Security, WIDS/WIPS and Aruba ECS

Reply
MVP
Posts: 517
Registered: ‎05-11-2011

Issue with Microsoft VPN and 3600 controller

Hello,

3600 controller with PEF.

we have two separate cases now where visitors in the authenticated guest profile are unable to connect to their home network through Microsoft VPN client using PPTP. It stops on the "authenticating username and password".

We've added the vpn policy to the guest profile as earlier described in this forum, but no luck. While testing we also added "any any any allow-all", and still no luck.

Any one else had issues with this and can point us in the right direction?

This is pasted in from the Firewall Hits section:


Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
guest VPN-clients custom any any svc-gre permit 26 6274 10000
guest VPN-clients custom user any svc-ike permit 200 1708 10001
guest VPN-clients custom any any svc-pptp permit 36 162 10002
guest VPN-clients custom user any 6 17-17 permit 0 16 10003
guest VPN-clients custom user any 17 51-51 permit 0 3152 10004
guest VPN-clients custom user any 17 4500-4500 permit 614 614 10005
guest VPN-clients custom user any 6 10000-10001 permit 6 6 10006
guest VPN-clients custom user any 17 10000-10001 permit 44 105 10007
guest VPN-clients custom any any svc-l2tp permit 2 2 10008
guest VPN-clients custom user any svc-esp permit 0 6 10009

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Issue with Microsoft VPN and 3600 controller

What version of ArubaOS is this and what device is being used to nat users out to the internet?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 517
Registered: ‎05-11-2011

Re: Issue with Microsoft VPN and 3600 controller

v. 5.0.3.1
The Aruba Controller does the nat'ing

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Issue with Microsoft VPN and 3600 controller

Please open a support case. We might have an issue with pptp on your version of code, when the Aruba controller is doing the natting. To work around it in the short term, you should have another device do the natting, if that is possible.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 517
Registered: ‎05-11-2011

Re: Issue with Microsoft VPN and 3600 controller

We found a reference to this issue in the release notes for 5.0.3.3 where it said that the controller no longer stops PPTP. So we're upgradeing to 5.0.3.3 to see if that solves our problem.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor II
Posts: 14
Registered: ‎02-14-2011

Issue with Microsoft VPN and 3600 controller

John,

Possibly related - are the client devices you are running into VPN issues with running Windows 7?

If so, and the ArubaOS code upgrade does not fix your issue, you might want to have the end user check their VPN connection configuration. Locate your "VPN Connection XXXX" and select Properties for the connection. Select the Security tab and under "Type of VPN" review whether it is set up as Automatic or Point-To-Point Tunneling Protocol (PPTP). If it's set to Automatic, have the user attempt changing it to PPTP specifically and try to connect.

I just ran into the symptom you describe (stops at "authenticating username and password") with 2 different PPTP VPNs while attempting access from a Windows 7 host. The problem was unrelated to the underlying infrastructure (Aruba, LAN/wifi, etc) but specifically the issue is with Windows 7's VPN type detection logic, "Automatic" doesn't appear to work all that well, but choosing the specific type cleared up the problem immediately.
MVP
Posts: 517
Registered: ‎05-11-2011

Re: Issue with Microsoft VPN and 3600 controller

Still the same problem. This isn't limited to Windows 7 or Windows XP - we now have clients with this issue on Mac. We've tried automatic and chosen Type VPN to PPTP.

We have upgraded to 5.0.3.3, but that didn't help.

It's about to blow up in our face, and Aruba TAC isn't very helpful..

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Issue with Microsoft VPN and 3600 controller

At any time you can certainly have the case escalated if you feel TAC is not being helpful.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee
Posts: 5
Registered: ‎09-28-2009

Re: Issue with Microsoft VPN and 3600 controller

This will work if we downgrade to 5.0.2.1. We have seen similar issue and reported to Engineering team.This is going to be fixed in 6.0.2.0. Patch requests has been raised for 5.x and 6.x streams.

Regards
Sathyan
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Issue with Microsoft VPN and 3600 controller

Groovy, got same issue here, MC800 , the controller normally does the nat'ing i wondered why SSLVPN or IPSEC is working fine outside. but no pptp, not xp also not win7 , also not changing to direct PPTP setting instead of "automatic".

so we are on 5.0.3.3 , anyone solved this in 5.0.3.3, well i had plan to let some other appliance does the NAT job instead of the aruba controller.

regards
Search Airheads
Showing results for 
Search instead for 
Did you mean: