VPN на Debian ограничение сессий

Автор T1000, 23 октября 2014, 15:32:56

« назад - далее »

0 Пользователи и 1 гость просматривают эту тему.

T1000

Здравствуйте!
Столкнулся с такой проблемой - есть сервер в облаке под управлением ОС Debian 7.7 с одним физическим интерфейсом,
на нем поднят VPN-сервер pptp и с помощью iptables настроены правила пересылки пакетов.
Клиенты коннектятся из-под Window, iOS и Android, на которых настроены pptp-интерфейсы с шифрованием.
Более 10-13 сессий сервер не держит, клиентам возвращается ошибка 807.
В чем может быть причина, подскажите пожалуйста?
Нет судьбы кроме той, что мы сами творим.

endru


T1000

В логах следующее:
/var/log/syslog
Открыть содержимое (спойлер)

Oct 24 11:47:29 SATCLOUD pptpd[3294]: CTRL: Sending ECHO REQ id 1
Oct 24 11:47:29 SATCLOUD pptpd[3294]: CTRL: Made a ECHO REQ packet
Oct 24 11:47:29 SATCLOUD pptpd[3294]: CTRL: Couldn't write packet to client.
Oct 24 11:47:29 SATCLOUD pptpd[3294]: CTRL: Error sending GRE, aborting call
Oct 24 11:47:29 SATCLOUD pptpd[3294]: CTRL: Reaping child PPP[0]
Oct 24 11:47:29 SATCLOUD pptpd[3294]: CTRL: Client 78.46.198.165 control connection finished
Oct 24 11:47:29 SATCLOUD pptpd[3294]: CTRL: Exiting now
[свернуть]
/var/log/pptpd.log - пусто
/var/log/messages - пусто

При попытке подключения с Windows возвращается ошибка 807.
Нет судьбы кроме той, что мы сами творим.

endru

Цитата: T1000 от 24 октября 2014, 12:00:19Error sending GRE, aborting call
что GRE пакет не может отправить не насторажило?

T1000

Цитата: Endru от 24 октября 2014, 12:37:36что GRE пакет не может отправить не насторожило?

Да, пытаюсь разобраться, но не могу найти информации. Подскажите пожалуйста, в какую сторону копать?
Нет судьбы кроме той, что мы сами творим.

endru

копать можно в разные стороны. а начинать нужно с конфигов. показывайте


T1000

Благодарю за помощь!!!
/etc/pptp.conf
Открыть содержимое (спойлер)

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
#       Turns on (more) debugging to syslog
#
debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
# bcrelay eth0

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# listen 78.46.198.165
connection 495
# (Recommended)

# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
#localip 172.10.12.1
#remoteip 172.10.8.0-254,

localip 172.10.12.1
remoteip 172.10.8.0-254
remoteip 172.10.9.0-254,
remoteip 172.10.10.0-254,
remoteip 172.10.11.0-254,
remoteip 172.10.12.2-254,
remoteip 172.10.13.0-254,
remoteip 172.10.14.0-254,
remoteip 172.10.15.0-254
[свернуть]
/etc/ppp/options
Открыть содержимое (спойлер)

# Originally created by Jim Knoble <jmknoble@mercury.interpath.net>
# Modified for Debian by alvar Bray <alvar@meiko.co.uk>
# Modified for PPP Server setup by Christoph Lameter <clameter@debian.org>
#
# To quickly see what options are active in this file, use this command:
#   egrep -v '#|^ *$' /etc/ppp/options

# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
# ms-dns 192.168.1.1
# ms-dns 192.168.1.2

# Specify which WINS Servers the incoming connection Win95 or WinNT should use
# ms-wins 192.168.1.50
# ms-wins 192.168.1.51

# Run the executable or shell command specified after pppd has
# terminated the link.  This script could, for example, issue commands
# to the modem to cause it to hang up if hardware modem control signals
# were not available.
# disconnect "chat -- \d+++\d\c OK ath0 OK"

# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it.  0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
asyncmap 0

# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting. It is expected to be standard in
# future releases of pppd. Use the call option (see manpage) to disable
# authentication for specific peers.
auth

# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts

# Use software flow control (i.e. XON/XOFF) to control the flow of data
# on the serial port.
# xonxoff

# Specifies that certain characters should be escaped on transmission
# (regardless of whether the peer requests them to be escaped with its
# async control character map).  The characters to be escaped are
# specified as a list of hex numbers separated by commas.  Note that
# almost any character can be specified for the escape option, unlike
# the asyncmap option which only allows control characters to be
# specified.  The characters which may not be escaped are those with hex
# values 0x20 - 0x3f or 0x5e.
# escape 11,13,ff

# Don't use the modem control lines.
# local

# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock

# Don't show the passwords when logging the contents of PAP packets.
# This is the default.
hide-password

# When logging the contents of PAP packets, this option causes pppd to
# show the password string in the log message.
# show-password

# Use the modem control lines.  On Ultrix, this option implies hardware
# flow control, as for the crtscts option.  (This option is not fully
# implemented.)
modem

# Set the MRU [Maximum Receive Unit] value to <n> for negotiation.  pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128.  The default MRU value is 1500.  A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data).
# mru 1474

# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
# netmask 255.255.255.0

# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
# noipdefault

# Enables the "passive" option in the LCP.  With this option, pppd will
# attempt to initiate a connection; if no reply is received from the
# peer, pppd will then just wait passively for a valid LCP packet from
# the peer (instead of exiting, as it does without this option).
# passive

# With this option, pppd will not transmit LCP packets to initiate a
# connection until a valid LCP packet is received from the peer (as for
# the "passive" option with old versions of pppd).
# silent

# Don't request or allow negotiation of any options for LCP and IPCP
# (use default values).
# -all

# Disable Address/Control compression negotiation (use default, i.e.
# address/control field disabled).
# -ac

# Disable asyncmap negotiation (use the default asyncmap, i.e. escape
# all control characters).
# -am

# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
# -detach

# Disable IP address negotiation (with this option, the remote IP
# address must be specified with an option on the command line or in
# an options file).
# -ip

# Disable IPCP negotiation and IP communication. This option should
# only be required if the peer is buggy and gets confused by requests
# from pppd for IPCP negotiation.
# noip

# Disable magic number negotiation.  With this option, pppd cannot
# detect a looped-back line.
# -mn

# Disable MRU [Maximum Receive Unit] negotiation (use default, i.e.
# 1500).
# -mru

# Disable protocol field compression negotiation (use default, i.e.
# protocol field compression disabled).
# -pc

# Require the peer to authenticate itself using PAP.
# +pap

# Don't agree to authenticate using PAP.
# -pap

# Require the peer to authenticate itself using CHAP [Cryptographic
# Handshake Authentication Protocol] authentication.
# +chap

# Don't agree to authenticate using CHAP.
# -chap

# Disable negotiation of Van Jacobson style IP header compression (use
# default, i.e. no compression).
# -vj

# Increase debugging level (same as -d).  If this option is given, pppd
# will log the contents of all control packets sent or received in a
# readable form.  The packets are logged through syslog with facility
# daemon and level debug. This information can be directed to a file by
# setting up /etc/syslog.conf appropriately (see syslog.conf(5)).  (If
# pppd is compiled with extra debugging enabled, it will log messages
# using facility local2 instead of daemon).
# debug

# Append the domain name <d> to the local host name for authentication
# purposes.  For example, if gethostname() returns the name porsche,
# but the fully qualified domain name is porsche.Quotron.COM, you would
# use the domain option to set the domain name to Quotron.COM.
# domain <d>

# Enable debugging code in the kernel-level PPP driver.  The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
# kdebug n

# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface.
# mtu 1474

# Set the name of the local system for authentication purposes to <n>.
# This is a privileged option. With this option, pppd will use lines in the
# secrets files which have <n> as the second field when looking for a
# secret to use in authenticating the peer. In addition, unless overridden
# with the user option, <n> will be used as the name to send to the peer
# when authenticating the local system to the peer. (Note that pppd does
# not append the domain name to <n>.)
# name <n>

# Enforce the use of the hostname as the name of the local system for
# authentication purposes (overrides the name option).
# usehostname

# Set the assumed name of the remote system for authentication purposes
# to <n>.
# remotename <n>

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
# proxyarp

# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dialin from users using a script under Linux to fire up ppp wont work.
# login

# If this option is given, pppd will send an LCP echo-request frame to the
# peer every n seconds. Normally the peer should respond to the echo-request
# by sending an echo-reply. This option can be used with the
# lcp-echo-failure option to detect that the peer is no longer connected.
lcp-echo-interval 60

# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection.  Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
lcp-echo-failure 4

# Set the LCP restart interval (retransmission timeout) to <n> seconds
# (default 3).
# lcp-restart <n>

# Set the maximum number of LCP terminate-request transmissions to <n>
# (default 3).
# lcp-max-terminate <n>

# Set the maximum number of LCP configure-request transmissions to <n>
# (default 10).
# lcp-max-configure <n>

# Set the maximum number of LCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
# lcp-max-failure <n>

# Set the IPCP restart interval (retransmission timeout) to <n>
# seconds (default 3).
# ipcp-restart <n>

# Set the maximum number of IPCP terminate-request transmissions to <n>
# (default 3).
# ipcp-max-terminate <n>

# Set the maximum number of IPCP configure-request transmissions to <n>
# (default 10).
# ipcp-max-configure <n>

# Set the maximum number of IPCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
# ipcp-max-failure <n>

# Set the PAP restart interval (retransmission timeout) to <n> seconds
# (default 3).
# pap-restart <n>

# Set the maximum number of PAP authenticate-request transmissions to
# <n> (default 10).
# pap-max-authreq <n>

# Set the maximum time that pppd will wait for the peer to authenticate
# itself with PAP to <n> seconds (0 means no limit).
# pap-timeout <n>

# Set the CHAP restart interval (retransmission timeout for
# challenges) to <n> seconds (default 3).
# chap-restart <n>

# Set the maximum number of CHAP challenge transmissions to <n>
# (default 10).
# chap-max-challenge

# If this option is given, pppd will rechallenge the peer every <n>
# seconds.
# chap-interval <n>

# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
# ipcp-accept-local

# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
# ipcp-accept-remote

# Disable the IPXCP and IPX protocols.
# To let pppd pass IPX packets comment this out --- you'll probably also
# want to install ipxripd, and have the Internal IPX Network option enabled
# in your kernel.  /usr/doc/HOWTO/IPX-HOWTO.gz contains more info.
noipx

# Exit once a connection has been made and terminated. This is the default,
# unless the `persist' or `demand' option has been specified.
# nopersist

# Do not exit after a connection is terminated; instead try to reopen
# the connection.
# persist

# Terminate after n consecutive failed connection attempts.
# A value of 0 means no limit. The default value is 10.
# maxfail <n>

# Initiate the link only on demand, i.e. when data traffic is present.
# With this option, the remote IP address must be specified by the user on
# the command line or in an options file.  Pppd will initially configure
# the interface and enable it for IP traffic without connecting to the peer.
# When traffic is available, pppd will connect to the peer and perform
# negotiation, authentication, etc.  When this is completed, pppd will
# commence passing data packets (i.e., IP packets) across the link.
# demand

# Specifies that pppd should disconnect if the link is idle for <n> seconds.
# The link is idle when no data packets (i.e. IP packets) are being sent or
# received.  Note: it is not advisable to use this option with the persist
# option without the demand option.  If the active-filter option is given,
# data packets which are rejected by the specified activity filter also
# count as the link being idle.
idle 60000

# Specifies how many seconds to wait before re-initiating the link after
# it terminates.  This option only has any effect if the persist or demand
# option is used.  The holdoff period is not applied if the link was
# terminated because it was idle.
# holdoff <n>

# Wait for up n milliseconds after the connect script finishes for a valid
# PPP packet from the peer.  At the end of this time, or when a valid PPP
# packet is received from the peer, pppd will commence negotiation by
# sending its first LCP packet.  The default value is 1000 (1 second).
# This wait period only applies if the connect or pty option is used.
# connect-delay <n>

# Packet filtering: for more information, see pppd(8)
# Any packets matching the filter expression will be interpreted as link
# activity, and will cause a "demand" connection to be activated, and reset
# the idle connection timer. (idle option)
# The filter expression is akin to that of tcpdump(1)
# active-filter <filter-expression>

# ---<End of File>---
[свернуть]
/etc/ppp/pptpd-options
Открыть содержимое (спойлер)

###############################################################################
# $Id$
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

auth
logfile /var/log/pptpd.log

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)

name pptpd

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
# chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}


# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
ms-dns 8.8.8.8
# ms-dns 10.0.0.1
# ms-dns 10.0.0.2

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
# ms-wins 10.0.0.3
# ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
# dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp
novj
novjccomp

[свернуть]

Правила iptables тоже показывать?
Нет судьбы кроме той, что мы сами творим.

