Issue connecting to VPN
Good Morning,
We offer L2TP connections to our customers, and I have a particular customer who is trying to connect using a Windows 10 machine. It is throwing a connection error, and in the logs I see this:
2021-11-28 11:29:56 Deny 192.168.115.55 198.38.98.157 https/tcp 60149 443 ppp1 Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 2582166836 win 0" src_user=""
He can connect just fine on his iOS devices.
Any ideas?
Comments
So I found some documentation that recommended going to Global Settings and unchecking the "Enable TCP SYN packet and connection state verification". I will try that and let everyone know!
Hi @travis_tmb
Unchecking will stop the firewall from dropping this traffic, but if it's being detected as this, it usually means a piece of the traffic is/was missing to begin with.
You can read more here:
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000XeLhSAK&lang=en_US
I would suggest having the customer check their home router to see if there's anything that might not be allowing VPNs, or checking any option that says to allow VPN pass-thru.
-James Carson
WatchGuard Customer Support
Hi Travis,
I've found that Mac/iOS devices have been fine with L2TP, whereas Windows devices need a bit more prodding to get going, to the point now where we have standardised on setting this regkey before doing any other troubleshooting.
Windows 10/8.1/Vista and Windows Server 2016/2012R2/2008R2 — HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
Windows XP/Windows Server 2003 — HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
Create a DWORD parameter with the name AssumeUDPEncapsulationContextOnSendRule and the value 2
You will need to do a reboot after this.
0 – (a default value) suggests that the server is connected to the Internet without NAT;
1 – the VPN server is behind a NAT device;
2 – both VPN server and client are behind a NAT.
See how you go with this.
Dave.
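Added example, not part of any post in this thread: a PowerShell function that applies the registry setting described in the post above on Windows 10 and reports the previous value. The function name and the output object are illustrative assumptions; it must be run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: sets AssumeUDPEncapsulationContextOnSendRule under PolicyAgent.
# Function name and output shape are illustrative, not from the thread.

function Set-L2tpNatTraversal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0 = no NAT, 1 = VPN server behind NAT, 2 = server and client behind NAT
        [ValidateRange(0, 2)]
        [int]$Value = 2
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $name = 'AssumeUDPEncapsulationContextOnSendRule'

    if (-not (Test-Path -Path $path)) {
        throw "Registry key not found: $path"
    }

    # Read the current value; the value may not exist yet, in which case this is $null.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    $changed = $false
    if ($current -ne $Value) {
        if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $Value")) {
            # -Force creates the value or overwrites an existing one.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
            $changed = $true
        }
    }

    # Report before/after so the change can be recorded and reverted if needed.
    [pscustomobject]@{
        Name           = $name
        Previous       = if ($null -eq $current) { '(not set)' } else { $current }
        Current        = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        RebootRequired = $changed
    }
}

Set-L2tpNatTraversal -Value 2
```

Running it with `-WhatIf` shows the intended change without writing to the registry.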
Hi Dave!
Thanks for your response. The customer was able to get it working after a driver reinstall, I believe. All is working!