Softether Limitation

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Softether Limitation

Post by claudelu » Mon Mar 23, 2020 4:01 pm

Hi there!
I have a Client - Server SE VPN environment (version provided in the attachment) which has been running for some years now.

Until now I didn't need too many VPN Client connections. Lately we have the following problem:

We are constantly using 10+ SE VPN Client connections.
The problem starts from the 11th connection.
Repro steps:
- the 11th (or later) connection is incoming;
- connection is established successfully on both SE Client and Server;
- Network Settings (DHCP) are requested but not received;
- if the same user starts the connection among the first 10 -> everything is OK;

Can someone please tell me if there is an SE limitation (to 10 concurrent connections)?
Or point me to what I need to change if there is an option active somewhere?

Regards!

centeredki69
Posts: 250
Joined: Wed Sep 18, 2013 1:49 pm

Re: Softether Limitation

Post by centeredki69 » Mon Mar 23, 2020 6:56 pm

It sounds like the DHCP server is out of IP address leases to allocate.
If using "SecureNAT/Virtual DHCP", verify the amount allowed under "SecureNAT settings". If using "local bridge", verify the local DHCP server limit.

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Tue Mar 24, 2020 7:43 am

Hi centeredki69,

thank you for your answer.

We are using "local bridge" in combination with the Windows Server DHCP Role.
I must say that your suggestion was also my first thought but I am not 100% sure.

I looked at the "Adressleases" when the problem occurred and not all IP addresses from the DHCP address pool were occupied.
Furthermore at that time I have also checked with Wireshark the SE Virtual Adapter on a problem PC: connection to SE VPN Server established; the traffic on the SE Virtual Adapter showed that the Adapter sent and received the correct Network Information like "Who is IP" but in the end it received none. I have looked in the Event Viewer on local PC and DHCP Server for Errors and found none.
I will check again, when the problem occurs and get back to you (Info or screenshots).

But until then is there another place where I can still search for this "limitation"?

Best regards!

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Tue Mar 24, 2020 9:53 am

Hi there!

I come with an extra Info: we do not limit the VPN Sessions on the SE VPN Server.
regards!

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Tue Mar 24, 2020 10:46 am

Hi again!

The problem is happening as I type and it does not reside in the DHCP Role:
I can connect without problems with local PCs, but on the SE VPN Server the 10 connections are there and the SE Clients (connection Nr. 11, 12 and so on) don't receive their IPs.

Regards!

mad_gulls
Posts: 3
Joined: Tue Mar 24, 2020 4:51 pm

Re: Softether Limitation

Post by mad_gulls » Tue Mar 24, 2020 5:05 pm

Try stable RTM versions of the server and clients. Collect Wireshark dumps on the client side and the DHCP side and figure out if there is a problem. Try to redeploy the server; it is easy to do by rehosting the configuration via the config file.

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Wed Mar 25, 2020 8:50 am

Hi mad_gulls!

Thank you for your answer.
I have checked the Version and it seems I use the latest RTM Version (SoftEther VPN 4.25 Build 9656 RTM (January 15, 2018)).

I will go ahead and reinstall/replace the SE VPN Server and all SE Clients with the latest BETA Version (SoftEther VPN 4.34 Build 9744 Beta (March 21, 2020)) and I hope the problem will disappear.

Best regards!

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Wed Mar 25, 2020 12:28 pm

Hi there!

I have reinstalled the VPN Server and Clients like I wrote and that didn't help. The problem is still there.

Can this be related with the fact that we are using both Split and Full Mode on the clients adapters?

Regards!

mad_gulls
Posts: 3
Joined: Tue Mar 24, 2020 4:51 pm

Re: Softether Limitation

Post by mad_gulls » Wed Mar 25, 2020 9:17 pm

What is Split and Full Mode? Can you attach a screenshot with the settings?

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Thu Mar 26, 2020 7:35 am

Hi mad_gulls,

Split or Full is how you want the Client traffic to be routed: partially over the VPN Server (split) or completely (full).

I am a bit confused about which config you mean. I have posted the VPN Client config as an attachment.
This config is the same on all VPN Clients and, I repeat, it works without problems as long as there are max. 10 Clients connected.
When the 11th comes, it gets successfully connected with its Windows Domain Credentials but receives no IP.

Regards!

mad_gulls
Posts: 3
Joined: Tue Mar 24, 2020 4:51 pm

Re: Softether Limitation

Post by mad_gulls » Thu Mar 26, 2020 8:56 am

Hmm, I would check whether it is a DHCP issue only. Have you tried assigning static IP addresses to the 10th and 11th VPN connections? What do the VPN server logs and the logs from the DHCP server show?

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Fri Mar 27, 2020 8:51 am

Hi mad_gulls!

As requested I have attached the logs in two parts - I have hidden the sensitive info - this is part 1.
In my understanding everything looks OK and I see no error.

That is why I don't understand why the first 10 VPN Clients receive their IPs from the DHCP Server and the others do not.

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Fri Mar 27, 2020 8:52 am

Hi mad_gulls!
here is the part 2.

Regards!

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Fri Mar 27, 2020 9:54 am

Hi there again!

Here I post my Windows DHCP Infos:
- Addresspool: 100
- Leasetime: it was set to 4 h -> now I have changed it to 30 Min.
- Failover: Hot Standby, see attach

Regards!

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Fri Mar 27, 2020 10:11 am

Hi !
and here is the DHCP Log.
Best regards!

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Fri Mar 27, 2020 10:18 am

Hi again!

And here is what the Log on the other DHCP Server looks like.

Regards!

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Fri Mar 27, 2020 11:00 am

Hi there again!

I must come with explanations. I have hidden the sensitive information, but I can confirm that the Remote PC Name (with VPN Client) is not logged in the DHCP Log File.
So that means that the Remote PC is not receiving an IP, but in Wireshark I see the Ping/Pong traffic "Who has IP?" and again the authentication on AD works fine. Furthermore the AD and DHCP are both on the same Servers: DC1 <-> DC2

Regards!
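The check described in the post above (is the remote PC in the DHCP log at all, or was its request refused?) can be scripted. This is an added example, not part of the original thread: it reads a Windows DHCP Server audit log (`DhcpSrvLog-*.log`) and reports, for a list of expected VPN client names, which ones received a lease, which requests failed (event 14, pool exhausted; event 15, lease denied) and which names the server never logged. The sample log, host names, IPs and MACs are constructed.

```python
import csv
from collections import defaultdict

# Event IDs as listed in the legend at the top of each DhcpSrvLog-*.log file.
LEASE_EVENTS = {"10", "11"}                      # new lease, renewal
FAILURE_EVENTS = {"14": "pool exhausted", "15": "lease denied"}

# Constructed sample (first seven columns only); hosts, IPs and MACs are made up.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/27/20,09:01:12,Assign,192.168.10.51,vpn-pc01.example.local,5E0000000001
11,03/27/20,09:31:12,Renew,192.168.10.51,vpn-pc01.example.local,5E0000000001
10,03/27/20,09:05:40,Assign,192.168.10.52,vpn-pc02.example.local,5E0000000002
15,03/27/20,09:40:03,NACK,192.168.10.77,lan-pc09.example.local,001122334455
"""


def summarize(log_text, expected_hosts):
    """Return (leases per host, failure events, expected hosts never logged)."""
    lines = log_text.splitlines()
    # Real files start with a legend; the CSV part begins at the header row.
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,Date,Time"))
    leases, failures, seen = defaultdict(set), [], set()
    for row in csv.DictReader(lines[start:]):
        event = (row["ID"] or "").strip()
        host = (row.get("Host Name") or "").strip().lower()
        ip = (row.get("IP Address") or "").strip()
        if host:
            seen.add(host)
        if event in LEASE_EVENTS and host:
            leases[host].add(ip)
        elif event in FAILURE_EVENTS:
            failures.append((FAILURE_EVENTS[event], host, ip))
    never_logged = sorted(h.lower() for h in expected_hosts if h.lower() not in seen)
    return dict(leases), failures, never_logged


if __name__ == "__main__":
    got, failed, missing = summarize(
        SAMPLE_LOG, ["vpn-pc01.example.local", "vpn-pc11.example.local"])
    print("hosts with a lease:", sorted(got))
    print("failure events:", failed)
    print("no DHCP event logged for:", missing)
```

A client that shows up under "no DHCP event logged" while its VPN session is established is one the DHCP server recorded nothing for, which is a different finding from an event 14 or 15 entry.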

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Mon Mar 30, 2020 7:47 am

Hi everyone,

can someone at least please confirm that he/she has an SE VPN Server that truly runs with more than 10 concurrent connections?
Because my problem sounds like a DHCP problem, but then again: why does the DHCP Server work for any other LAN component and the first 10 VPN connections?

centeredki69
Posts: 250
Joined: Wed Sep 18, 2013 1:49 pm

Re: Softether Limitation

Post by centeredki69 » Mon Mar 30, 2020 10:51 pm

This DHCP server is on a router, not a Windows server.
Do you have a dedicated physical NIC with all protocols removed for the "Local Bridge"? Not sure if that would cause your issue. See links:
https://www.softether.org/4-docs/1-manu ... rk_adapter
https://www.softether.org/4-docs/1-manu ... rk_Adapter

claudelu
Posts: 28
Joined: Mon Aug 29, 2016 11:42 pm

Re: Softether Limitation

Post by claudelu » Tue Mar 31, 2020 9:56 am

Hi centeredki69,

thank you for your answer.
I would gladly try the "Local Bridge" suggestion from the manual 3.6.3 but I don't quite understand it.
On my SE VPN Server I have 2 network cards (the second is currently disabled) and I know/can (how to) bridge them.

The Problem is I don't know on which Network card should I connect my network cable afterwards. Or better yet: as the manual describes I should put the internet cable direct in the first Network card and the cable for the LAN in the second.

But my SE VPN server runs behind a firewall and he is inside the LAN. So if I have understood the manual right I can not use this option in my environment. Please correct me if I am wrong and please advise further.

I am open to other suggestions, which could work better for me (I am the admin of the whole environment).

(I have attached the current config of my environment as explanation.)

Regards!

centeredki69
Posts: 250
Joined: Wed Sep 18, 2013 1:49 pm

Re: Softether Limitation

Post by centeredki69 » Tue Mar 31, 2020 10:38 am

Claudelu,
On the "Network 2" NIC 2 remove all checks from all protocols but enable the "softether lightweight network protocol" and then enable the NIC. Plug "Network 2" NIC 2 into the same "Main Switch" (Based on your diagram). "NIC 1" & "NIC 2" connect to the same switch & same local network. In the SE server manager you now need to create a new "local Bridge" between your Virtual HUB and "NIC2" and DELETE the old "local bridge". My understanding is that "NIC 1" connects the server to the local network on layer 3 (TCP/IP) like any normal computer. "NIC 2" connects to the SAME local network at a Layer 2 level. A single NIC will work but can become overloaded with multiple connections. An extra dedicated "local Bridge" NIC is preferred. NOTE: I'm still not sure this will fix your DHCP issue.
