VPN stops working. No ISAKMP packets sent.

Question

My VPN connection on a Win10 machine suddenly stopped working. However, the VPN on a virtual Win10 on the same machine continued to work. Ran thru standard fixes and finally used Wireshark to track packets. I could see complete session on the virtual machine but nothing on the host machine. Did a logman capture and found that Send ISAKMP packet was immediately followed by Packet Dropped - Error Code: IPsec dropped a clear text packet.

SFC fixed a few bad files. No change.
Reinstalled Win10 keeping programs and data. No change.
Problem affects all users on the host machine. Virtual machine unaffected.

The appears to be a problem with some installed program interfering with forming the ISAKMP packet but I have no clue how to proceed from here short of wiping and reinstalling a clean OS.

Answer 1

Hello @Jerry ,

Many thanks for that (nicely sanitized) data - it was just what I wanted; it is nice to collaborate with someone so competent. The data is also a big step forward in solving the problem.

When no L2TP VPN is active, there are normally no L2TP objects in the WFP state; they are added by RasMan when trying to connect the VPN. Here is a trace from my system that shows the objects that are added at that time:

If you view the image in its original size, you should see that it adds "IKE Exemption" filters and L2TP specific filters and provider context.

If you run a "strings" program (capable of showing UTF-16 strings) over %SystemRoot%\System32\rasmans.dll and %SystemRoot%\System32\mprddm.dll and search for L2TP, you will probably find:

L2TP Server Inbound and Outbound Filter
L2TP Server Outbound Filter
L2TP Server Inbound Filter
L2TP Server Filter1
L2TP Client Inbound and Outbound Filter
L2TP Client Specific Filter
L2TP No Encryption Quick Mode Policy
L2TP Optional Encryption Quick Mode Policy
L2TP Require Encryption Quick Mode Policy
L2TP Require Max Encryption Quick Mode Policy
L2TP Custom Encryption Quick Mode Policy
L2TP Main Mode Policy

What you probably won't find is the string "L2TP UDP ports" (I can't find that anywhere on my system), but there are 54 filters with that name in your WFP state (referring to ports 500, 4500 and 1701).

Where you probably will find the string is in the "Windows Defender Firewall with Advanced Security" MMC snap-in (in both the "Inbound Rules" and "Outbound Rules" lists).

Some person or component (almost certainly not from Microsoft) has added these rules/filters. Just disabling the rules should enable the built-in VPN to work.

If you can identify the source of the rule, you should be able to prevent the problem from reoccurring.

Gary

Answer 2

Hello @Jerry ,

If you want, you could try the following. Issue the command netsh trace start report=disabled provider=Microsoft-Windows-RRAS provider=Microsoft-Windows-WFP provider={106B464D-8043-46B1-8CB8-E92A0CD7A560} keywords=0x10 level=4 tracefile=why.etl to start a trace, try to connect to the VPN and then issue the command netsh trace stop to stop the trace.

The trace might contain more information than you are comfortable with sharing, but if you are prepared to share the data, make the why.etl file available here via a OneDrive, Google Drive, etc. link and I will take a look at it.

Gary

Answer 3

Hello @Jerry ,

The link works, but you should delete it now - buried deep within the trace is something that should not be shared.

A trace of L2TP/IPsec using the Windows VPN client starts with lots of events from AgileVPN/RRAS (the Microsoft client); here is a trace from my PC:

That is completely missing from your trace - are you using the Windows built-in VPN client? Your trace starts like this:

The few RRAS events just show that RRAS event tracing was enabled.

I need a bit of time to think about the problems shown by the trace data.

Gary

Answer 4

Hello @Jerry ,

It is late here already (22:50), so this is the last post of the day.

One way of creating such a trace is to save the following XML to a file (say wfp.wprp) and to issue the command wpr -start wfp.wprp!WFP -filemode to start the trace. wpr -stop why.etl stops the trace.

<?xml version="1.0" encoding="utf-8"?>  
<!-- wpr -start wfp.wprp!WFP -filemode -->  
<!-- wpr -stop ?.etl -->  
<WindowsPerformanceRecorder Version="1.0" Author="Gary">  
  <Profiles>  
    <SystemCollector Id="NTKL" Name="NT Kernel Logger">  
      <BufferSize Value="64" />  
      <Buffers Value="128" />  
    </SystemCollector>  
    <EventCollector Id="ETW" Name="ETW">  
      <BufferSize Value="64" />  
      <Buffers Value="128" />  
    </EventCollector>  
    <SystemProvider Id="Map">  
      <Keywords>  
	<Keyword Value="Loader" />   
      </Keywords>  
    </SystemProvider>  
    <EventProvider Id="WFP" Name="Microsoft-Windows-WFP" NonPagedMemory="true" Stack="true" />  
    <Profile Id="WFP.Verbose.File" Name="WFP" Description="WFP" DetailLevel="Verbose" LoggingMode="File">  
      <Collectors>  
        <SystemCollectorId Value="NTKL">  
          <SystemProviderId Value="Map" />  
        </SystemCollectorId>  
        <EventCollectorId Value="ETW">  
          <EventProviders>  
            <EventProviderId Value="WFP" />  
          </EventProviders>  
        </EventCollectorId>  
      </Collectors>  
    </Profile>  
  </Profiles>  
</WindowsPerformanceRecorder>  

Gary

Answer 5

Hello @Jerry ,

Thanks for that. As expected, the problem is detected in tcpip!IpSecTlPacketsOutProcessing (see stack trace below). I have spent several hours today, assuming that this was the problem, trying to reconstruct/reproduce it - without success so far (don't worry about the large symbol offsets in the stack trace - that is normal for code not on the main path after profiling driven optimization).

netio!BfeEventProviderFireNetEvent+0xcb
netio!FwpmEventProviderFireNetEvent0+0x9
tcpip!IPSecFireDiagEvent+0x105
tcpip!IpSecTlPacketsOutProcessing+0x7c196
tcpip!ProcessOutboundTransportLayerClassify+0xa43
tcpip!WfpProcessOutTransportStackIndication+0x7cb39
tcpip!IppInspectLocalDatagramsOut+0x87d
tcpip!IppSendDatagramsCommon+0x41b
tcpip!IpNlpSendDatagrams+0x40
tcpip!UdpSendMessagesOnPath+0x7ad
tcpip!UdpSendMessages+0x29c
tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
ntoskrnl!KeExpandKernelStackAndCalloutInternal+0x78
ntoskrnl!KeExpandKernelStackAndCalloutEx+0x1d
tcpip!UdpTlProviderSendMessages+0x7b
afd!AfdFastDatagramSend+0x658
afd!AfdFastIoDeviceControl+0x1825
ntoskrnl!IopXxxControlFile+0x382
ntoskrnl!NtDeviceIoControlFile+0x56
ntoskrnl!KiSystemServiceCopyEnd+0x28
ntdll!NtDeviceIoControlFile+0x14
mswsock!MSAFD_WSPSendMsg+0x402
ikeext!IkeSendPacketEx+0x3ea
ikeext!IkeSendPacket+0x7b
ikeext!IkeConstructAndSendMMResponse+0x25b
ikeext!IkeStartMMNegotiation+0x146
ikeext!IkeBeginMMInitiator+0x2bf
ikeext!IkeProcessAcquireDispatch+0x349
ikeext!IkeHandleAcquireDispatch+0xc

I will think about this some more - it would probably be helpful to future readers if we can bottom this out - but now, at 21:30 in Switzerland, I think that I am done for today.

Gary