PPTP VPN access server failed when using USG5100 as network gateway

Publication Date:  2014-03-27 Views:  428 Downloads:  0
Issue Description
The customer uses a USG5100 as the network gateway. When a PPTP VPN client behind it connects to a VPN server on the Internet, the client's connection requests appear in the server logs, but the connection never completes.

Network topology:
Alarm Information
None
Handling Process
Analyzed the diagnostic information and checked the following:
(1) Check network connectivity. The VPN client can ping the VPN server, but the VPN server cannot reach the firewall's public interface. Checking the firewall configuration shows that the public interface is unreachable because the default packet filter denies that traffic; this does not affect the PPTP VPN service. The configuration is as follows:

firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
//There isn't a "local untrust direction inbound" permit rule

(2) With connectivity confirmed normal, the next step is the PPTP configuration of the firewall. "detect pptp" is configured between the trust zone and the untrust zone. Furthermore, source NAT is configured on the public interface with the command "nat enable"; in this case "detect pptp" must also be configured under the public interface, but that command is absent from the current firewall configuration, as shown below:

firewall interzone trust untrust
detect ftp
detect pptp   //detect pptp was configured between zones
detect sip
detect sqlnet
Interface configuration:
interface GigabitEthernet0/0/0
ip address x.y.23.134 255.255.255.192
vrrp vrid 1 virtual-ip 139.0.23.130 master
nat enable
detect ftp    //detect pptp is not configured under the interface
Root Cause
Based on the issue information, the likely causes are as follows:
(1) The network is unreachable, or reachable in one direction only;
(2) The firewall drops packets because the PPTP configuration is incorrect.
Suggestions
Because source NAT is configured under the interface, the command "detect pptp" must be configured under the interface; in this case the "detect pptp" configured between zones does not take effect.

Suggestion:

When "nat enable" is configured under an interface, PPTP VPN also requires "detect pptp" to be configured under that interface.
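As an added check that is not part of the original article, the following Python script audits a USG configuration for exactly this mismatch: interfaces that have "nat enable" but no "detect pptp" of their own. It assumes the configuration is in the section-per-"#" layout of display current-configuration output, and the sample text is constructed with placeholder 192.0.2.x addresses.

```python
from typing import Dict, List

# Constructed USG5100-style config modelled on the article's snippet
# (placeholder 192.0.2.x addresses, not the customer's real ones).
SAMPLE_CONFIG = """\
firewall interzone trust untrust
 detect ftp
 detect pptp
 detect sip
#
interface GigabitEthernet0/0/0
 ip address 192.0.2.134 255.255.255.192
 nat enable
 detect ftp
#
interface GigabitEthernet0/0/1
 ip address 192.0.2.2 255.255.255.0
 nat enable
 detect ftp
 detect pptp
#
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the lines belonging to each 'interface <name>' section."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif line == "#" or not line:
            current = None  # '#' closes a section in VRP-style configs (assumed layout)
        elif current is not None:
            sections[current].append(line)
    return sections

def nat_interfaces_missing_pptp_alg(config: str) -> List[str]:
    """Interfaces with 'nat enable' but no 'detect pptp' of their own."""
    # With source NAT on the interface, the interzone 'detect pptp' does not
    # take effect, so the PPTP session is not tracked and the tunnel fails.
    return [name for name, lines in parse_interfaces(config).items()
            if "nat enable" in lines and "detect pptp" not in lines]

if __name__ == "__main__":
    for name in nat_interfaces_missing_pptp_alg(SAMPLE_CONFIG):
        print(f"{name}: 'nat enable' without 'detect pptp'; add it under the interface")
```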

END