Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 2246 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows Phone L2TP over IPsec cannot download apps or connect to live.com

UserOrange
I'm having a rather odd issue with the L2TP over IPsec VPN connection from a phone running Windows Phone 8.1.

I can browse apps in the Windows Phone store, but attempting to download an app results in a message stating "The Microsoft Account service is unavailable right now."

If I open the Microsoft OneDrive app, I get a "The folder can't be displayed" message and none of my files hosted on OneDrive appear. If I try to download offline maps for the Maps app, I get the message "We can't reach the maps library right now."

If I try to check for updates to the phone's operating system, "Checking for updates …" displays for a while, and then it displays the message "There was a temporary issue with the server or your Internet connection during the update."

Now, general web surfing in the Internet Explorer app seems to work fine; I can even watch videos on YouTube. However, trying to load the live.com site (used for Microsoft account hosting) times out, though the URL is first redirected to the login.live.com domain first.

However, the microsoft.com and windowsphone.com domains load just fine.

If I disable the VPN connection on the phone all these issues disappear.

I have tried disabling virus scanning and Country Blocking on the UTM to see if that would fix the VPN, with no results.

I'm currently running UTM version 9.209-8.

The L2TP over IPsec setup in the UTM is as follows.

Interface: External (WAN)

Authentication mode: Preshared key

Assign IP addresses by: IP address Pool
Pool Network: VPN Pool (L2TP)

Access control: Authentication via: RADIUS

iOS devices (Enabled)

I have checked the Firewall, Web Filtering, IPS, and IPsec VPN logs, but nothing stands out. I don't see connections that are denied or timed out coming from or to the IP address of the phone, aside from a number like these from the Web Filtering log:

2014:10:24-03:40:58 remote ulogd[31173]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" mark="0x103b" app="59" srcmac="0:0:4d:b8[:D]4:5d" srcip="204.79.197.200" dstip="10.242.3.2" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="49715" tcpflags="ACK PSH FIN"


Running nslookup on 204.79.197.200 returns the domain a-0001.a-msedge.net, but since these are dropped connections for ACK PSH FIN entries I don't know that it matters anyway.

I'm not sure what else to do at this point. Any suggestions would certainly be appreciated.


This thread was automatically locked due to age.
  • 0
    Here's a section of the IPsec log, in case that helps.

    2014:10:24-03:19:01 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #102: responding to Main Mode from unknown peer 192.168.2.38
    2014:10:24-03:19:01 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #102: ECP_384 is not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
    2014:10:24-03:19:01 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #102: ECP_256 is not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
    2014:10:24-03:19:02 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #102: NAT-Traversal: Result using RFC 3947: no NAT detected
    2014:10:24-03:19:02 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #102: Peer ID is ID_IPV4_ADDR: '192.168.2.38'
    2014:10:24-03:19:02 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #102: sent MR3, ISAKMP SA established
    2014:10:24-03:19:02 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #103: responding to Quick Mode
    2014:10:24-03:19:02 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #103: IPsec SA established {ESP=>0x34af2720 0xa91c9856  
    2014:10:24-03:24:09 remote pppd-l2tp[506]: Overriding mtu 1500 to 1380
    2014:10:24-03:24:09 remote pppd-l2tp[506]: Overriding mru 1500 to mtu value 1380
    2014:10:24-03:24:12 remote pppd-l2tp[506]: Overriding mtu 1400 to 1380
    2014:10:24-03:24:12 remote pppd-l2tp[506]: Cannot determine ethernet address for proxy ARP
    2014:10:24-03:24:12 remote pppd-l2tp[506]: local  IP address 10.242.3.1
    2014:10:24-03:24:12 remote pppd-l2tp[506]: remote IP address 10.242.3.2
    2014:10:24-03:24:13 remote pppd-l2tp[506]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="[USER_REDACTED]" variant="l2tp" srcip="192.168.2.38" virtual_ip="10.242.3.2"
    2014:10:24-03:24:59 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #106: responding to Quick Mode
    2014:10:24-03:24:59 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #106: IPsec SA established {ESP=>0x8fe1ab90 0xd735412c 0xb863eb7a 0x5260e120 0xbce1e3ba  
    2014:10:24-03:31:11 remote pppd-l2tp[886]: Overriding mtu 1500 to 1380
    2014:10:24-03:31:11 remote pppd-l2tp[886]: Overriding mru 1500 to mtu value 1380
    2014:10:24-03:31:14 remote pppd-l2tp[886]: Overriding mtu 1400 to 1380
    2014:10:24-03:31:14 remote pppd-l2tp[886]: Cannot determine ethernet address for proxy ARP
    2014:10:24-03:31:14 remote pppd-l2tp[886]: local  IP address 10.242.3.1
    2014:10:24-03:31:14 remote pppd-l2tp[886]: remote IP address 10.242.3.2
    2014:10:24-03:31:14 remote pppd-l2tp[886]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="[USER_REDACTED]" variant="l2tp" srcip="192.168.2.38" virtual_ip="10.242.3.2"
    2014:10:24-03:31:57 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #112: responding to Quick Mode
    2014:10:24-03:31:57 remote pluto[5979]: "L_REF_IpsL2t1_0"[1] 192.168.2.38 #112: IPsec SA established {ESP=>0xc0befe48 0x1267fcfe 0xc1a0a2da 0xa48a6540 0x97f7265c 0x774cfee4 0x050c642c 
  • 0 in reply to UserOrange
    A few entries from the Web Filtering log:

