Version 4.07 Client - Protocol Error (code 2)

[matt.sayers]

I have recently upgraded my SoftEther VPN server to version 4.07 (Build 9448) to take fixes for OpenSSL.

I am able to successfully connect to the VPN from a computer using the 4.04 (Build 9412) client.

If I attempt to also update my vpn client to version 4.07 (Build 9448), I get errors any time I connect. The errors says "Error 2: Protocol Error." This happens on any port I try to connect with. I tried 443, 992 and 5555. And yes, I do have the server listening to those ports.

Here is an error entry from the client log:
2014-06-07 21:20:02.456 VPN Connection Setting "[real server name removed]": The connection has been either disconnected or it failed. Cause: Protocol error occurred. Error was returned from the destination server. (code 2)

I ended up uninstalling the 4.07 client and reinstalling 4.04 client which works.

Is this a known issue or configuration change that I am missing? If not, can you look into this. If you need more details to reproduce this error I will be happy to provide those.

Thanks in advance.

[gavinlee]

matt.sayers wrote:
> I have recently upgraded my SoftEther VPN server to version 4.07 (Build
> 9448) to take fixes for OpenSSL.
>
> I am able to successfully connect to the VPN from a computer using the 4.04
> (Build 9412) client.
>
> If I attempt to also update my vpn client to version 4.07 (Build 9448), I
> get errors any time I connect. The errors says "Error 2: Protocol
> Error." This happens on any port I try to connect with. I tried 443,
> 992 and 5555. And yes, I do have the server listening to those ports.
>
> Here is an error entry from the client log:
> 2014-06-07 21:20:02.456 VPN Connection Setting "[real server name
> removed]": The connection has been either disconnected or it failed.
> Cause: Protocol error occurred. Error was returned from the destination
> server. (code 2)
>
> I ended up uninstalling the 4.07 client and reinstalling 4.04 client which
> works.
>
> Is this a known issue or configuration change that I am missing? If not,
> can you look into this. If you need more details to reproduce this error I
> will be happy to provide those.
>
> Thanks in advance.
95
Hi Matt:
I have met the same problem like you did, I can't able to connect any one of VPN in the list. Even I connected teporary,it will be disconnected in a few minutes.My version is also 4.07(9448). This is the newest version which the official website updated. Did you solve this problem now? or do the old version before 4.07 still work successfully?
thank you
BR

Gavin

[matt.sayers]

Hi Gavin.

I am able to successfully connect to a server on version 4.07 (Build 9488) with the 4.04 client. I had to uninstall the 4.07 Client (Build 9488) then install the older 4.04 Client (Build 9412). This seems to preserve your settings OK between uninstall/reinstall which is nice.

To be clear, I never had an issue with the server versions.
Server is on 4.07.
4.04 client will successfully connect.
4.07 client will throw protocol errors.

I would try downgrading your client version to 4.04 and see if that helps. It did for me. I hope the issue can be fixed in a newer version of the client though because now I have to warn my users not to download the suggested client update.

Matt

[dnobori]

Hi matt.sayers,

I am a developer of SoftEther VPN programs.
To analyze your problem, I need to reproduce the problem.

Could you please give me the IP address and the port number of actual running SoftEther VPN Server which occurs your problem? If so, I am going to check whether there are certainly protocol-error when the connection attempt will be made from the latest version of VPN Client. If that is positive, I will try to identify which VPN Client version begins to cause the problem.
I am going to check whether the "protocol error" occurs or not during the SSL connection phase. This step needs no login attempts because the protocol error occurs before the user authentication phase. No username and login credentials are needed. Please provide us just IP address and port number.

If you are not willing to post your host's IP address and port number, please upload them in the text file via the following uploader, and paste the uploaded URL on this forum so that no one except our staff can read it.
https://www.softether-upload.com/ (PIN: 8931)

Please keep the VPN Server up to date (Ver 4.07).

[matt.sayers]

dnobori,

Thank you for your assistance.

I have uploaded a text file to the URL you provided named "network info.txt" so that you may test. Let me know if you need anything else.

Matt

[matt.sayers]

And here is the URL to the file:
https://www.softether-upload.com/files2 ... b978811b4/

[dnobori]

Thank you. I am going to start the actual check of protocol errors, trying all versions of VPN Client between 4.04 and 4.07.

[matt.sayers]

Thank you for your help!

[dnobori]

I found the problem.
The IP address and the port number (443) which you speficied is occupied by the another program, which might be a LinkSys router.

Please check your router setting to transfer the public TCP port "443" to the internal private IP address of the VPN Server.

openssl s_client -connect *.*.*.*:443
CONNECTED(00000003)
depth=0 /CN=Linksys_RVS4000/OU=RVS4000/O=Linksys/C=US
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=Linksys_RVS4000/OU=RVS4000/O=Linksys/C=US
verify return:1
---
Certificate chain
0 s:/CN=Linksys_RVS4000/OU=RVS4000/O=Linksys/C=US
i:/CN=Linksys_RVS4000/OU=RVS4000/O=Linksys/C=US
---

[matt.sayers]

dnobori,

Thank you for the update.

Did something change in version 4.07 which no longer can ignore/bypass this issue as version 4.04 did?

I will give your suggestion a try on Monday when I am back in the office. I will post back next week and let you know how it goes.

Matt

[gavinlee]

dnobori wrote:
> I found the problem.
> The IP address and the port number (443) which you speficied is occupied by
> the another program, which might be a LinkSys router.
>
> Please check your router setting to transfer the public TCP port
> "443" to the internal private IP address of the VPN Server.
>
> openssl s_client -connect *.*.*.*:443
> CONNECTED(00000003)
> depth=0 /CN=Linksys_RVS4000/OU=RVS4000/O=Linksys/C=US
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /CN=Linksys_RVS4000/OU=RVS4000/O=Linksys/C=US
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=Linksys_RVS4000/OU=RVS4000/O=Linksys/C=US
> i:/CN=Linksys_RVS4000/OU=RVS4000/O=Linksys/C=US
> ---


Dnobori:
Thank you for your help. Could you tell me the detial of how to check the router setting to transfer the public TCP port"443" to the internal private IP address of the VPN Server? Honestly I am not good at computer.
Thank you again

[gavinlee]

matt.sayers wrote:
> Hi Gavin.
>
> I am able to successfully connect to a server on version 4.07 (Build 9488)
> with the 4.04 client. I had to uninstall the 4.07 Client (Build 9488) then
> install the older 4.04 Client (Build 9412). This seems to preserve your
> settings OK between uninstall/reinstall which is nice.
>
> To be clear, I never had an issue with the server versions.
> Server is on 4.07.
> 4.04 client will successfully connect.
> 4.07 client will throw protocol errors.
>
> I would try downgrading your client version to 4.04 and see if that helps.
> It did for me. I hope the issue can be fixed in a newer version of the
> client though because now I have to warn my users not to download the
> suggested client update.
>
> Matt

Hi,Matt:
thank you for your help. I just unist the 4.07 client and reinstall the 4.04 client. Then I am able to connect temporary. but I don't know how long I can maintain this.
hope the developer will fix this soon

BR

Gavin

[dnobori]

Hi matt.sayers,

I wrote a patch to work around the NAT-T issue for the enviroment which is like your network.

http://www.softether.org/5-download/history

** Work around the NAT traversal problem.

Adjusted the priority between TCP/IP Direct Connection and UDP-based NAT-Traversal. On this version (Ver 4.08), NAT-Traversal will always be used if the client program detects that the specified TCP destination port on the destination server is occupied by non-SoftEther VPN Server. Anyone who faces to the connection problem on the VPN Server which is behind the NAT-box should install this update.



In the previous version (Ver 4.07), when the VPN Client attempts to connect to the VPN Server, the client firstly establish the connection via the TCP/IP direct protocol. If the TCP connection establishes successfully (in the layer-3) but the TCP port returns non-VPN protocol data (in the layer-7), the protocol error occurs immediately even if the NAT-Traversal connection attempt is still pending. This phenomenon often occurs when the VPN Server is behind the NAT-box, and the NAT-box has a listening TCP-443 port by itself. In that condition, the VPN Client attempts to connect to that TCP-443 port firstly, and the protocol error occurs immediately NAT-box returns non-VPN protocol (e.g. HTML-based administration page).



In order to work around that, this version (Ver 4.08) of VPN Client changed the behavior. On this version, if the VPN Client detects that the destination TCP Port is occupied by a non-VPN program, then the client will always use NAT-Traversal socket. This minor change will fix the connection problem to VPN servers behind the NATs.



Note: The built-in NAT-Traversal function on SoftEther VPN is for temporary use only. It is not recommended to keep using UDP-based NAT-Traversal connection to beyond the NAT-box when the VPN Server is behind the NAT-box, for long-term use. It is reported that some cheap NAT-boxes disconnect UDP session in regular period (a few minutes) after NAT-Traversal connection has been made. The strongly recommended method to run VPN Server behind the NAT is to make a TCP port mapping on the NAT-box to transfer incoming VPN connection packets (e.g. TCP port 443) to the private IP address of the VPN Server.


Please update to your VPN Client to SoftEther VPN 4.08 Build 9449.
I hope that your error will be fixed, without no setting correction on your NAT-box.
http://www.softether-download.com/

[matt.sayers]

dnobori,

Thank you for all of your help! Version 4.08 seems to have fixed the issues.

Matt

[thisjun]

Did you success to connect to the sever with previous version?
If no, your problem may have another cause.
Please open new topic.