ssh and rdp session drops when using Access List

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

ssh and rdp session drops when using Access List

Post by mstenz » Thu Jan 05, 2017 2:13 pm

Hi,

I started using access lists, and since then running RDP and SSH sessions over the VPN tunnel are periodically dropped. I have already added a rule that allows all traffic where "TCP Connection State" is Established. I also allowed ports 22 and 3389.
Any idea what that might be?
Thank you for your help.

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Fri Jan 06, 2017 1:22 pm

No idea?

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: ssh and rdp session drops when using Access List

Post by moatazelmasry » Sat Jan 07, 2017 3:07 pm

Please post your server_config.

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Sat Jan 07, 2017 4:10 pm

I cannot post my whole server config; what are you interested in?

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: ssh and rdp session drops when using Access List

Post by moatazelmasry » Sat Jan 07, 2017 6:35 pm

The access list and the SecureNAT/bridge settings.

Also, please post the log file.

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Sat Jan 07, 2017 6:41 pm

Hi,

This is the requested part of the config:

declare AccessList
{
declare 1
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState true
uint Delay 0
string DestIpAddress 0.0.0.0
uint DestPortEnd 0
uint DestPortStart 0
string DestSubnetMask 0.0.0.0
string DestUsername $
bool Discard false
bool Established true
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note allow_established
uint Priority 1
uint Protocol 6
string RedirectUrl $
string SrcIpAddress 0.0.0.0
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 0.0.0.0
string SrcUsername $
}
declare 2
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState false
uint Delay 0
string DestIpAddress 0.0.0.0
uint DestPortEnd 0
uint DestPortStart 0
string DestSubnetMask 0.0.0.0
string DestUsername $
bool Discard false
bool Established false
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note allow_ping
uint Priority 2
uint Protocol 1
string RedirectUrl $
string SrcIpAddress 0.0.0.0
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 0.0.0.0
string SrcUsername $
}
declare 3
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState false
uint Delay 0
string DestIpAddress 0.0.0.0
uint DestPortEnd 0
uint DestPortStart 0
string DestSubnetMask 0.0.0.0
string DestUsername $
bool Discard false
bool Established false
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note allow$20all$20from$20VPNGW
uint Priority 3
uint Protocol 0
string RedirectUrl $
string SrcIpAddress x.x.x.x
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 255.255.255.255
string SrcUsername $
}
declare 4
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState false
uint Delay 0
string DestIpAddress 255.255.255.255
uint DestPortEnd 68
uint DestPortStart 67
string DestSubnetMask 255.255.255.255
string DestUsername $
bool Discard false
bool Established false
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note dhcp
uint Priority 4
uint Protocol 17
string RedirectUrl $
string SrcIpAddress 0.0.0.0
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 0.0.0.0
string SrcUsername $
}
declare 5
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState false
uint Delay 0
string DestIpAddress 0.0.0.0
uint DestPortEnd 22
uint DestPortStart 22
string DestSubnetMask 0.0.0.0
string DestUsername $
bool Discard false
bool Established false
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note only$20Port$2022
uint Priority 100
uint Protocol 6
string RedirectUrl $
string SrcIpAddress 0.0.0.0
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 0.0.0.0
string SrcUsername $
}
declare 6
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState false
uint Delay 0
string DestIpAddress 0.0.0.0
uint DestPortEnd 3389
uint DestPortStart 3389
string DestSubnetMask 0.0.0.0
string DestUsername $
bool Discard false
bool Established false
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note 3389$20RDP
uint Priority 101
uint Protocol 6
string RedirectUrl $
string SrcIpAddress 0.0.0.0
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 0.0.0.0
string SrcUsername $
}
declare 7
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState false
uint Delay 0
string DestIpAddress 0.0.0.0
uint DestPortEnd 80
uint DestPortStart 80
string DestSubnetMask 0.0.0.0
string DestUsername $
bool Discard false
bool Established false
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note HTTP$20(80)
uint Priority 102
uint Protocol 6
string RedirectUrl $
string SrcIpAddress 0.0.0.0
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 0.0.0.0
string SrcUsername $
}
declare 8
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState false
uint Delay 0
string DestIpAddress 0.0.0.0
uint DestPortEnd 443
uint DestPortStart 443
string DestSubnetMask 0.0.0.0
string DestUsername $
bool Discard false
bool Established false
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note HTTPS$20(443)
uint Priority 103
uint Protocol 6
string RedirectUrl $
string SrcIpAddress 0.0.0.0
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 0.0.0.0
string SrcUsername $
}
declare 9
{
bool Active true
bool CheckDstMac false
bool CheckSrcMac false
bool CheckTcpState false
uint Delay 0
string DestIpAddress 0.0.0.0
uint DestPortEnd 0
uint DestPortStart 0
string DestSubnetMask 0.0.0.0
string DestUsername $
bool Discard true
bool Established false
bool IsIPv6 false
uint Jitter 0
uint Loss 0
string Note deny_all
uint Priority 999999999
uint Protocol 0
string RedirectUrl $
string SrcIpAddress x.x.x.0
uint SrcPortEnd 0
uint SrcPortStart 0
string SrcSubnetMask 255.255.255.0
string SrcUsername $
}
}
declare AdminOption
{
uint allow_hub_admin_change_option 0
uint deny_bridge 1
uint deny_change_user_password 0
uint deny_empty_password 0
uint deny_hub_admin_change_ext_option 0
uint deny_qos 0
uint deny_routing 0
uint max_accesslists 0
uint max_bitrates_download 0
uint max_bitrates_upload 0
uint max_groups 0
uint max_multilogins_per_user 1
uint max_sessions 0
uint max_sessions_bridge 0
uint max_sessions_client 0
uint max_sessions_client_bridge_apply 0
uint max_users 0
uint no_access_list_include_file 0
uint no_cascade 0
uint no_change_access_control_list 0
uint no_change_access_list 0
uint no_change_admin_password 0
uint no_change_cert_list 0
uint no_change_crl_list 0
uint no_change_groups 0
uint no_change_log_config 0
uint no_change_log_switch_type 0
uint no_change_msg 0
uint no_change_users 0
uint no_delay_jitter_packet_loss 0
uint no_delete_iptable 0
uint no_delete_mactable 0
uint no_disconnect_session 0
uint no_enum_session 0
uint no_offline 0
uint no_online 0
uint no_query_session 0
uint no_read_log_file 0
uint no_securenat 0
uint no_securenat_enabledhcp 0
uint no_securenat_enablenat 0
}
declare CascadeList
{
}
declare LogSetting
{
uint PacketLogSwitchType 4
uint PACKET_LOG_ARP 0
uint PACKET_LOG_DHCP 1
uint PACKET_LOG_ETHERNET 0
uint PACKET_LOG_ICMP 0
uint PACKET_LOG_IP 0
uint PACKET_LOG_TCP 0
uint PACKET_LOG_TCP_CONN 1
uint PACKET_LOG_UDP 0
bool SavePacketLog true
bool SaveSecurityLog true
uint SecurityLogSwitchType 4
}

Which log files do you need? I have different ones. Please note that I run ~100 Virtual Hubs on that server. I have the access list enabled on only one hub.

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Sat Jan 07, 2017 6:43 pm

Here is the SecureNAT part:

declare Option
{
uint AccessListIncludeFileCacheLifetime 30
uint AdjustTcpMssValue 0
bool ApplyIPv4AccessListOnArpPacket false
bool BroadcastLimiterStrictMode false
uint BroadcastStormDetectionThreshold 0
uint ClientMinimumRequiredBuild 0
bool DisableAdjustTcpMss false
bool DisableCheckMacOnLocalBridge false
bool DisableCorrectIpOffloadChecksum false
bool DisableHttpParsing false
bool DisableIPParsing false
bool DisableKernelModeSecureNAT false
bool DisableUdpAcceleration true
bool DisableUdpFilterForLocalBridgeNic false
bool DisableUserModeSecureNAT false
bool DoNotSaveHeavySecurityLogs false
bool DropArpInPrivacyFilterMode true
bool DropBroadcastsInPrivacyFilterMode true
bool FilterBPDU false
bool FilterIPv4 false
bool FilterIPv6 false
bool FilterNonIP false
bool FilterOSPF false
bool FilterPPPoE false
bool ManageOnlyLocalUnicastIPv6 true
bool ManageOnlyPrivateIP true
uint MaxLoggedPacketsPerMinute 0
uint MaxSession 0
bool NoArpPolling false
bool NoDhcpPacketLogOutsideHub true
bool NoEnum true
bool NoIpTable false
bool NoIPv4PacketLog false
bool NoIPv6AddrPolling false
bool NoIPv6DefaultRouterInRAWhenIPv6 true
bool NoIPv6PacketLog false
bool NoLookBPDUBridgeId false
bool NoMacAddressLog true
bool NoManageVlanId false
bool NoSpinLockForPacketDelay false
bool RemoveDefGwOnDhcpForLocalhost true
uint RequiredClientId 0
uint SecureNAT_MaxDnsSessionsPerIp 0
uint SecureNAT_MaxIcmpSessionsPerIp 0
uint SecureNAT_MaxTcpSessionsPerIp 0
uint SecureNAT_MaxTcpSynSentPerIp 0
uint SecureNAT_MaxUdpSessionsPerIp 0
string VlanTypeId 0x8100
bool YieldAfterStorePacket false
}
declare SecureNAT
{
bool Disabled false
bool SaveLog true

declare VirtualDhcpServer
{
string DhcpDnsServerAddress 0.0.0.0
string DhcpDnsServerAddress2 0.0.0.0
string DhcpDomainName $
bool DhcpEnabled true
uint DhcpExpireTimeSpan 7200
string DhcpGatewayAddress 0.0.0.0
string DhcpLeaseIPEnd x.x.x.200
string DhcpLeaseIPStart x.x.x.50
string DhcpPushRoutes <deleted>
string DhcpSubnetMask 255.255.255.0
}
declare VirtualHost
{
string VirtualHostIp x.x.x.250
string VirtualHostIpSubnetMask 255.255.255.0
string VirtualHostMacAddress 00-AC-45-A7-92-A9
}
declare VirtualRouter
{
bool NatEnabled false
uint NatMtu 1500
uint NatTcpTimeout 1800
uint NatUdpTimeout 60
}
}

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: ssh and rdp session drops when using Access List

Post by thisjun » Thu Feb 02, 2017 5:03 am

If the discarding rule is deleted, is the communication stable?

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Thu Feb 02, 2017 9:46 am

Yes.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: ssh and rdp session drops when using Access List

Post by thisjun » Thu Feb 23, 2017 5:47 am

Is the SecureNAT used for unstable RDP communication?

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Thu Feb 23, 2017 8:03 am

What do you mean by "unstable RDP"? SecureNAT is used only at one Virtual Hub (the one users dial in to). Then there is an L3 switch that connects the other Virtual Hubs together.

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: ssh and rdp session drops when using Access List

Post by cedar » Thu Feb 23, 2017 9:08 am

When the connection drops, is the connection from a VPN client to another client on another hub via the virtual L3 switch?

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Thu Feb 23, 2017 9:10 am

The connection is from a VPN client dialed in at VirtualHubA. From there, there is an L3 connection to a server in VirtualHubB.
The RDP connection is from the client to the server. If I configure my access list as described in VirtualHubA, then there are connection drops after some time. If the access list fully allows everything in VirtualHubA, there are no connection drops.

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: ssh and rdp session drops when using Access List

Post by cedar » Thu Feb 23, 2017 9:17 am

Did the RDP server connect to VirtualHubB as a VPN client?
Or is VirtualHubB local-bridged to a LAN that is connected to the RDP server?

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Thu Feb 23, 2017 9:21 am

VirtualHubB is bridged.
I have one VirtualHub where users dial in (VirtualHubA) and about 100 other VirtualHubs, all in bridged mode, where the servers are sitting, and all are connected with L3 (virtual switches).
As written, I don't have any issue with that setup. It has run that way for more than 2 years. Only when I enable rules in the access list, after some time the RDP connection gets disconnected and needs a manual reconnect. The VPN tunnels themselves from all VirtualHubs are stable all the time (there are no network disconnects or similar).

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: ssh and rdp session drops when using Access List

Post by thisjun » Wed Mar 08, 2017 6:26 am

I think failure of DHCP renewal is the cause of the problem.
So, please allow DHCP packets, not only broadcast ones.

mstenz
Posts: 42
Joined: Wed Mar 19, 2014 9:36 pm

Re: ssh and rdp session drops when using Access List

Post by mstenz » Wed Mar 08, 2017 4:51 pm

Hi,

I have changed the DHCP rule to "apply to all destination addresses" instead of 255.255.255.255/255.255.255.255.
It seems this fixed the issue.
I will monitor this for a while, but it looks good for now.
Thx.
Rgds.
Michael
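To illustrate the diagnosis and the fix in the two posts above, here is an added Python model (not SoftEther's code) of how a Virtual Hub access list is evaluated: lowest Priority value first, first match decides, unmatched packets pass. The rule fields are taken from the posted list, while the 10.0.0.x addresses and the sample packets are constructed stand-ins for the x.x.x.x values in the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    note: str
    priority: int
    protocol: int = 0                # 0 = any, 1 = ICMP, 6 = TCP, 17 = UDP
    dst: str = "0.0.0.0/0.0.0.0"     # DestIpAddress/DestSubnetMask, 0.0.0.0 mask = any
    ports: tuple = (0, 0)            # DestPortStart/DestPortEnd, (0, 0) = any
    established: bool = False        # CheckTcpState true + Established true
    discard: bool = False

@dataclass
class Packet:
    protocol: int
    dst_ip: str
    dst_port: int = 0
    tcp_established: bool = False    # False for a bare SYN

def matches(rule, pkt):
    if rule.protocol not in (0, pkt.protocol):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.ports != (0, 0) and not rule.ports[0] <= pkt.dst_port <= rule.ports[1]:
        return False
    return not rule.established or pkt.tcp_established

def decide(rules, pkt):
    """Return (rule note, action). Rules are checked in ascending Priority;
    the first match decides, and a packet matching no rule is passed."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.note, "discard" if rule.discard else "pass"
    return "no-match", "pass"

# The posted list; the source-based rule 3 is omitted here and deny_all is
# simplified to match any source.
POSTED = [
    Rule("allow_established", 1, 6, established=True),
    Rule("allow_ping", 2, 1),
    Rule("dhcp", 4, 17, dst="255.255.255.255/255.255.255.255", ports=(67, 68)),
    Rule("only Port 22", 100, 6, ports=(22, 22)),
    Rule("3389 RDP", 101, 6, ports=(3389, 3389)),
    Rule("deny_all", 999999999, discard=True),
]
# The fix from the thread: the DHCP rule applies to all destination addresses.
FIXED = [Rule("dhcp", 4, 17, ports=(67, 68)) if r.note == "dhcp" else r for r in POSTED]

DHCP_DISCOVER = Packet(17, "255.255.255.255", 67)   # constructed: broadcast
DHCP_RENEW = Packet(17, "10.0.0.250", 67)           # constructed: unicast to the virtual DHCP server
RDP_SYN = Packet(6, "10.0.1.20", 3389)              # constructed: new RDP connection
RDP_DATA = Packet(6, "10.0.1.20", 3389, tcp_established=True)
```

With the posted list the unicast lease renewal hits deny_all, so the lease eventually expires and the client loses its address, while with the fixed list it matches the dhcp rule like the broadcast DISCOVER does.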