    2014:10:24-03:24:16 remote httpproxy[5320]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="10.242.3.2" dstip="157.55.60.56" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x10316450" url="http://fe1.update.microsoft.com/wp8/MicrosoftUpdate/Redir/duredir.cab" exceptions="av,ssl,fileextension,size" error="" authtime="0" dnstime="107" cattime="77536" avscantime="0" fullreqtime="356003" device="0" auth="0" country="United States" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware" content-type="application/octet-stream"

    2014:10:24-03:24:16 remote httpproxy[5320]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="10.242.3.2" dstip="157.55.60.56" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x12430bf0" url="http://fe1.update.microsoft.com/wp8/MicrosoftUpdate/Redir/duredir.cab" exceptions="av,ssl,fileextension,size" error="" authtime="0" dnstime="801" cattime="73019" avscantime="0" fullreqtime="122900" device="0" auth="0" country="United States" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware" content-type="application/octet-stream"

    2014:10:24-03:27:08 remote httpproxy[5320]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="10.242.3.2" dstip="157.55.60.56" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x12431040" url="http://fe1.update.microsoft.com/wp8/MicrosoftUpdate/Redir/duredir.cab" exceptions="av,ssl,fileextension,size" error="" authtime="0" dnstime="177" cattime="68854" avscantime="0" fullreqtime="128439" device="0" auth="0" country="United States" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware" content-type="application/octet-stream"

    2014:10:24-03:27:08 remote httpproxy[5320]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="10.242.3.2" dstip="134.170.115.58" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="406" request="0x124316b8" url="http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx" exceptions="av,ssl,fileextension,size" error="" authtime="0" dnstime="176" cattime="73794" avscantime="0" fullreqtime="272947" device="0" auth="0" country="United States" reputation="trusted" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware" content-type="text/xml"


    2014:10:24-03:40:35 remote httpproxy[5320]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.242.3.2" dstip="134.170.104.218" user="" ad_domain="" statuscode="301" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="143" request="0x132c6698" url="http://onedrive.live.com/" exceptions="" error="" authtime="0" dnstime="146" cattime="72746" avscantime="0" fullreqtime="20031174" device="0" auth="0" country="United States" category="170" reputation="neutral" categoryname="Personal Network Storage" application="winlive" app-id="534"
  • 0
    fullreqtime="20031174"

    Try adding an Exception for Anti-Virus for ^https?://onedrive\.live\.com.  Any luck with that? If not, then try skipping the proxy altogether for onedrive.live.com.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Thanks for the reply! I tried adding the Exception as you suggested. Unfortunately, it didn't fix the issue with OneDrive.

    To skip the proxy do I need to add the OneDrive domain in the Transparent mode skiplist section under Web Protection > Filtering Options > Misc?
  • 0
    It's been awhile, but I wanted to follow up with the solution I discovered. It seems the issue was solved by adding a Masquerading rule for this VPN's service out to the External WAN. Strange as I've never needed to add such a rule for SSL VPN access, but regardless, that turned out to be the solution.
Unfiltered HTML