T1000

#7
Лог tcpdump:
Открыть содержимое (спойлер)

tcpdump -vi eth0 host 46.20.71.108 and not port 22003
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:25:51.594562 IP (tos 0x0, ttl 118, id 18237, offset 0, flags [DF], proto TCP (6), length 52)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags , cksum 0xa061 (correct), seq 710997704, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:51.594616 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    SATCLOUD.1723 > 46.20.71.108.samara-ttk.ru.64630: Flags [S.], cksum 0x8a7a (incorrect -> 0xe920), seq 3121996820, ack 710997705, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
11:25:51.670859 IP (tos 0x0, ttl 118, id 18241, offset 0, flags [DF], proto TCP (6), length 40)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [.], cksum 0x61f9 (correct), ack 1, win 256, length 0
11:25:51.670904 IP (tos 0x0, ttl 118, id 18242, offset 0, flags [DF], proto TCP (6), length 196)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [P.], cksum 0x0587 (correct), seq 1:157, ack 1, win 256, length 156: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft)
11:25:51.976647 IP (tos 0x0, ttl 118, id 18249, offset 0, flags [DF], proto TCP (6), length 196)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [P.], cksum 0x0587 (correct), seq 1:157, ack 1, win 256, length 156: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft)
11:25:52.574068 IP (tos 0x0, ttl 118, id 18253, offset 0, flags [DF], proto TCP (6), length 196)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [P.], cksum 0x0587 (correct), seq 1:157, ack 1, win 256, length 156: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft)
11:25:53.058900 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    SATCLOUD.1723 > 46.20.71.108.samara-ttk.ru.64630: Flags [S.], cksum 0x8a7a (incorrect -> 0xe920), seq 3121996820, ack 710997705, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
11:25:53.135762 IP (tos 0x0, ttl 118, id 18257, offset 0, flags [DF], proto TCP (6), length 52)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [.], cksum 0xeeef (correct), ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
11:25:53.778548 IP (tos 0x0, ttl 118, id 18261, offset 0, flags [DF], proto TCP (6), length 196)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [P.], cksum 0x0587 (correct), seq 1:157, ack 1, win 256, length 156: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft)
11:25:55.259007 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    SATCLOUD.1723 > 46.20.71.108.samara-ttk.ru.64630: Flags [S.], cksum 0x8a7a (incorrect -> 0xe920), seq 3121996820, ack 710997705, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
11:25:55.334498 IP (tos 0x0, ttl 118, id 18267, offset 0, flags [DF], proto TCP (6), length 52)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [.], cksum 0xeeef (correct), ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
11:25:56.173523 IP (tos 0x0, ttl 118, id 18270, offset 0, flags [DF], proto TCP (6), length 196)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [P.], cksum 0x0587 (correct), seq 1:157, ack 1, win 256, length 156: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft)
11:25:56.173592 IP (tos 0x0, ttl 64, id 59175, offset 0, flags [DF], proto TCP (6), length 40)
    SATCLOUD.1723 > 46.20.71.108.samara-ttk.ru.64630: Flags [.], cksum 0x8a6e (incorrect -> 0x6073), ack 157, win 490, length 0
11:26:21.672656 IP (tos 0x0, ttl 118, id 18274, offset 0, flags [DF], proto TCP (6), length 40)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [F.], cksum 0x615c (correct), seq 157, ack 1, win 256, length 0
11:26:21.710896 IP (tos 0x0, ttl 64, id 59176, offset 0, flags [DF], proto TCP (6), length 40)
    SATCLOUD.1723 > 46.20.71.108.samara-ttk.ru.64630: Flags [.], cksum 0x8a6e (incorrect -> 0x6072), ack 158, win 490, length 0
11:26:21.787438 IP (tos 0x0, ttl 118, id 18277, offset 0, flags [DF], proto TCP (6), length 40)
    46.20.71.108.samara-ttk.ru.64630 > SATCLOUD.1723: Flags [R.], cksum 0x6258 (correct), seq 158, ack 1, win 0, length 0
[свернуть]
Открыть содержимое (спойлер)

