Topic: Problem with multiple simultaneous PPTP connections SME7

[Jarkor]

Hi everybody, I´m having a problem with a recently installed SME 7.0,
the only changes are the updates apply to it through software installer,
so it´s running kernel version 2.6.9-42.0.2.EL. I try booting with the
stock kernel 2.6.9-34 but happens the same.
The connection is a static IP. There are 3 contribs installed, userpanel, vacation and sarg.

The problem happens with different client machines, inside the LAN,
with OS Win2k/WinXP, while connecting to PPTP Vpns located in the
internet. Only one machine at the time can be connected, to the same
destination host. For example, 1 PC connects to one host, then the
other PCs in the LAN can't connect to the same host, but can connect
perfectly to another vpn host.
It's not a problem with the internet connection because I check the same
scenario with a Linksys hardware router, and it works perfect, without
limitations.

I try to figure out the problem but I can't find so much. I check the
iptables rules, nothing found, also changing FORWARD policy to ACCEPT
doesn't solve the problem.

Here is the tcpdump of the unsucessful connection:

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:57:11.505348 IP 200.51.197.239.1723 > 192.168.0.53.2349: S 2073123557:2073123557(0) ack 21681169 win 16560 <mss 1380,nop,nop,sackOK>
14:57:11.513112 IP 200.51.197.239.1723 > 192.168.0.53.2349: P 1:157(156) ack 157 win 16404: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(2195) [|pptp]
14:57:11.523983 IP 200.51.197.239.1723 > 192.168.0.53.2349: P 157:189(32) ack 325 win 16236: pptp CTRL_MSGTYPE=OCRP CALL_ID(865) PEER_CALL_ID(49152) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(549240320) RECV_WIN(16384) PROC_DELAY(0) PHY_CHAN_ID(0)
14:57:11.704254 IP 200.51.197.239.1723 > 192.168.0.53.2349: . ack 349 win 16212
14:57:48.522719 IP 200.51.197.239.1723 > 192.168.0.53.2349: P 189:337(148) ack 365 win 16196: pptp CTRL_MSGTYPE=CDN CALL_ID(865) RESULT_CODE(0) ERR_CODE(0) CAUSE_CODE(0) [|pptp]
14:57:48.526016 IP 200.51.197.239.1723 > 192.168.0.53.2349: P 337:353(16) ack 381 win 16180: pptp CTRL_MSGTYPE=StopCCRP RESULT_CODE(1) ERR_CODE(0)
14:57:48.530019 IP 200.51.197.239.1723 > 192.168.0.53.2349: F 353:353(0) ack 382 win 16180

eth0 is LAN
eth1 is WAN

Any help will be really appreciated. Things to test also, I can do
any test with the server.

Thanks in advance,
Jarkor

[CharlieBrady]

The problem happens with different client machines, inside the LAN,
with OS Win2k/WinXP, while connecting to PPTP Vpns located in the
internet. Only one machine at the time can be connected, to the same
destination host. For example, 1 PC connects to one host, then the
other PCs in the LAN can't connect to the same host, but can connect
perfectly to another vpn host.

This is a known limitation of the NAT functionality of the RedHat kernel used in the SME server. Please post details of your problem to the bug tracker, and someone might be able to have a go at fixing the problem via a software update.

[Boris]

This is a known limitation of the NAT functionality of the RedHat kernel used in the SME server.

The same limitation is also present in many (most?) higher end NAT/PAT based firewalls including some Cisco PIXes.

[Jarkor]

Thanks a lot, for the [fast!] response.

Two more things:

- Anyone knows if sme 6.0.1 has the same limitation ? I have installed
and working several of this production servers, but none of them uses
multiple pptp connections, so I can't check it now.

- Any idea on where resides the limitation in the kernel ? I can try to
recompile the kernel myself to check if it works. (unless some code
patch is required).

Thanks a lot!
regards,
Jarkor

[CharlieBrady]

- Anyone knows if sme 6.0.1 has the same limitation ?

It does.

- Any idea on where resides the limitation in the kernel ? I can try to
recompile the kernel myself to check if it works. (unless some code
patch is required).

Netfilter connection tracking doesn't handle multiple sessions. Patching would certainly be required - and you'd need to create the patch.

[Jarkor]

Thanks CharlieBrady.

But, what about pptp-conntrack-nat ? Do you know if this patch
works? I know it's in testing state, but maybe somebody already tested it.

[CharlieBrady]

But, what about pptp-conntrack-nat ? Do you know if this patch
works?

No, I don't know.

I know it's in testing state, but maybe somebody already tested it.

I haven't had any feedback on it.

Please take this discussion to the bug tracker.