
Softether Limitation

Posted: Mon Mar 23, 2020 4:01 pm
by claudelu
Hi there!
I have a Client - Server SE VPN environment (version provided in the attachment) which has been running for some years now.

Until now I didn't need too many VPN Client connections. Lately we have the following problem:

We are constantly using 10+ SE VPN Client connections.
The problem starts from the 11th connection.
Repro Steps:
- the 11th (or more) connection is incoming;
- connection is established successfully on both SE Client and Server;
- Network Settings (DHCP) are called but not received;
- if the same user starts the connection on the first 10 -> everything is OK;

Can someone please tell me if there is an SE limitation (to 10 concurrent connections)?
Or point me to what I need to change if there is an option active somewhere?

Regards!

Re: Softether Limitation

Posted: Mon Mar 23, 2020 6:56 pm
by centeredki69
It sounds like the DHCP server is out of IP address leases to allocate.
If using "SecureNAT/Virtual DHCP", verify the amount allowed under "SecureNAT settings". If using "local bridge", verify the local DHCP server limit.

Re: Softether Limitation

Posted: Tue Mar 24, 2020 7:43 am
by claudelu
Hi centeredki69,

thank you for your answer.

We are using "local bridge" in combination with the Windows Server DHCP Role.
I must say that your suggestion was also my first thought but I am not 100% sure.

I looked at the "Adressleases" when the problem occurred and not all IP addresses from the DHCP address pool were occupied.
Furthermore at that time I have also checked with Wireshark the SE Virtual Adapter on a problem PC: connection to SE VPN Server established; the traffic on the SE Virtual Adapter showed that the Adapter sent and received the correct Network Information like "Who is IP" but in the end it received none. I have looked in the Event Viewer on local PC and DHCP Server for Errors and found none.
I will check again, when the problem occurs and get back to you (Info or screenshots).

But until then is there another place where I can still search for this "limitation"?

Best regards!

Re: Softether Limitation

Posted: Tue Mar 24, 2020 9:53 am
by claudelu
Hi there!

I have some extra info: we do not limit the VPN Sessions on the SE VPN Server.
Regards!

Re: Softether Limitation

Posted: Tue Mar 24, 2020 10:46 am
by claudelu
Hi again!

The problem is happening as I type and it does not reside in the DHCP Role:
I can connect without problems with local PCs but on the SE VPN Server the 10 connections are there and the SE Clients (connection no. 11, 12 and so on) don't receive their IPs.

Regards!

Re: Softether Limitation

Posted: Tue Mar 24, 2020 5:05 pm
by mad_gulls
Try stable RTM versions of the server and clients. Collect Wireshark dumps on the client side and the DHCP side and figure out if there is a problem. Try to redeploy the server; it is easy to do by rehosting the configuration via the config file.

Re: Softether Limitation

Posted: Wed Mar 25, 2020 8:50 am
by claudelu
Hi mad_gulls!

Thank you for your answer.
I have checked the Version and it seems I use the latest RTM Version (SoftEther VPN 4.25 Build 9656 RTM (January 15, 2018)).

I will go ahead and reinstall/replace the SE VPN Server and all SE Clients with the latest BETA Version (SoftEther VPN 4.34 Build 9744 Beta (March 21, 2020)) and I hope the problem will disappear.

Best regards!

Re: Softether Limitation

Posted: Wed Mar 25, 2020 12:28 pm
by claudelu
Hi there!

I have reinstalled the VPN Server and Clients like I wrote and that didn't help. The problem is still there.

Can this be related to the fact that we are using both Split and Full Mode on the clients' adapters?

Regards!

Re: Softether Limitation

Posted: Wed Mar 25, 2020 9:17 pm
by mad_gulls
What is Split and Full Mode? Can you attach a screenshot with the settings?

Re: Softether Limitation

Posted: Thu Mar 26, 2020 7:35 am
by claudelu
Hi mad_gulls,

Split or Full is how you want the Client traffic to be routed: partially over the VPN Server (split) or completely (full).

I am a bit confused about which config you mean. I have posted the VPN Client config as an attachment.
This config is the same on all VPN Clients and, I repeat, it works without problems as long as there are max. 10 Clients connected.
When the 11th comes, it gets successfully connected with its Windows Domain Credentials but receives no IP.

Regards!

Re: Softether Limitation

Posted: Thu Mar 26, 2020 8:56 am
by mad_gulls
Hmm, I would check whether it is only a DHCP issue. Have you tried assigning static IP addresses to the 10th and 11th VPN connections? What do the VPN server logs and the DHCP server logs show?

Re: Softether Limitation

Posted: Fri Mar 27, 2020 8:51 am
by claudelu
Hi mad_gulls!

As requested I have attached the logs in two parts - I have hidden the sensitive info - this is part 1.
As far as I understand, everything looks OK and I see no error.

That is why I don't understand why the first 10 VPN Clients receive their IPs from the DHCP Server and the others do not.

Re: Softether Limitation

Posted: Fri Mar 27, 2020 8:52 am
by claudelu
Hi mad_gulls!
Here is part 2.

Regards!

Re: Softether Limitation

Posted: Fri Mar 27, 2020 9:54 am
by claudelu
Hi there again!

Here I post my Windows DHCP Infos:
- Addresspool: 100
- Leasetime: it was set to 4 h -> now I have changed it to 30 Min.
- Failover: Hot Standby, see attachment

Regards!

Re: Softether Limitation

Posted: Fri Mar 27, 2020 10:11 am
by claudelu
Hi !
and here is the DHCP Log.
Best regards!

Re: Softether Limitation

Posted: Fri Mar 27, 2020 10:18 am
by claudelu
Hi again!

And here is what the Log on the other DHCP Server looks like.

Regards!

Re: Softether Limitation

Posted: Fri Mar 27, 2020 11:00 am
by claudelu
Hi there again!

I must add some explanations. I have hidden the sensitive information, but I can confirm that the Remote PC Name (with VPN Client) is not logged in the DHCP Log File.
So that means that the Remote PC is not receiving an IP, but in Wireshark I see the Ping/Pong traffic "Who has IP?" and again the authentication on AD works fine. Furthermore the AD and DHCP are both on the same Servers: DC1 <-> DC2

Regards!

Re: Softether Limitation

Posted: Mon Mar 30, 2020 7:47 am
by claudelu
Hi everyone,

can someone at least please confirm that he/she has an SE VPN Server that truly runs with more than 10 concurrent connections?
Because my problem sounds like a DHCP problem but then again: why does the DHCP Server work for any other LAN component and the first 10 VPN connections?

Re: Softether Limitation

Posted: Mon Mar 30, 2020 10:51 pm
by centeredki69
This DHCP server is on a router, not a Windows server.
11 connections.jpg
Do you have a dedicated physical NIC with all protocols removed for the "Local Bridge"? Not sure if that would cause your issue. See links:
https://www.softether.org/4-docs/1-manu ... rk_adapter
https://www.softether.org/4-docs/1-manu ... rk_Adapter

Re: Softether Limitation

Posted: Tue Mar 31, 2020 9:56 am
by claudelu
Hi centeredki69,

thank you for your answer.
I would gladly try the "Local Bridge" suggestion from the manual 3.6.3 but I don't quite understand it.
On my SE VPN Server I have 2 network cards (the second is currently disabled) and I know/can (how to) bridge them.

The problem is I don't know to which network card I should connect my network cable afterwards. Or better yet: as the manual describes, I should put the internet cable directly in the first network card and the cable for the LAN in the second.

But my SE VPN server runs behind a firewall and it is inside the LAN. So if I have understood the manual right I cannot use this option in my environment. Please correct me if I am wrong and please advise further.

I am open to other suggestions, which could work better for me (I am the admin of the whole environment).

(I have attached the current config of my environment as explanation.)

Regards!

Re: Softether Limitation

Posted: Tue Mar 31, 2020 10:38 am
by centeredki69
Claudelu,
On the "Network 2" NIC 2 remove all checks from all protocols but enable the "softether lightweight network protocol" and then enable the NIC. Plug "Network 2" NIC 2 into the same "Main Switch" (Based on your diagram). "NIC 1" & "NIC 2" connect to the same switch & same local network. In the SE server manager you now need to create a new "local Bridge" between your Virtual HUB and "NIC2" and DELETE the old "local bridge". My understanding is that "NIC 1" connects the server to the local network on layer 3 (TCP/IP) like any normal computer. "NIC 2" connects to the SAME local network at a Layer 2 level. A single NIC will work but can become overloaded with multiple connections. An extra dedicated "local Bridge" NIC is preferred. NOTE: I'm still not sure this will fix your DHCP issue.
NIC no protocols.jpg
NIC 2 connection.jpg

Re: Softether Limitation

Posted: Wed Apr 01, 2020 7:16 am
by claudelu
Hi centeredki69!
I wanted to thank you for your answer and the explanations.
I have changed the config as described, restarted everything and re-tested.

Unfortunately it didn't solve the problem. The same scenario is happening again: the first 10 SE VPN clients are connecting, authenticating and are receiving their IPs without problems. All other SE VPN Clients are authenticating but not receiving an IP. I have restarted the DHCP service several times; it says that there are 67% free IPs in the pool. In the LAN every new DHCP client is receiving a new IP from the pool without problem.

I am clueless here. :(

Regards!

Re: Softether Limitation

Posted: Wed Apr 01, 2020 11:12 am
by centeredki69
Just for testing!! This is not a long-term solution for your network needs but a troubleshooting step to verify that it is DHCP related.
1) Delete the new "local bridge" you recently created.
2) Enable the "SecureNAT" option on the Virtual HUB your 10+ users connect to. This creates a "virtual router" behind the main router. "SecureNAT" should receive 1 IP address from your Windows Server DHCP. "SecureNAT" will also issue its own range of IP addresses to the VPN clients (default is 192.168.30.0/24).
3) Have 11+ VPN clients connect and see if they now receive an IP address.
IMPORTANT: make sure you do step 1 first or you will have 2 DHCP servers on your network at the same time. All cables should be left plugged in. After you see the results of the test, disable "SecureNAT" and recreate the "local bridge" using NIC2 with no protocols (returning the SE server to the previous configuration).

Re: Softether Limitation

Posted: Wed Apr 01, 2020 12:34 pm
by ivica.glavocic
I can confirm that SoftEther VPN on a Linux virtual server (2 vCPU, 4 GB RAM) with two interfaces, bridged setup, can handle 25 simultaneous connections.

However, there is a problem - when there are more than 22 connections, new clients cannot access some resources on the network, as described in this thread on this forum: https://www.vpnusers.com/viewtopic.php?f=7&t=65356
For example, the 25th PC connects, gets an IP from the DHCP server, can access the entire network except one server which is accessible to everyone else.

Still waiting for an answer and solution in that thread.

Re: Softether Limitation

Posted: Wed Apr 01, 2020 1:19 pm
by claudelu
Hi centeredki69,

I will try to test your scenario, but I must plan this internally... I will get back.

Re: Softether Limitation

Posted: Wed Apr 01, 2020 2:19 pm
by claudelu
Hi ivica.glavocic!

Thank you for your confirmation. This points even further to a DHCP problem - or (possible ??) firewall limitation?

In the main firewall I have a Port Forwarding (Incoming) rule set up to point to my SE VPN Server --> this means that the traffic between my SE VPN Server and Clients is no longer restricted, right?

And on a Windows DHCP Service there are not too many options to check (please see screenshot). In the DHCP Log the first 10 VPN Clients are all logged, but the others (11th, 12th, etc.) are not logged.
Regards!
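
Added example, not part of the original posts: a Python cross-check of the observation above (the first 10 VPN clients appear in the Windows DHCP log, later ones do not). It assumes the comma-separated Windows DHCP audit log layout with event IDs 10/11 (lease assigned/renewed), 14 (pool exhausted) and 15 (lease denied); the log lines, MAC addresses and the function name `audit_vpn_leases` are constructed for illustration.

```python
import csv
import io

# Constructed sample in the Windows DHCP audit log layout (not from the thread).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,03/27/20,00:00:01,Started,,,,
10,03/27/20,08:01:10,Assign,192.168.10.51,VPN-PC01,0200000000A1,
11,03/27/20,08:31:10,Renew,192.168.10.51,VPN-PC01,0200000000A1,
10,03/27/20,08:05:42,Assign,192.168.10.52,VPN-PC02,0200000000A2,
15,03/27/20,08:07:03,NACK,192.168.10.90,VPN-PC03,0200000000A3,
"""

# Constructed MACs of connected VPN adapters, as an admin would copy them
# from the VPN server's session/MAC table (separator style may vary).
VPN_MACS = ["02-00-00-00-00-A1", "02:00:00:00:00:a2",
            "02-00-00-00-00-A3", "02-00-00-00-00-AB"]

LEASE_GRANTED = {"10", "11"}  # new lease, renewal
POOL_EXHAUSTED = "14"
LEASE_DENIED = "15"


def norm_mac(mac):
    """Reduce any MAC notation to 12 upper-case hex characters."""
    return "".join(c for c in mac if c.isalnum()).upper()


def audit_vpn_leases(log_text, vpn_macs):
    """Classify each connected VPN MAC by what the DHCP log says about it."""
    leased, denied, exhausted = {}, set(), 0
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue  # legend and column-header lines
        event, ip, mac = row[0].strip(), row[4].strip(), norm_mac(row[6])
        if event in LEASE_GRANTED:
            leased[mac] = ip
        elif event == LEASE_DENIED:
            denied.add(mac)
        elif event == POOL_EXHAUSTED:
            exhausted += 1
    wanted = [norm_mac(m) for m in vpn_macs]
    return {
        "leased": {m: leased[m] for m in wanted if m in leased},
        "denied": [m for m in wanted if m in denied and m not in leased],
        "never_seen": [m for m in wanted if m not in leased and m not in denied],
        "pool_exhausted_events": exhausted,
    }


if __name__ == "__main__":
    print(audit_vpn_leases(SAMPLE_LOG, VPN_MACS))
```

A MAC in `never_seen` with zero pool-exhausted events is consistent with its DHCP request never reaching the DHCP service (bridge or switch path), whereas an exhausted scope would show up as event 14.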

Re: Softether Limitation

Posted: Fri Apr 03, 2020 8:09 am
by claudelu
Hi centeredki69!

I haven't received the OK to test your suggestion. Thank you though for the help and suggestion.
Regards!

Re: Softether Limitation

Posted: Fri Apr 03, 2020 5:47 pm
by centeredki69
Please note: with the troubleshooting configuration mentioned, your existing Local LAN Network (Windows server Role) will continue to function as normal and not be affected, only the VPN clients. The SecureNAT creates a "virtual router" behind / inside the Local LAN Network. The VPN clients tunnel to the "SecureNAT network" where they can all communicate in a separate subnet, and their traffic flows out via the "SecureNAT" gateway to the next upstream network, which would be your Local LAN Network (Windows server Role). It's kinda like plugging all your 10+ clients into a "SOHO NAT router" and then connecting the WAN port to your Local LAN Network. "SecureNAT" was designed to be used when the "local bridge" option is not possible. We are using it now because it gives the VPN clients a different DHCP server to test while isolating them from the main Local LAN Network. No rush. I'm just giving a little more info based on my observation of how "SecureNAT" functions.