Additional troubleshooting for Samba VPN Client

Introduction:

This is a summary of the common problems we have encountered so far with users who fail to connect to Samba and HUJI-NetX. Do not be alarmed by the length: these systems work very smoothly most of the time, and all the problems covered here are fairly rare. They occur even when the connections were set up according to our guides. Please let me know if anything is missing.


Problems with HUJI-NetX


  • Problem: Vista (SP1) can sometimes stop sending the authentication packets, even though it still prompts for credentials. Deleting and rebuilding the connection does not help.
  • Resolution: Modify the connection properties to use an authentication method other than PEAP (such as EAP-TTLS), save, try to authenticate, then revert to EAP-PEAP. I have a feeling that this problem was sorted out in SP2, but I did not find documentation of it.

Samba will not work in the following cases


  • Problem: On Windows with the "Routing and Remote Access" (RRAS) service active, Internet Connection Sharing (ICS) enabled, or a dial-in modem configured, AnyConnect displays a message box alerting that RRAS is active and refuses to connect.
    Resolution: Temporary solution: stop the RRAS service. Permanent solution: switch the service's startup type from automatic to manual, disable ICS, and, if dial-in services are active (very rare), remove them too.

  • Problem: AnyConnect refuses to work while the computer is being remote-controlled. There is no workaround; it is meant to be this way, since the remote operator would otherwise be using the tunnel as well.

  • Problem: AnyConnect refuses to work when several local users are logged in concurrently via "Fast User Switching". There is no workaround; it is meant to be this way, since the other logged-in users would otherwise share the tunnel.

  • Problem: While authenticating, Cisco AnyConnect performs an automatic update and then fails to connect. It does so every time it is started. Uninstalling and reinstalling does not help.
    Resolution: Uninstall "Embassy Trust Suite" by Wave Systems, found especially on Dell computers. Note: the same program also causes many problems in conjunction with McAfee VirusScan.

  • Problem: AnyConnect complains about certificate errors, and when attempting to connect it shows the error message "The VPN client is unable to establish a connection.".
    Cause: an SSL proxy that performs content inspection, problems with the local CA certificate store, or a man-in-the-middle on the SSL connection. All of these produce a certificate mismatch: the certificate chain the client receives does not end in the CA it expects.
    Resolution:
    1. Verify that the certificate of the CA that signs Samba's certificate (currently "Equifax Secure Certificate Authority") exists in the computer's certificate store and is valid. The SHA1 thumbprint of the Equifax CA certificate should be "d2 32 09 ad 23 d3 14 23 21 74 e4 0d 7f 9d 62 13 97 86 63 3a"; a root with the right name but a different thumbprint is not the real one.
    2. Make sure that no system-wide proxy is set up (on Windows it is defined in Internet Explorer's connection settings; on Macs in the "Network" control panel).
    3. In the rare case that a content-inspecting proxy must be used (usually in _very_ secure networks), the network's system administrator has to sort out the certificate mess. Sysadmins in such places will probably reject the whole idea of using a VPN to get out of their network.
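    Step 1 written out as a program, added here as an example; it is not part of the original page and not Cisco's code. It computes the SHA1 thumbprint the way the Windows certificate viewer and openssl do, then verifies a gateway certificate chain against a local store and additionally pins the root's thumbprint, which is the check that tells a genuine chain apart from one re-signed by an inspecting proxy whose CA was pushed into the store. The gateway name samba.example.invalid and the CA names are hypothetical, and all certificates are generated inside the program as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Thumbprint is SHA-1 over the DER bytes: Windows' "Thumbprint", openssl's -fingerprint -sha1.
func Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// NormalizeThumbprint accepts the spaced form on this page, openssl's colons and upper case.
func NormalizeThumbprint(s string) string {
	return strings.NewReplacer(" ", "", ":", "", "-", "").Replace(strings.ToLower(s))
}

// CheckGatewayChain is step 1 as code: the chain must verify against the local store AND
// end in the pinned root. An inspecting proxy fails one of the two: its CA is absent from
// the store (verification error) or was pushed into it (chain verifies, wrong root).
func CheckGatewayChain(leaf *x509.Certificate, store *x509.CertPool, host, pinned string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	if err != nil {
		return fmt.Errorf("chain does not verify against the local store: %w", err)
	}
	for _, chain := range chains {
		if Thumbprint(chain[len(chain)-1]) == NormalizeThumbprint(pinned) {
			return nil
		}
	}
	return errors.New("chain verifies but ends in an unexpected root: SSL-inspecting proxy?")
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues throw-away test certificates (constructed data, not HUJI's real ones):
// a self-signed CA when parent is nil, otherwise a server certificate for name signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer := parentKey
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // server certificate; Go matches the SAN, not the CN
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Scenario runs the check in the three situations listed on the page. The host name and
// CA names are hypothetical.
func Scenario() (genuine, proxyUntrusted, proxyTrusted error) {
	const host = "samba.example.invalid"
	realRoot, realKey := newCert("Constructed Real Root CA", nil, nil)
	proxyRoot, proxyKey := newCert("Constructed Inspecting Proxy CA", nil, nil)
	pinned := strings.ToUpper(Thumbprint(realRoot)) // as it would be copied from a page like this
	store := x509.NewCertPool()
	store.AddCert(realRoot)
	gatewayCert, _ := newCert(host, realRoot, realKey)
	genuine = CheckGatewayChain(gatewayCert, store, host, pinned)
	proxyCert, _ := newCert(host, proxyRoot, proxyKey) // the proxy re-signs the gateway's name
	proxyUntrusted = CheckGatewayChain(proxyCert, store, host, pinned)
	store.AddCert(proxyRoot) // the proxy's CA has been installed into the store
	proxyTrusted = CheckGatewayChain(proxyCert, store, host, pinned)
	return
}

func main() {
	genuine, untrusted, trusted := Scenario()
	fmt.Println("genuine gateway:          ", genuine)
	fmt.Println("proxy, CA not in store:   ", untrusted)
	fmt.Println("proxy, CA pushed to store:", trusted)
}
```

    To run the same check against a real gateway, fetch its chain with `openssl s_client -connect <gateway>:443 -showcerts`, parse the PEM blocks with x509.ParseCertificate, and pass the leaf together with the system store and the thumbprint from step 1. The first two situations are what the user sees as a plain certificate error; the third is the one that only the thumbprint comparison catches.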

  • Problem: Computers running Mac OS or Linux that connect to the Internet by PPTP or L2TP fail to connect to Samba. Authentication succeeds but no data passes over the VPN (the connection statistics show only 768 bytes received). AnyConnect disconnects either immediately or within two minutes. On Linux the Internet connection is dropped too.
    Cause: When AnyConnect establishes the VPN link it has to rearrange the routing table so that all traffic is routed through the tunnel. It fails to keep alive the route to the PPP peer (the ISP's dial-in address), so the packets that carry the PPTP/L2TP session are themselves sent into the tunnel and the underlying connection collapses.
    Resolution:
    1. If possible, switch to PPPoE to establish the Internet connection. This is easy in the dorms (or on public ports) and harder on ADSL, as it usually requires changes to the modem setup. HOT does not enable PPPoE.
    2. Linux users can manually exclude the PPP peer from the VPN. Macs can't yet, but it should be fixed in a few months. The instructions for the PPP exclusion appear in the AnyConnect release notes; the easiest solution is to tell the users to talk to me so I'll send them a ~/.anyconnect file with the exclusion.
    Notes:
    1. This will improve in future AnyConnect releases (the PPP peer will be auto-detected, as it already is on Windows systems).
    2. Computers connected via a router are not affected by this issue even if the router uses PPTP or L2TP to connect to the Internet, since the PPP session then lives on the router and the computer's own routing table never contains it.
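    The routing failure described above, modelled as an added example; this is not AnyConnect's code and not the format of the ~/.anyconnect exclusion file. A longest-prefix-match lookup over a constructed routing table shows why the PPP server's packets end up inside the tunnel once the default route points at it, and how a single host route derived from the pre-VPN table fixes it. The addresses are from the documentation ranges (203.0.113.1 stands in for the ISP's PPTP/L2TP server, 198.51.100.10 for the VPN gateway), and the interface names ppp0, eth0 and cscotun0 are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Route is one entry of the kernel routing table as `ip route show` prints it.
type Route struct {
	Dst *net.IPNet // 0.0.0.0/0 for "default"
	Via net.IP     // nil when directly connected
	Dev string
}

// ParseRoutes reads `ip route show` style lines (non-empty) into a table.
func ParseRoutes(lines []string) ([]Route, error) {
	var table []Route
	for _, ln := range lines {
		f := strings.Fields(ln)
		dst := strings.Replace(f[0], "default", "0.0.0.0/0", 1)
		if !strings.Contains(dst, "/") {
			dst += "/32" // a bare address is a host route
		}
		_, ipnet, err := net.ParseCIDR(dst)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", ln, err)
		}
		r := Route{Dst: ipnet}
		for i := 1; i+1 < len(f); i++ {
			switch f[i] {
			case "via":
				r.Via = net.ParseIP(f[i+1])
			case "dev":
				r.Dev = f[i+1]
			}
		}
		table = append(table, r)
	}
	return table, nil
}

// Lookup is longest-prefix match, the rule the kernel applies to every packet.
func Lookup(table []Route, dst net.IP) (best Route, ok bool) {
	bestLen := -1
	for _, r := range table {
		if ones, _ := r.Dst.Mask.Size(); r.Dst.Contains(dst) && ones > bestLen {
			best, bestLen, ok = r, ones, true
		}
	}
	return best, ok
}

// ExclusionRoute derives, from the table as it was before the VPN came up, the host route
// to the PPP server that must survive the VPN's takeover of the default route.
func ExclusionRoute(preVPN []Route, pppServer net.IP) (Route, error) {
	r, ok := Lookup(preVPN, pppServer)
	if !ok {
		return Route{}, fmt.Errorf("no route to PPP server %s", pppServer)
	}
	if strings.HasPrefix(r.Dev, "ppp") {
		return Route{}, fmt.Errorf("%s is reached through %s itself; that is not the physical-side server", pppServer, r.Dev)
	}
	host := &net.IPNet{IP: pppServer.To4(), Mask: net.CIDRMask(32, 32)}
	return Route{Dst: host, Via: r.Via, Dev: r.Dev}, nil
}

// Demo replays the failure on a constructed table (documentation ranges; 203.0.113.1 plays
// the ISP's PPTP/L2TP server, 198.51.100.10 the VPN gateway, cscotun0 the VPN interface).
func Demo() (broken, fixed, command string, err error) {
	pppServer := net.ParseIP("203.0.113.1")
	preVPN, err := ParseRoutes([]string{
		"default dev ppp0 scope link",
		"203.0.113.1 via 192.0.2.1 dev eth0", // installed by pppd/pptp when the link came up
		"192.0.2.0/24 dev eth0 scope link src 192.0.2.10",
	})
	// After the Linux client took over: default into the tunnel, gateway still via ppp0, PPP server route gone.
	postVPN, err2 := ParseRoutes([]string{
		"default dev cscotun0 scope link",
		"198.51.100.10 dev ppp0 scope link",
		"192.0.2.0/24 dev eth0 scope link src 192.0.2.10",
	})
	if err != nil || err2 != nil {
		return "", "", "", fmt.Errorf("bad sample table: %v / %v", err, err2)
	}
	r, _ := Lookup(postVPN, pppServer)
	broken = r.Dev // the PPTP/L2TP packets would be sent into the very tunnel they carry
	excl, err := ExclusionRoute(preVPN, pppServer)
	if err != nil {
		return
	}
	r, _ = Lookup(append(postVPN, excl), pppServer)
	command = fmt.Sprintf("ip route add %s via %s dev %s", excl.Dst, excl.Via, excl.Dev)
	return broken, r.Dev, command, nil
}

func main() {
	fmt.Println(Demo())
}
```

    The interesting output is the pair of lookups: with the post-VPN table the PPP server resolves to cscotun0, i.e. the carrier session would be routed into the tunnel it carries, which matches the "768 bytes received, then disconnect" symptom; with the /32 exclusion appended it resolves to eth0 again. The printed `ip route add` line is the manual Linux fix in its simplest form; the error branch in ExclusionRoute is for the case where the only route to the PPP server goes through ppp0 itself, which means the wrong address was chosen.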

  • Problem: Samba WebVPN (not AnyConnect) shows some sites incorrectly, with content missing or scripts not working properly.
    Resolution:
    1. We can ask Cisco for fixes for specific sites. We are still learning exactly how it is done. Notify Simon, Alex or me of the site.
    2. If the site is within HUJI, fix it, since it is probably written poorly (badly written scripts, or the site relies heavily on flashy stuff such as Flash).
    Note: the site repair is mainly intended for sites that hold academic data, e-journals and sites that are only accessible from the HUJI network. We already asked the librarians for a list of problematic sites. Note (2): we already know that Flash on www.huji.ac.il is not working and that ynet takes ages to load. Read the previous note again.


If you encounter any problems please contact vpn@savion.huji.ac.il

Last updated: 23/12/2012
