
Server VPN issue when a second VPN user connects it drops the first user

I have set up several Mac OS Servers from 10.6 through 10.9 and I seem to have this issue on all versions. I set up the VPN connection to use both PPTP and L2TP. I can connect a single user from outside the network just fine using L2TP, username, password and shared secret and they connect just fine, but when I have a second user try to connect in the same way they can connect just fine but it will kick the first user off the VPN. This is the error message I get from the first user: "You were disconnected because the PPP server is not responding. Try reconnecting."


If I was to reconnect from the first user again it would connect and then kick the second user off the VPN. So it is acting like I can only have one user connected at a time. They are both using different usernames and passwords. Both using L2TP and this server is currently version 10.7.5 with all updates done. I even tried setting it up with just L2TP and still same issue. The second user always disconnects the first user.


The server log file shows:

L2TP received CDN

Connection terminated

Connect time 2.0 minutes

Sent bytes, received bytes

L2TP disconnecting...

L2TP disconnected

Client with address 192.168.1.224 has hungup


If I have just one user connected then it continues to work just fine, but this server needs to have multiple VPN connections at one time. Any ideas or suggestions?


Thanks!

Mac mini, Mac OS X (10.7.5)

Posted on Sep 3, 2014 8:01 AM

Question marked as Best reply

Posted on Sep 3, 2014 8:10 AM

My understanding is you cannot have two users from the same LAN connect simultaneously to the VPN service in OS X Server.



Bryan Dulock

ACN

Houston, TX


Sep 3, 2014 8:27 AM in response to bfdulock

Thanks for the response and that got me thinking. When I have two users from the same external network connect to the VPN it will boot one user, so only one remote user from an external network can connect at the same time. So if I connect a laptop to the VPN from an external network it works fine and then if I connect my iPad to the VPN using TMobile LTE I can have both clients connected at the same time and all is fine.


So now my question is, is this a feature of the Mac Server VPN or a bug? If it is a feature, is there a way to fix this via Command Line? This server needs to have multiple users from the same remote network to connect at the same time. Any ideas?


Chad

Sep 3, 2014 9:17 AM in response to bfdulock

I tried that but I can't seem to get the PPTP to work on either my iPad or my MacBook Pro Mac OS 10.9.4. I even tried no encryption and it still won't connect. The error message I get is: "A connection could not be established to the PPP server. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."


The settings are correct but still fails. The server log files indicated that the "admin" user is authorized for access then it gives an error "MPPE required but not available" Connection terminated.


Chad

Sep 3, 2014 1:16 PM in response to Chad Aldrich

Usual trigger for the second L2TP VPN dropping is the firewall-gateway-NAT device; it can get tangled up with which ports are going where, and which can sometimes be resolved by opening additional ports for NAT pass-thru, and can also be resolved by moving the VPN server out in front of the NAT processing — NAT and VPN tend to work at cross purposes, where NAT tries to hide the end-point of a connection, and a VPN wants to keep track of the end-points — with a firewall-gateway-NAT device with an embedded VPN server.


PPTP is far less secure than L2TP, but passes through a firewall somewhat more easily.


The embedded VPN server in OS X Server is fairly limited, too.


Confirm the IP ports and protocols are open.


PPTP expects GRE (protocol 47) and TCP port 1723.

IPSec expects UDP port 500 and ESP (protocol 50) for site to site non-NAT.

L2TP expects UDP port 500, UDP port 1701 and UDP port 4500 when behind NAT.


GRE and ESP are protocols, not ports.

Sep 4, 2014 6:56 AM in response to Chad Aldrich

We previously experienced this exact issue and had a few conversations with Apple about it. It seems it's not considered a 'bug' per se, just the way the OS X server VPN implementation works. It seems rooted in the protocols used (e.g., PPTP) which either don't allow or frequently have issues with multiple remote connections from the same remote IP address (i.e., multiple machines on the same LAN). Behavior is that when a new machine connects the first one is dropped.


For us we migrated over to an SSL VPN (aka OpenVPN) based solution for our VPN connections. We made the migration as part of an upgrade to some core networking hardware when the VPN was integrated into our core internet facing router/firewall. That protocol allows simultaneous connections from the same remote location without any issues.
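An added example, not part of any post in this thread: a short Python check an administrator could run over session records to confirm the pattern the replies above describe, where a session drops shortly after a different user connects from the same public IP. The event tuples are constructed and normalised (they are not the vpnd log format), and the function name and 30-second window are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events: (timestamp, event, user, public source IP seen by the server).
# Addresses come from the documentation ranges; none of this is taken from the thread.
EVENTS = [
    ("2014-09-03 08:00:05", "connect",    "alice", "203.0.113.10"),
    ("2014-09-03 08:02:01", "connect",    "bob",   "203.0.113.10"),
    ("2014-09-03 08:02:04", "disconnect", "alice", "203.0.113.10"),
    ("2014-09-03 08:05:00", "connect",    "carol", "198.51.100.7"),
    ("2014-09-03 08:30:00", "disconnect", "carol", "198.51.100.7"),
    ("2014-09-03 09:00:00", "disconnect", "bob",   "203.0.113.10"),
]

def find_evictions(events, window_seconds=30):
    """Return (dropped_user, new_user, source_ip, gap_seconds) for every
    disconnect that follows another user's connect from the same public IP
    within window_seconds."""
    window = timedelta(seconds=window_seconds)
    active = {}    # source IP -> {user: connect time}
    findings = []
    for stamp, kind, user, ip in sorted(events):
        when = datetime.strptime(stamp, FMT)
        sessions = active.setdefault(ip, {})
        if kind == "connect":
            sessions[user] = when
            continue
        started = sessions.pop(user, None)
        if started is None:
            continue  # disconnect with no recorded connect; nothing to correlate
        for other, other_start in sessions.items():
            # A peer behind the same public IP connected after this session
            # began and shortly before it dropped.
            if started < other_start and when - other_start <= window:
                gap = int((when - other_start).total_seconds())
                findings.append((user, other, ip, gap))
    return findings

if __name__ == "__main__":
    for dropped, newcomer, ip, gap in find_evictions(EVENTS):
        print(f"{dropped} dropped {gap}s after {newcomer} connected from {ip}")
```

Sessions that end long after the other user connected, or that have no peer behind the same address, are not reported, so ordinary logouts do not show up as evictions.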

May 20, 2015 5:10 AM in response to Chad Aldrich

I was able to resolve this similar issue while keeping the VPN on the Mac Server; using Yosemite, Server 4.x and L2TP VPN.


Issue:

Many users can connect to the VPN server from different locations, but as soon as a second user from our remote office (on the same LAN) connects, whoever is already connected gets kicked out.


Solution:

I checked for Static IP addresses as this seems like a documented bug, they are now configured through the router (Airport Extreme) using MAC address, so the client network configuration is set to "Using DHCP".


What cleared it for us was simply to "send all traffic over VPN Connection" for each client on the LAN.

Though not really documented, I don't think this is a bug, rather it makes sense from a security point of view.