root@SATCLOUD:~# iptables-save
# Generated by iptables-save v1.4.14 on Mon Oct 27 11:35:04 2014
*nat
:PREROUTING ACCEPT [165926:10278028]
:INPUT ACCEPT [131349:7936173]
:OUTPUT ACCEPT [2003:142751]
:POSTROUTING ACCEPT [2330:162791]
-A POSTROUTING -s 172.10.8.0/21 -o eth0 -j SNAT --to-source 78.46.198.165
COMMIT
# Completed on Mon Oct 27 11:35:04 2014
# Generated by iptables-save v1.4.14 on Mon Oct 27 11:35:04 2014
*mangle
:PREROUTING ACCEPT [1915165:1167357857]
:INPUT ACCEPT [1295905:658538438]
:FORWARD ACCEPT [616603:508390234]
:OUTPUT ACCEPT [1313704:573596058]
:POSTROUTING ACCEPT [1898991:1080109463]
COMMIT
# Completed on Mon Oct 27 11:35:04 2014
# Generated by iptables-save v1.4.14 on Mon Oct 27 11:35:04 2014
*filter
:INPUT ACCEPT [1295905:658538438]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1313704:573596058]
-A FORWARD -s 172.10.12.2/32 -d 172.10.12.3/32 -j ACCEPT
-A FORWARD -s 172.10.12.3/32 -d 172.10.12.2/32 -j ACCEPT
-A FORWARD -s 172.10.12.2/32 -d 172.10.12.4/32 -j ACCEPT
-A FORWARD -s 172.10.12.4/32 -d 172.10.12.2/32 -j ACCEPT
-A FORWARD -s 172.10.12.2/32 -d 172.10.12.5/32 -j ACCEPT
-A FORWARD -s 172.10.12.5/32 -d 172.10.12.2/32 -j ACCEPT
-A FORWARD -s 172.10.12.3/32 -d 172.10.12.4/32 -j ACCEPT
-A FORWARD -s 172.10.12.4/32 -d 172.10.12.3/32 -j ACCEPT
-A FORWARD -s 172.10.12.3/32 -d 172.10.12.5/32 -j ACCEPT
-A FORWARD -s 172.10.12.5/32 -d 172.10.12.3/32 -j ACCEPT
-A FORWARD -s 172.10.12.4/32 -d 172.10.12.5/32 -j ACCEPT
-A FORWARD -s 172.10.12.5/32 -d 172.10.12.4/32 -j ACCEPT
-A FORWARD -s 172.10.12.6/32 -d 172.10.12.7/32 -j ACCEPT
-A FORWARD -s 172.10.12.7/32 -d 172.10.12.6/32 -j ACCEPT
-A FORWARD -s 172.10.12.8/32 -d 172.10.12.9/32 -j ACCEPT
-A FORWARD -s 172.10.12.9/32 -d 172.10.12.8/32 -j ACCEPT
-A FORWARD -s 172.10.12.10/32 -d 172.10.12.11/32 -j ACCEPT
-A FORWARD -s 172.10.12.11/32 -d 172.10.12.10/32 -j ACCEPT
-A FORWARD -s 172.10.12.12/32 -d 172.10.12.13/32 -j ACCEPT
-A FORWARD -s 172.10.12.13/32 -d 172.10.12.12/32 -j ACCEPT
-A FORWARD -s 172.10.12.14/32 -d 172.10.12.15/32 -j ACCEPT
-A FORWARD -s 172.10.12.15/32 -d 172.10.12.14/32 -j ACCEPT
-A FORWARD -s 172.10.12.16/32 -d 172.10.12.17/32 -j ACCEPT
-A FORWARD -s 172.10.12.17/32 -d 172.10.12.16/32 -j ACCEPT
-A FORWARD -s 172.10.12.18/32 -d 172.10.12.19/32 -j ACCEPT
-A FORWARD -s 172.10.12.19/32 -d 172.10.12.18/32 -j ACCEPT
-A FORWARD -s 172.10.12.20/32 -d 172.10.12.21/32 -j ACCEPT
-A FORWARD -s 172.10.12.21/32 -d 172.10.12.20/32 -j ACCEPT
-A FORWARD -s 172.10.12.22/32 -d 172.10.12.23/32 -j ACCEPT
