No SYN+ACK response in the VPN tunnel

There are two Windows 10 PCs.

Both PCs are connected to the VPN even while being connected to the physical LAN.

I'm trying to have an RDP connection between PC-A and PC-B in each direction while the VPN connection is established.

However, RDP is allowed in only one direction.

PC-A >>> PC-B is OK

PC-A <<< PC-B isn't OK

I captured packets on each PC and in each direction on the VPN interface.

The capture at PC-B in the succeeded case shows Client Hello after TCP's SYN and SYN+ACK.

However, the capture at PC-A in the failure case doesn't show Client Hello and doesn't even respond with SYN+ACK.

So TCP Retransmission is sent three times from PC-B.

Does anyone know why PC-A doesn't respond with SYN+ACK?

PC-A can respond with SYN+ACK when they are disconnected from the VPN; the physical LAN alternatively works.

It doesn't seem to be caused by the VPN itself. I can have one direction of RDP even when the VPN is established.

Multifarious answered 2/7, 2020 at 8:42 Comment(5)
Do the clients in the VPN have the same IP addresses as outside? Is there a test scenario in which only a connection via the VPN is possible? - Monroe
Yes, I've checked the IP address. Also, I tried another PC-C. Then PC-C <<< PC-B via VPN is OK. - Multifarious
PC-A <<< PC-C via LAN is OK. They are in the same LAN segment. Only PC-B is in a different LAN address. - Multifarious
I mean PC-A and PC-B are in a different LAN segment, even though they are physically connected. However, PC-B and PC-C can make an RDP connection via VPN though they are in a different LAN. - Multifarious
No info about firewall or anti-virus on both PCs. Both PCs must be in the same LAN networks, no info about IP addresses or network devices. Magic? - Matheson

Include the public peer IP in the ACLs. Due to the NATting, the return leg of the handshake was being sent using the public peer IP; hence after adding the public peer IP to the ACLs it should work.

Desouza answered 11/7, 2020 at 9:8 Comment(2)
I've commented that the firewall is disabled on PC-A. Your answer seems to suit my case. - Multifarious
Although this answer is not complete, I believe it should lead you to find the cause of the problem, which has nothing to do with the firewall; it has to do with NAT. On one end you're OK, but on the other end NAT is translating your private IP address to the public IP address and that's probably your problem, but you do not state in your question the type of VPN and the infrastructure used to set it up. - Syblesybley
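The following is an added example, not code from anyone in this thread. It is a toy model of the failure pattern the question and this answer describe: PC-B sends a SYN to PC-A over the VPN, PC-A replies with SYN+ACK, but the return leg is source-NATed to PC-A's public peer IP; if the VPN ACL only permits PC-A's private address, the SYN+ACK is dropped and PC-B retransmits its SYN. All addresses, the `Segment` type and the helper functions are constructed for illustration; the second function shows how to read the same symptom out of a capture.

```python
# Added example: NAT on the return leg of a TCP handshake versus a source-IP ACL.
# Nothing here is the thread's own code; addresses are constructed placeholders.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str  # "SYN", "SYN+ACK" or "ACK"


# Constructed addresses; the public one is from the RFC 5737 documentation range.
PC_B_PRIVATE = "10.0.2.20"
PC_A_PRIVATE = "10.0.1.10"
PC_A_PUBLIC = "198.51.100.10"


def source_nat(seg: Segment, private_ip: str, public_ip: str) -> Segment:
    """Rewrite the source address the way a NAT on the return path would."""
    if seg.src == private_ip:
        return Segment(public_ip, seg.dst, seg.flags)
    return seg


def acl_permits(acl: Set[str], seg: Segment) -> bool:
    """Minimal ACL: a segment passes only if its source address is listed."""
    return seg.src in acl


def attempt_handshake(acl: Set[str], nat_on_return: bool,
                      max_syn_attempts: int = 4) -> Tuple[bool, List[Segment]]:
    """Simulate PC-B connecting to PC-A through the VPN.

    Returns (established, capture), where capture is what PC-B's VPN
    interface would record. A SYN+ACK filtered by the ACL never reaches
    PC-B, so PC-B keeps retransmitting its SYN until it gives up.
    """
    capture: List[Segment] = []
    for _ in range(max_syn_attempts):
        capture.append(Segment(PC_B_PRIVATE, PC_A_PRIVATE, "SYN"))
        reply = Segment(PC_A_PRIVATE, PC_B_PRIVATE, "SYN+ACK")
        if nat_on_return:
            reply = source_nat(reply, PC_A_PRIVATE, PC_A_PUBLIC)
        if not acl_permits(acl, reply):
            continue  # dropped in transit: PC-B sees nothing and retransmits
        capture.append(reply)
        capture.append(Segment(PC_B_PRIVATE, PC_A_PRIVATE, "ACK"))
        return True, capture
    return False, capture


def syn_retransmissions(capture: List[Segment], client_ip: str) -> int:
    """Count client SYNs sent before any SYN+ACK arrived, minus the first.

    This is the diagnostic the asker effectively ran by hand: repeated SYNs
    with no SYN+ACK in between mean the reply is lost or filtered somewhere.
    """
    syns = 0
    for seg in capture:
        if seg.flags == "SYN+ACK" and seg.dst == client_ip:
            break
        if seg.flags == "SYN" and seg.src == client_ip:
            syns += 1
    return max(0, syns - 1)


if __name__ == "__main__":
    # Weak ACL: only PC-A's private address is permitted, NAT rewrites the reply.
    ok, cap = attempt_handshake({PC_A_PRIVATE}, nat_on_return=True)
    print("private-only ACL:", ok, "retransmissions:",
          syn_retransmissions(cap, PC_B_PRIVATE))
    # Corrected ACL per the answer above: public peer IP added.
    ok, cap = attempt_handshake({PC_A_PRIVATE, PC_A_PUBLIC}, nat_on_return=True)
    print("ACL with public peer IP:", ok, "retransmissions:",
          syn_retransmissions(cap, PC_B_PRIVATE))
```

Run as-is, the first case never establishes and shows three SYN retransmissions (the asker's symptom), while adding the public peer IP to the ACL lets the SYN+ACK through on the first attempt. The same model also explains why the opposite direction can work: NAT is only applied on one leg, so only one side's replies are rewritten.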

I guess the PC-A firewall is blocking the incoming connections.

Have you checked the rules?

Piacular answered 10/7, 2020 at 19:49 Comment(1)
Firewall is disabled. It accepts all types of packets. - Multifarious
