denningsrogue

Q: Post Mavericks (server) upgrade, vpn has stopped working.  Any suggestions?

I upgraded by Mac mini server to Mavericks (including the server update). Now the VPN has stopped working.  Pre update I used the vpn for my MacBook Air, iPad and iPhone.  Now nothing works.  I've checked my router (Apple) and it appears to be set up appropriately to pass VPN traffic. Any ideas?

Mac Mini Server, Mac OS X (10.6.3)

Posted on Oct 23, 2013 12:52 AM

  • by kellentat,

    kellentat Oct 26, 2013 7:08 PM in response to denningsrogue
    Level 1 (5 points)

    I spent 4 hours on the phone with Apple Enterprise Support (kept getting transferred up the support person chain). At one point we created a new account for the support person and they tried the VPN, which worked. At that point he told me it must be my connections on the other devices I was trying and that was all support could do- he also told me that when pinging my server he was seeing a lot of packet loss. After this I requested that he guide me through completely uninstalling the server, since every time I do this it carries over settings (right down to the shared secret) when reinstalling. He wanted to verify that we were doing it correctly so he put me on hold- at this point I ran a web based ping and traceroute (to rule out my local network) coming from Europe NO packet loss. We did a complete uninstall of the server portion and reinstall and the shared secret came back- which he could not explain. I then showed him the ping/traceroute- which he insisted since he could connect (which we could see in the logs) that it was my local networks for the other machines I was testing on, also that this was as far as support could go. For instance trying my iPhone on AT&T's LTE network and a work laptop- VPN into the work network THEN trying to come back to my VPN network. I informed him that I was going to completely nuke the machine and start over- he advised that I try the VPN from a Starbucks first, still insisting that it was my local cell/work networks being spotty.

     

    I erased the main drive, re-installed Mavericks, then re-installed server 3 annnnnnnnd I am back to the same place. Currently I am testing from another location and still cannot get past the IKE Phase 1 portion of racoon's auth via hostname HOWEVER if I use Logmein to get back to another machine on the same network and use the IP I can use the VPN.

     

    Here's the log:

     

    Oct 23 08:22:10 hostname racoon[224]: Connecting.

    Oct 23 08:22:10 hostname racoon[224]: IPSec Phase 1 started (Initiated by peer).

    Oct 23 08:22:10 hostname racoon[224]: IKE Packet: receive success. (Responder, Main-Mode message 1).

    Oct 23 08:22:10 hostname racoon[224]: >>>>> phase change status = Phase 1 started by us

    Oct 23 08:22:10 hostname racoon[224]: IKE Packet: transmit success. (Responder, Main-Mode message 2).

    Oct 23 08:22:10 hostname racoon[224]: IKE Packet: receive success. (Responder, Main-Mode message 3).

    Oct 23 08:22:10 hostname racoon[224]: IKE Packet: transmit success. (Responder, Main-Mode message 4).

    Oct 23 08:22:10 hostname racoon[224]: Connecting.

    Oct 23 08:22:14 hostname racoon[224]: IKE Packet: transmit success. (Phase 1 Retransmit).

    Oct 23 08:22:47 --- last message repeated 3 times ---

    Oct 23 08:22:50 hostname racoon[224]: IKE Packet: transmit success. (Phase 1 Retransmit).

    Oct 23 08:23:10 hostname racoon[224]: IKE Packet: transmit success. (Phase 1 Retransmit).

    Oct 23 08:23:59 --- last message repeated 1 time ---

    Oct 23 08:23:59 hostname racoon[224]: IKE Packet: transmit success. (Phase 1 Retransmit).

    Oct 23 08:24:56 --- last message repeated 1 time ---

    Oct 23 08:24:59 hostname racoon[224]: IKEv1 Phase 1: maximum retransmits. (Phase 1 Maximum Retransmits).

    Oct 23 08:24:59 hostname racoon[224]: Phase 1 negotiation failed due to time up. 2194c11c97819d97:a29d73f04fe7e67f

     

    The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

     

    Here’s the network topology- Internet > Modem > Airport Extreme > Mac Mini via ethernet.

     

    For the hostname DNS we are using a dynamic DNS service, which I have verified is resolving to the machine through the router etc.

     

    I have tried deleting the Server App and /Library/Server as well as any pref files I could find, then rebooting, after downloading the Server App again I found all of my settings are back. Also I’ve tried removing the Server Setup Done file as well in conjunction as well as independently with no luck.

     

    I have tried killing racoon via the activity monitor as well as via the command line.

     

    I am able to reach the machine locally via ssh and screen share, and externally via logmein.

     

    I have tried an iPhone 5s locally and externally, and two MacBook Airs internally and externally as well.

     

     

    Tried messing with racoon's access to private keys still no luck. Currently trying to restore a TM back in a VM to run on the machine.

     

    I have deleted the VPN port forwarding entry in the Airport, tried putting it back manually as well as via the Server App and the drop down menu in the Airport.

     

    I am 99% sure the traffic is reaching the server as I can see the following when I try to authenticate to the VPN, please note this is always the same for each VPN client

     

    So at this point I am stuck either rolling back to ML or getting on the phone again with Enterprise Support who is convinced that it's not on them.

     

     


     

     

    I have another call with support tomorrow morning as I am starting to see message boards and App Store reviews saying the same thing- Server 3.0 seems to have broke the already fragile OS X VPN Server...
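
An added example (not part of the post above and not Apple tooling): this Python script reads racoon lines like the ones quoted in the post and reports at which IKEv1 Main Mode message the responder stopped hearing from the client. The function name `diagnose_phase1` and the trimmed sample log are constructed for this illustration.

```python
import re

# Constructed sample: a trimmed copy of the racoon lines quoted in the post above.
SAMPLE_LOG = """\
Oct 23 08:22:10 hostname racoon[224]: IPSec Phase 1 started (Initiated by peer).
Oct 23 08:22:10 hostname racoon[224]: IKE Packet: receive success. (Responder, Main-Mode message 1).
Oct 23 08:22:10 hostname racoon[224]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
Oct 23 08:22:10 hostname racoon[224]: IKE Packet: receive success. (Responder, Main-Mode message 3).
Oct 23 08:22:10 hostname racoon[224]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
Oct 23 08:22:14 hostname racoon[224]: IKE Packet: transmit success. (Phase 1 Retransmit).
Oct 23 08:22:47 --- last message repeated 3 times ---
Oct 23 08:22:50 hostname racoon[224]: IKE Packet: transmit success. (Phase 1 Retransmit).
Oct 23 08:24:59 hostname racoon[224]: IKEv1 Phase 1: maximum retransmits. (Phase 1 Maximum Retransmits).
Oct 23 08:24:59 hostname racoon[224]: Phase 1 negotiation failed due to time up. 2194c11c97819d97:a29d73f04fe7e67f
"""

MAIN_MODE = re.compile(
    r"IKE Packet: (receive|transmit) success\. \(Responder, Main-Mode message (\d)\)")
REPEATED = re.compile(r"last message repeated (\d+) times?")

def diagnose_phase1(log_text):
    """Summarise a responder-side IKEv1 Main Mode attempt from racoon log lines."""
    state = {"last_rx": 0, "last_tx": 0, "retransmits": 0, "failed": False}
    prev_retransmit = False  # was the previous logged message a retransmit?
    for line in log_text.splitlines():
        mm = MAIN_MODE.search(line)
        rep = REPEATED.search(line)
        if rep:
            # syslog collapses duplicates; count them only if they repeat a retransmit
            if prev_retransmit:
                state["retransmits"] += int(rep.group(1))
            continue
        prev_retransmit = "(Phase 1 Retransmit)" in line
        if prev_retransmit:
            state["retransmits"] += 1
        elif mm:
            key = "last_rx" if mm.group(1) == "receive" else "last_tx"
            state[key] = max(state[key], int(mm.group(2)))
        elif "Phase 1 negotiation failed" in line:
            state["failed"] = True
    # The responder sends the even-numbered messages, so after sending N it is
    # waiting for initiator message N+1 (Main Mode has six messages in total).
    stalled = state["failed"] and state["last_tx"] < 6
    state["stalled_waiting_for"] = state["last_tx"] + 1 if stalled else None
    return state

if __name__ == "__main__":
    print(diagnose_phase1(SAMPLE_LOG))
```

A stall at message 5 means the responder never saw the initiator's first encrypted identity/authentication message. Under NAT traversal (RFC 3947) that is also the message at which the initiator moves from UDP 500 to UDP 4500, so the UDP 4500 forwarding path is worth checking alongside UDP 500.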

  • by GregoryGearGuy,

    GregoryGearGuy Oct 26, 2013 8:22 PM in response to denningsrogue
    Level 1 (0 points)

    If you are having this issue, if you have not already - I suggest leaving a review in the app store as it will save others the trouble and puts more pressure on Apple to fix the issue.

  • by formerlyknownas,

    formerlyknownas Oct 27, 2013 9:32 AM in response to GregoryGearGuy
    Level 1 (0 points)

    nice to see a mod' has changed my last post where I refer to apple as CRAPPLE !!

     

     

    Will do GregoryGearGuy !

  • by cq_,

    cq_ Oct 27, 2013 7:43 PM in response to denningsrogue
    Level 1 (0 points)

    Here is how I got it working:

     

    1. Turn on "Open Directory" and set it up.

    2. Add a new user - where it says "Local Only" change it to "None- Services Only"

    That's it...

     

    To complete client VPN setup the easy way

    3. Go to VPN and click "Save Configuration Profile"

    4. Open the VPN configuration file you just saved on the client and then enter in the new username

     

    This worked for me on the L2TP+PPTP settings...

  • by kellentat,

    kellentat Oct 27, 2013 8:48 PM in response to cq_
    Level 1 (5 points)

    I got my hopes up but now I just have this error in addition to the Phase 1 retransmit BS:

     

    Finder[1116]: Error enumerating (null): The file \u201cBackups.backupdb\u201d couldn\u2019t be opened because you don\u2019t have permission to view it.

     

    Thanks for the suggestions though- it drives me insane to know that someone has this working but I cannot get it working even after a clean install. I wonder what I am doing wrong here...

  • by Mike Lee7,

    Mike Lee7 Oct 28, 2013 7:27 AM in response to cq_
    Level 1 (44 points)
    iPhone

    cq_ wrote:

     

    Here is how I got it working:

     

    1. Turn on "Open Directory" and set it up.

    2. Add a new user - where it says "Local Only" change it to "None- Services Only"

    That's it...

     

    To complete client VPN setup the easy way

    3. Go to VPN and click "Save Configuration Profile"

    4. Open the VPN configuration file you just saved on the client and then enter in the new username

     

    This worked for me on the L2TP+PPTP settings...

    Can you please detail how you did this?

    Thanks.

  • by Choddy1,

    Choddy1 Oct 28, 2013 8:58 AM in response to Mike Lee7
    Level 1 (0 points)

    Hi Guys,

     

    I just wanted to weigh in. Having similar problems to everyone else.

     

    Cannot connect to L2TP from outside. BTMM is disabled everywhere. At this point I assume it is something Apple needs to fix.

     

    However, another issue I have is that on the internal network, when i try to connect to my VPN using L2TP and the credentials of a "Local User" it connects and works fine.

     

    If i connect with a "Local Network User" i get the error in my logs:

    : sent [CHAP Failure id=0xfc ""]

    : CHAP peer authentication failed for <user here>

     

    Under open directory in Console i get the following error:

    Node: /LDAPv3/127.0.0.1, Module: AppleODClientPWS - unable to open connection to Password Server - unable to connect to server "127.0.0.1"

     

    All other services work fine (ical, mail, address book, etc).

     

    Something i am missing? Have you guys encountered this?

  • by JoshuaOchs,

    JoshuaOchs Oct 28, 2013 10:01 PM in response to denningsrogue
    Level 1 (0 points)

    A bit of a "me too" post. Seeing the same things; however from what I've researched, authentication problems might cause an IKE Phase 1 failure, so I wonder if the PPTP auth errors and L2TP connection errors aren't going back to the same root cause.

     

    Whatever the case is, Apple needs to fix it already. I wonder sometimes if Apple tests such edge functionality sufficiently before releasing - I didn't see anything about it during the Mavericks beta phase, which is worrisome. Very basic regression testing would have caught this.

  • by Choddy1,

    Choddy1 Oct 28, 2013 10:34 PM in response to Choddy1
    Level 1 (0 points)

    Hey again,

     

    Just wanted to share what i did to fix my issue (not the outside l2tp vpn issue, but the authentication failures on l2tp). The problem was my password server for open directory was not started.

     

    http://support.apple.com/kb/TS3036

     

    All I needed to do was start it:

     

    sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.PasswordService.plist

     

    And instantly my network users are now being authenticated via l2tp logins and all is well in the world.

     

    Except of course the outside access via l2tp.

  • by kellentat,

    kellentat Oct 28, 2013 10:47 PM in response to denningsrogue
    Level 1 (5 points)

    Spoke to Apple Enterprise Support this morning and they are aware of the issue now. We spent about 2 hours troubleshooting and trying everything the tech could think of, in the end he gathered logs from my server. At this point they are leaning towards an issue with NAT and Mavericks Server. They're working on it, most likely be addressed in an update to the Server app. Just wanted to share.

  • by Pascal Heijnen,

    Pascal Heijnen Oct 28, 2013 11:31 PM in response to Pascal Heijnen
    Level 1 (70 points)

    I did restart VPN several times to no avail. However, after a few days of not checking, it now works, without me changing anything

    pascal

  • by kerryfung,

    kerryfung Oct 29, 2013 12:56 PM in response to denningsrogue
    Level 1 (0 points)

    Reading from you guys let me know that I am not alone!  I have exactly the same issue about the VPN server after upgrading to Mavericks so I am not going to repeat. 

     

    However, now I am on a business trip in China (Ningbo, Zhejiang) and despite having no luck connecting to the VPN server in Hong Kong, I was suddenly able to connect to the VPN server (which was left running when I left yesterday) from time to time.  Connection is not 100% as there are only at times when I can connect with my MBP and iPhone 5. 

     

    So I am very puzzled about the current status of the VPN server flaws now.  I am very frustrated with CrApple, too, especially that I did also have my Mail app keep crashing after the upgrade that I still have to look for a solution.

     

    Just too much trouble to upgrade from ML to Mavericks!  I am losing trust in CrApple, despite my latest investment in another MBA a few days ago.... :-(

  • by Pascal Heijnen,

    Pascal Heijnen Oct 29, 2013 2:11 PM in response to Pascal Heijnen
    Level 1 (70 points)

    Found out that it works when I am away from home, that is, using VPN from an outside network, either mobile data or from a public hotspot in town. It does NOT work when I use the external DNS name to reach the VPN server while at home. This DID work before. Strange...

  • by JoshuaOchs,

    JoshuaOchs Oct 29, 2013 11:36 PM in response to Pascal Heijnen
    Level 1 (0 points)

    Sadly, no such luck for me. Still won't connect regardless (although I'm quite intrigued as to what changed for you!).

  • by Choddy1,

    Choddy1 Oct 30, 2013 2:03 AM in response to JoshuaOchs
    Level 1 (0 points)

    Nor me, i tried multiple times from multiple locations, from multiple devices.

     

    It never connected.

     

    Internally, everything hunky dory.