-A FORWARD -s 172.10.12.23/32 -d 172.10.12.22/32 -j ACCEPT
-A FORWARD -s 172.10.12.24/32 -d 172.10.12.25/32 -j ACCEPT
-A FORWARD -s 172.10.12.25/32 -d 172.10.12.24/32 -j ACCEPT
-A FORWARD -s 172.10.12.26/32 -d 172.10.12.27/32 -j ACCEPT
-A FORWARD -s 172.10.12.27/32 -d 172.10.12.26/32 -j ACCEPT
-A FORWARD -s 172.10.12.28/32 -d 172.10.12.29/32 -j ACCEPT
-A FORWARD -s 172.10.12.29/32 -d 172.10.12.28/32 -j ACCEPT
-A FORWARD -s 172.10.12.30/32 -d 172.10.12.31/32 -j ACCEPT
-A FORWARD -s 172.10.12.31/32 -d 172.10.12.30/32 -j ACCEPT
-A FORWARD -s 172.10.12.32/32 -d 172.10.12.33/32 -j ACCEPT
-A FORWARD -s 172.10.12.33/32 -d 172.10.12.32/32 -j ACCEPT
-A FORWARD -s 172.10.12.34/32 -d 172.10.12.35/32 -j ACCEPT
-A FORWARD -s 172.10.12.35/32 -d 172.10.12.34/32 -j ACCEPT
-A FORWARD -s 172.10.12.36/32 -d 172.10.12.37/32 -j ACCEPT
-A FORWARD -s 172.10.12.37/32 -d 172.10.12.36/32 -j ACCEPT
-A FORWARD -s 172.10.12.38/32 -d 172.10.12.39/32 -j ACCEPT
-A FORWARD -s 172.10.12.39/32 -d 172.10.12.38/32 -j ACCEPT
-A FORWARD -s 172.10.12.40/32 -d 172.10.12.41/32 -j ACCEPT
-A FORWARD -s 172.10.12.41/32 -d 172.10.12.40/32 -j ACCEPT
-A FORWARD -s 172.10.12.42/32 -d 172.10.12.43/32 -j ACCEPT
-A FORWARD -s 172.10.12.43/32 -d 172.10.12.42/32 -j ACCEPT
-A FORWARD -s 172.10.12.44/32 -d 172.10.12.45/32 -j ACCEPT
-A FORWARD -s 172.10.12.45/32 -d 172.10.12.44/32 -j ACCEPT
-A FORWARD -s 172.10.12.46/32 -d 172.10.12.47/32 -j ACCEPT
-A FORWARD -s 172.10.12.47/32 -d 172.10.12.46/32 -j ACCEPT
-A FORWARD -s 172.10.12.48/32 -d 172.10.12.49/32 -j ACCEPT
-A FORWARD -s 172.10.12.49/32 -d 172.10.12.48/32 -j ACCEPT
-A FORWARD -s 172.10.12.50/32 -d 172.10.12.51/32 -j ACCEPT
-A FORWARD -s 172.10.12.51/32 -d 172.10.12.50/32 -j ACCEPT
-A FORWARD -s 172.10.12.52/32 -d 172.10.12.53/32 -j ACCEPT
-A FORWARD -s 172.10.12.53/32 -d 172.10.12.52/32 -j ACCEPT
-A FORWARD -s 172.10.12.54/32 -d 172.10.12.55/32 -j ACCEPT
-A FORWARD -s 172.10.12.55/32 -d 172.10.12.54/32 -j ACCEPT
-A FORWARD -s 172.10.12.56/32 -d 172.10.12.57/32 -j ACCEPT
-A FORWARD -s 172.10.12.57/32 -d 172.10.12.56/32 -j ACCEPT
-A FORWARD -s 172.10.12.58/32 -d 172.10.12.59/32 -j ACCEPT
-A FORWARD -s 172.10.12.59/32 -d 172.10.12.58/32 -j ACCEPT
-A FORWARD -s 172.10.12.60/32 -d 172.10.12.61/32 -j ACCEPT
-A FORWARD -s 172.10.12.61/32 -d 172.10.12.60/32 -j ACCEPT
-A FORWARD -s 172.10.12.62/32 -d 172.10.12.63/32 -j ACCEPT
-A FORWARD -s 172.10.12.63/32 -d 172.10.12.62/32 -j ACCEPT
-A FORWARD -s 172.10.12.64/32 -d 172.10.12.65/32 -j ACCEPT
-A FORWARD -s 172.10.12.65/32 -d 172.10.12.64/32 -j ACCEPT
