SRX Services Gateway
Visitor
jkatchmar
Posts: 2
Registered: 12-01-2009

SRX PPTP ALG issues

Greetings

After upgrading to an SRX220H, I'm running into issues with my Windows-based VPN that is in my trust network.

The VPN will establish but will only stay active for 5-35 minutes and will suddenly time out. After reviewing several posts, it appears the solution is to disable the PPTP ALG. I have attempted to do this, but am running into issues where the username and password verification will time out.

I have attached my cfg for your review.


Am I running into a bug or am I missing something?


Regards

//jk


Distinguished Expert
pk
Posts: 801
Registered: 10-09-2008

Re: SRX PPTP ALG issues

Hi

If no traffic hits the session for some time, it will be deleted due to timeout - this is normal. Try to find your VPN sessions in the "show security flow session" output and look at the "Timeout:" field. There will be 2 sessions, by the way: TCP on port 1723 and GRE (as PPTP = TCP + GRE).

If you see that the session is dropped when the timeout reaches zero, then you can increase it by editing the predefined junos-pptp application:

lab@jsrx> show configuration groups junos-defaults applications application junos-pptp
term t1 alg pptp protocol tcp destination-port 1723;

To do it, you will need to add the following to your config:
#set applications application junos-pptp inactivity-timeout [seconds, or "never"]

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
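Since the check above comes down to finding the two PPTP sessions and reading their Timeout field, here is an added Python example (not from this thread or from Juniper) that does that over constructed "show security flow session" output and flags sessions whose idle timer is about to expire. The session line layout, field names and the "gre" protocol label are assumptions based on typical SRX output.

```python
import re

# Constructed sample of "show security flow session" output (not captured from
# the poster's SRX220H); the layout is an assumption based on typical SRX output.
SAMPLE_OUTPUT = """\
Session ID: 40123, Policy name: trust-to-untrust/4, Timeout: 1798, Valid
  In: 192.168.10.25/51234 --> 203.0.113.7/1723;tcp, If: vlan.0, Pkts: 42, Bytes: 3900
  Out: 203.0.113.7/1723 --> 198.51.100.2/51234;tcp, If: ge-0/0/0.0, Pkts: 38, Bytes: 4100

Session ID: 40124, Policy name: trust-to-untrust/4, Timeout: 3, Valid
  In: 192.168.10.25/0 --> 203.0.113.7/0;gre, If: vlan.0, Pkts: 1204, Bytes: 98800
  Out: 203.0.113.7/0 --> 198.51.100.2/0;gre, If: ge-0/0/0.0, Pkts: 1190, Bytes: 97200

Session ID: 40125, Policy name: trust-to-untrust/2, Timeout: 1796, Valid
  In: 192.168.10.30/44000 --> 203.0.113.9/443;tcp, If: vlan.0, Pkts: 10, Bytes: 900
  Out: 203.0.113.9/443 --> 198.51.100.2/44000;tcp, If: ge-0/0/0.0, Pkts: 9, Bytes: 5000
Total sessions: 3
"""

HEADER_RE = re.compile(r"Session ID: (\d+),.*?Timeout: (\d+)")
FLOW_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+)")


def parse_sessions(text):
    """Split the CLI output into sessions, each with its Timeout and In/Out flows."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "timeout": int(m.group(2)), "flows": []}
            sessions.append(cur)
            continue
        f = FLOW_RE.match(line)
        if f and cur is not None:
            cur["flows"].append({"dir": f.group(1), "src": f.group(2), "sport": int(f.group(3)),
                                 "dst": f.group(4), "dport": int(f.group(5)),
                                 "proto": f.group(6).lower()})
    return sessions


def pptp_sessions(sessions):
    """Return (control, tunnel): the TCP/1723 session and the GRE session PPTP needs."""
    control = [s for s in sessions
               if any(f["proto"] == "tcp" and 1723 in (f["sport"], f["dport"]) for f in s["flows"])]
    # Some releases print the protocol number (47) instead of the name.
    tunnel = [s for s in sessions if any(f["proto"] in ("gre", "47") for f in s["flows"])]
    return control, tunnel


def expiring(sessions, threshold=60):
    """IDs of sessions whose Timeout counter is below threshold seconds (about to be deleted)."""
    return [s["id"] for s in sessions if s["timeout"] < threshold]
```

Seeing the GRE session's Timeout near zero while the TCP/1723 session is still healthy is the symptom that points at the junos-pptp inactivity-timeout rather than at the VPN peer.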
Visitor
jkatchmar
Posts: 2
Registered: 12-01-2009

Re: SRX PPTP ALG issues

Thanks PK!!!


I believe that the issue was resolved with the following NAT rule while keeping the ALG PPTP in place:


rule-set untrust-nat {
    from zone untrust;
    to zone trust;
    rule VPN {
        match {
            source-address 0.0.0.0/0;
            destination-address 192.168.10.0/24;
            destination-port 1723;
        }
        then {
            source-nat {
                off;
            }
        }
    }
}

The information that you have provided was very useful in verifying resolution.


Thanks

//jon
