This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

error dhcp discover after upgrade from 8.103

after upgrade to 8.202 our pptp vpn clients can not obtain any ip from internal dhcp.

error:

2011:09:23-14:15:32 mail pppd-pptp[15200]: Starting negotiation on /dev/ttyp0
2011:09:23-14:15:32 mail pptpd[15198]: GRE: Bad checksum from pppd.
2011:09:23-14:15:32 mail pptpd[15198]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
2011:09:23-14:15:35 mail pppd-pptp[15200]: Using interface ppp0
2011:09:23-14:15:35 mail pppd-pptp[15200]: MPPE 128-bit stateless compression enabled
2011:09:23-14:15:35 mail pppd-pptp[15200]: DHCPC: Using relay address of 'xx.xx.xx.xx'
2011:09:23-14:15:35 mail pppd-pptp[15200]: DHCPC: Unicasting to server 'xx.xx.xx.xx' only
2011:09:23-14:15:35 mail pppd-pptp[15200]: DHCPC: Sending discover...
2011:09:23-14:15:37 mail pppd-pptp[15200]: DHCPC: Sending discover...
2011:09:23-14:15:39 mail pppd-pptp[15200]: DHCPC: Sending discover...
2011:09:23-14:15:49 mail pppd-pptp[15200]: DHCPC: No lease, failing.
2011:09:23-14:15:49 mail pppd-pptp[15200]: DHCPC: Failed to obtain an IP address. Terminating connection.

Firewall sends also a warning for

Message........: BACKDOOR netthief runtime detection
Details........: Snort ::
Time...........: 2011:09:23-14:10:15
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was detected IP protocol....: 17 (UDP)

Source IP address: xx.xx.xx.xx (mail)
- Where are my results?
- Database Query
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=xx
- APNIC - Query the APNIC Whois Database
Source port: 67 (bootps)
Destination IP address: xx
- Where are my results?
- Database Query
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=xx
- APNIC - Query the APNIC Whois Database
Destination port: 67 (bootps)

--
System Uptime      : 0 days 0 hours 0 minutes
System Load        : 0.94
System Version     : Astaro Security Gateway 8.202

Please refer to the manual for detailed instructions.

Disabling this rule does not help!

This thread was automatically locked due to age.

Parents

0 BAlfson over 13 years ago

Interesting. I once got bitten by a similar issue... For years, it was possible to configure PPTP and L2TP to assign addresses in a subnet on an Astaro interface without problems. Then, beginning in V7.502, the Astaro stopped answering ARP requests for "internal" IPs in use by PPTP or L2TP, and that "broke" remote access to the internal network of the DHCP server. Apparently, sometime later, that changed again. My guess is that your related issue is something that no one tested in the beta or in Astaro's Quality Control because its use was unexpected.

In any case, I think you'll avoid future problems by changing your configuration to use a different DHCP service or just the standard "VPN Pool (PPTP)" so that remote users don't get assigned IPs in a subnet local to your Astaro. You'll probably need to add a masq rule and a packet filter rule like 'VPN Pool (PPTP) -> Any -> Any : Allow'. The Astaro should take care of any needed routes.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 13 years ago in reply to BAlfson

DrGoebel, I recommend you post your observations in this thread: https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/28165 so that the Astaro Personell that are monitoring the soft-release of 8.202 can see it and ask you questions if needed.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BrucekConvergent over 13 years ago in reply to BAlfson

DrGoebel, I recommend you post your observations in this thread: https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/28165 so that the Astaro Personell that are monitoring the soft-release of 8.202 can see it and ask you questions if needed.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data