etc. :-P



The reason why the router is set to load balance mode is that we are in a transition period where our clients are starting to use the new(er) fiber connection, whereas most of them still use the ADSL. The only reason why I’ve set the router to Load Balance is that it is the only setting that will allow usage of both WAN ports at the same time.


I’ve already tested the Protocol Binding, forcing PPTP traffic (or all traffic) out one specific WAN port, but that does not change the behavior. The problem persists.



My conclusion is also that the outgoing VPN traffic is seemingly load balanced between the two WAN ports. In my case, it seems as if the (LCP) negotiation is sent out the wrong WAN port.


Though the thing that differs from the thread you posted is that in my case, the connection is never even established, (the LCP negotiation fails according to the VPN server log), or it works all the time. But only through one WAN port from a certain location. (Depending on from where on the outside you connect, it only works through one specific WAN port.)



On many posts there are suggestions that the GRE protocol must be allowed. Problem is, that the protocol binding only binds ports and protocols TCP/IP or UDP. There is no setting to allow GRE or re-direct GRE out one WAN port. (The GRE protocol is only present in the bandwidth management section, which seemingly does nothing in terms of forcing a certain type of traffic out one WAN port.)



Regards
/ Cathrine

filipkohout Tue, 11/11/2014 - 02:32

Any news? I have the same problem.

 

Load Balance mode - crash pptp connection to internal server. (1723 port bound to wan1)