-A FORWARD -s 172.10.12.66/32 -d 172.10.12.67/32 -j ACCEPT
-A FORWARD -s 172.10.12.67/32 -d 172.10.12.66/32 -j ACCEPT
-A FORWARD -s 172.10.12.68/32 -d 172.10.12.69/32 -j ACCEPT
-A FORWARD -s 172.10.12.69/32 -d 172.10.12.68/32 -j ACCEPT
-A FORWARD -s 172.10.12.70/32 -d 172.10.12.71/32 -j ACCEPT
-A FORWARD -s 172.10.12.71/32 -d 172.10.12.70/32 -j ACCEPT
-A FORWARD -s 172.10.12.72/32 -d 172.10.12.73/32 -j ACCEPT
-A FORWARD -s 172.10.12.73/32 -d 172.10.12.72/32 -j ACCEPT
-A FORWARD -s 172.10.12.74/32 -d 172.10.12.75/32 -j ACCEPT
-A FORWARD -s 172.10.12.75/32 -d 172.10.12.74/32 -j ACCEPT
-A FORWARD -s 172.10.12.76/32 -d 172.10.12.77/32 -j ACCEPT
-A FORWARD -s 172.10.12.77/32 -d 172.10.12.76/32 -j ACCEPT
-A FORWARD -s 172.10.12.78/32 -d 172.10.12.79/32 -j ACCEPT
-A FORWARD -s 172.10.12.79/32 -d 172.10.12.78/32 -j ACCEPT
-A FORWARD -s 172.10.12.80/32 -d 172.10.12.81/32 -j ACCEPT
-A FORWARD -s 172.10.12.81/32 -d 172.10.12.80/32 -j ACCEPT
-A FORWARD -s 172.10.12.82/32 -d 172.10.12.83/32 -j ACCEPT
-A FORWARD -s 172.10.12.83/32 -d 172.10.12.82/32 -j ACCEPT
-A FORWARD -s 172.10.12.84/32 -d 172.10.12.85/32 -j ACCEPT
-A FORWARD -s 172.10.12.85/32 -d 172.10.12.84/32 -j ACCEPT
-A FORWARD -s 172.10.12.86/32 -d 172.10.12.87/32 -j ACCEPT
-A FORWARD -s 172.10.12.87/32 -d 172.10.12.86/32 -j ACCEPT
-A FORWARD -s 172.10.12.88/32 -d 172.10.12.89/32 -j ACCEPT
-A FORWARD -s 172.10.12.89/32 -d 172.10.12.88/32 -j ACCEPT
-A FORWARD -s 172.10.12.90/32 -d 172.10.12.91/32 -j ACCEPT
-A FORWARD -s 172.10.12.91/32 -d 172.10.12.90/32 -j ACCEPT
-A FORWARD -s 172.10.12.92/32 -d 172.10.12.93/32 -j ACCEPT
-A FORWARD -s 172.10.12.93/32 -d 172.10.12.92/32 -j ACCEPT
-A FORWARD -s 172.10.12.94/32 -d 172.10.12.95/32 -j ACCEPT
-A FORWARD -s 172.10.12.95/32 -d 172.10.12.94/32 -j ACCEPT
-A FORWARD -s 172.10.12.96/32 -d 172.10.12.97/32 -j ACCEPT
-A FORWARD -s 172.10.12.97/32 -d 172.10.12.96/32 -j ACCEPT
-A FORWARD -s 172.10.12.98/32 -d 172.10.12.99/32 -j ACCEPT
-A FORWARD -s 172.10.12.99/32 -d 172.10.12.98/32 -j ACCEPT
-A FORWARD -s 172.10.12.100/32 -d 172.10.12.101/32 -j ACCEPT
-A FORWARD -s 172.10.12.101/32 -d 172.10.12.100/32 -j ACCEPT
-A FORWARD -s 172.10.12.102/32 -d 172.10.12.103/32 -j ACCEPT
-A FORWARD -s 172.10.12.103/32 -d 172.10.12.102/32 -j ACCEPT
-A FORWARD -s 172.10.12.104/32 -d 172.10.12.105/32 -j ACCEPT
-A FORWARD -s 172.10.12.105/32 -d 172.10.12.104/32 -j ACCEPT
-A FORWARD -s 172.10.12.106/32 -d 172.10.12.107/32 -j ACCEPT
-A FORWARD -s 172.10.12.107/32 -d 172.10.12.106/32 -j ACCEPT
-A FORWARD -s 172.10.8.0/32 -d 172.10.8.1/32 -j ACCEPT
