I hate gremlins, especially VPN ones.

Markverhyden

Customer of mine contacted me several days ago, remote employee in the Philippines suddenly lost the ability to connect to the USG-3 VPN. Her W10 Pro gives the error “The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer” when trying to launch the connection. Worked fine on both my iMac and on my W10 Pro Lenovo so I'm thinking it's a problem with her machine. Unfortunately she's got really slow speeds, as in 2mb up/down with high latency which complicates things. Then the owner tries to create a VPN connection from his wife's laptop at home, W10 Home. She gets the same error even though VPN was never set up on her laptop before. And I've confirmed this.

Everything's up to date, including firmware, tried new accounts. Searching that error gives suggestions of restarting IKE and IPSec services, enabling LCP extensions, enabling MSCHAP 2, removing and re-installing the NIC, creating the AssumeUDPEncapsulation regkey. All of which have been done with no change. At the moment I'm in the process of rolling back updates. Next I'll have them hardwire the laptop so I can run Tweaking AIO.

Was just wondering if someone has run into this particular error before. Personally I've never had this error.
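The checks the post above lists (IKE/IPsec services, the AssumeUDPEncapsulation registry value, MS-CHAPv2 on the connection) plus the out-of-band update named later in the thread can be gathered in one read-only pass before anything is changed. The script below is an added example, not something posted in this thread or shipped by Microsoft or Ubiquiti; it assumes an elevated PowerShell on the affected Windows 10 client, and the connection name 'CorpVPN' is a placeholder.

```powershell
# Added example (not from the thread): read-only inventory of the L2TP/IPsec client-side
# items discussed above. Nothing here modifies the machine.
# Assumptions: elevated PowerShell on the affected Windows 10 client; 'CorpVPN' is a
# placeholder connection name; KB5010793 is the out-of-band update cited later in the thread.

function Test-L2tpClientPrereqs {
    param(
        [string]$ConnectionName = 'CorpVPN',   # placeholder, replace with the real connection name
        [string]$FixKb = 'KB5010793'          # out-of-band fix mentioned in the thread
    )

    $result = [ordered]@{}

    # 1. Services the built-in L2TP/IPsec client depends on (the "IKE and IPSec services").
    foreach ($svc in 'IKEEXT', 'PolicyAgent', 'RasMan') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result["Service_$svc"] = if ($s) { "$($s.Status) / $($s.StartType)" } else { 'missing' }
    }

    # 2. NAT-T behaviour value (the "AssumeUDPEncapsulation regkey" from the post).
    #    Absent/0 = do not assume NAT, 1 = server behind NAT, 2 = client and server behind NAT.
    $paPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $natT = (Get-ItemProperty -Path $paPath -Name AssumeUDPEncapsulationContextOnSendRule `
             -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
    $result['AssumeUDPEncapsulationContextOnSendRule'] = if ($null -eq $natT) { 'not set (behaves as 0)' } else { $natT }

    # 3. Is the out-of-band fix present? (Get-HotFix only lists updates installed on this machine.)
    $result["Hotfix_$FixKb"] = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

    # 4. The connection's own settings: tunnel type and authentication method
    #    (MS-CHAPv2 is what the post enabled; a mismatch with the USG shows up here).
    $conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if ($conn) {
        $result['TunnelType']           = $conn.TunnelType
        $result['AuthenticationMethod'] = ($conn.AuthenticationMethod -join ',')
        $result['EncryptionLevel']      = $conn.EncryptionLevel
    } else {
        $result['Connection'] = "'$ConnectionName' not found in this user's phonebook"
    }

    [pscustomobject]$result
}

# Usage: run on the affected client and compare with a client that connects successfully.
Test-L2tpClientPrereqs | Format-List
```

Running it on both the failing laptop and a working one and diffing the two outputs narrows the problem to a service, the NAT-T value, a missing update, or the connection's auth settings before any rollback or registry changes are attempted.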
 
Yes, I have... many MANY times.

What's the problem? WHO KNOWS! That's why I stopped relying on L2TP. The protocol is ancient, questionably secure, and utterly intolerant of issues with NAT, and all sorts of other issues on the Internet that come and go as the web does its thing.

To compound the error, the USG you're using is known to just do this at random to people connected too. As you've discovered, the services are "working", but not for this one user. So what's the problem?

Does that user have one of the January updates that causes VPN issues? Did they apply the mitigation update? Are they trying to connect via a connection that has any frame loss?

The reality is the Windows VPN client sucks, it's sucked for decades and relying on it results in the above happening. Use that VPN client for SSTP only, move all workloads off L2TP and onto something that actually works.
 
I've seen some reports that a recent Windows Update broke the Windows 10 VPN client. MS released an out of band update to fix it a few days ago.
 

And on the 17th out of band updates were provided, so just update your stuff. That's why I didn't list the KB number, removing it is no longer appropriate. Installing KB5010793 is the appropriate action here: https://support.microsoft.com/en-us...-of-band-f2d4f178-5b36-49cb-a6fd-4bf9857574f9

And you'd get that if you just click the update windows button.

And NONE of the above excuses using L2TP in production anyway, it's a horrible protocol that's fault prone for a horde of reasons. Upgrade to better tech, or forever be chasing stuff like this that makes your hair fall out.
 
And NONE of the above excuses using L2TP in production anyway, it's a horrible protocol that's fault prone for a horde of reasons. Upgrade to better tech, or forever be chasing stuff like this that makes your hair fall out.
I've got customers who have Meraki and UniFi equipment and a handful of them use the Windows client VPN that uses L2TP and has been affected by this. I believe the client VPN instructions from both companies specify L2TP. What do you recommend as a replacement (keeping the current Meraki or UniFi equipment)?
 
I've got customers who have Meraki and UniFi equipment and a handful of them use the Windows client VPN that uses L2TP and has been affected by this. I believe the client VPN instructions from both companies specify L2TP. What do you recommend as a replacement (keeping the current Meraki or UniFi equipment)?
Meraki users can use Cisco Anyconnect VPN client, which is vastly more stable than Windows's VPN client.

Unifi is out in the weeds, never should be used for VPN lifting ever, too unstable, too many problems.

A real UTM with actual VPN options is what should be deployed, OR you do SDLAN (ZeroTier, Todyl, etc.) and install an agent on all machines to mesh them that way. I really think the latter is probably the best option these days in terms of ease.

The problem is all of this new age stuff while "easy", and "ticks the boxes" of security doesn't actually secure anything. History is quite clear in that we know we cannot ever trust software running on a device a user has control over, triply so if that user has admin rights. UTMs are about making safer bastions, and they do that by monitoring traffic as a neutral 3rd party observer. This latter process is frustrated by TLS and the nature of the modern web but it doesn't change that fact.

Which is why the distant future aims to eliminate VPN entirely. When you've got SSO properly deployed, and appropriately hardened cloud services doing all the lifting, the entirety of the Internet may as well be your LAN. Because once again, the problem isn't encryption, the problem is authentication. SSO addresses this need in a much more cohesive way than VPN typically does. And if your VPN does SSO too, that's great but that's also a duplication of effort.

I prefer OpenVPN or Wireguard when I need VPN as protocols. If I want something that's truly independent, these are the tools I reach for. I use my RMM to manage the VPN clients themselves.

Windows VPN client works well if you deploy an SSTP server when you need it, but that requires a Windows Server somewhere. Perhaps in Azure? Then the Unifi / whatever can IPSec into Azure to build the final bridge. Or again... you ZeroTier it.

There are 1000 ways to slice this up.
 
Bummer:

From https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance

There are certain caveats to keep in mind before enabling AnyConnect:

Supported MX models: MX600, 450, 400, 250, 105, 100, 95, 85, 84, 75, 68, 67, Z3, vMX

Not supported: MX64, MX65, MX80, 90, 60, Z1 - (the AnyConnect Settings page will not be visible on Dashboard for these models)
None of my sites use a supported model.
 