-A FORWARD -s 172.10.8.1/32 -d 172.10.8.0/32 -j ACCEPT
-A FORWARD -s 172.10.8.2/32 -d 172.10.8.3/32 -j ACCEPT
-A FORWARD -s 172.10.8.3/32 -d 172.10.8.2/32 -j ACCEPT
-A FORWARD -s 172.10.8.4/32 -d 172.10.8.5/32 -j ACCEPT
-A FORWARD -s 172.10.8.5/32 -d 172.10.8.4/32 -j ACCEPT
-A FORWARD -s 172.10.8.6/32 -d 172.10.8.7/32 -j ACCEPT
-A FORWARD -s 172.10.8.7/32 -d 172.10.8.6/32 -j ACCEPT
-A FORWARD -s 172.10.8.8/32 -d 172.10.8.9/32 -j ACCEPT
-A FORWARD -s 172.10.8.9/32 -d 172.10.8.8/32 -j ACCEPT
-A FORWARD -s 172.10.8.10/32 -d 172.10.8.11/32 -j ACCEPT
-A FORWARD -s 172.10.8.11/32 -d 172.10.8.10/32 -j ACCEPT
-A FORWARD -s 172.10.8.12/32 -d 172.10.8.13/32 -j ACCEPT
-A FORWARD -s 172.10.8.13/32 -d 172.10.8.12/32 -j ACCEPT
-A FORWARD -s 172.10.8.14/32 -d 172.10.8.15/32 -j ACCEPT
-A FORWARD -s 172.10.8.15/32 -d 172.10.8.14/32 -j ACCEPT
-A FORWARD -s 172.10.8.16/32 -d 172.10.8.17/32 -j ACCEPT
-A FORWARD -s 172.10.8.17/32 -d 172.10.8.16/32 -j ACCEPT
-A FORWARD -s 172.10.8.18/32 -d 172.10.8.19/32 -j ACCEPT
-A FORWARD -s 172.10.8.19/32 -d 172.10.8.18/32 -j ACCEPT
-A FORWARD -s 172.10.8.20/32 -d 172.10.8.21/32 -j ACCEPT
-A FORWARD -s 172.10.8.21/32 -d 172.10.8.20/32 -j ACCEPT
-A FORWARD -s 172.10.8.22/32 -d 172.10.8.23/32 -j ACCEPT
-A FORWARD -s 172.10.8.23/32 -d 172.10.8.22/32 -j ACCEPT
-A FORWARD -s 172.10.8.24/32 -d 172.10.8.25/32 -j ACCEPT
-A FORWARD -s 172.10.8.25/32 -d 172.10.8.24/32 -j ACCEPT
-A FORWARD -s 172.10.8.26/32 -d 172.10.8.27/32 -j ACCEPT
-A FORWARD -s 172.10.8.27/32 -d 172.10.8.26/32 -j ACCEPT
-A FORWARD -s 172.10.8.28/32 -d 172.10.8.29/32 -j ACCEPT
-A FORWARD -s 172.10.8.29/32 -d 172.10.8.28/32 -j ACCEPT
-A FORWARD -s 172.10.8.106/32 -d 172.10.8.107/32 -j ACCEPT
-A FORWARD -s 172.10.8.107/32 -d 172.10.8.106/32 -j ACCEPT
-A FORWARD -s 172.10.12.253/32 -j ACCEPT
-A FORWARD -d 172.10.12.253/32 -j ACCEPT
-A FORWARD -s 172.10.12.252/32 -j ACCEPT
-A FORWARD -d 172.10.12.252/32 -j ACCEPT
-A FORWARD -s 172.10.8.0/21 -j DROP
COMMIT
# Completed on Mon Oct 27 11:35:04 2014

[свернуть]

результат команды ps axf:
Открыть содержимое (спойлер)

root@SATCLOUD:/var/log# ps axf | grep pptpd
3530 pts/12   S+     0:00                  \_ grep pptpd
2849 ?        S      0:00 pptpd [188.162.36.59:052A - 0000]
2890 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.1 ipparam 188.162.36.59 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 188.162.36.59 remotenumber 188.162.36.59
2850 ?        S      0:00 pptpd [188.162.36.209:0006 - 0080]
2860 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.2 ipparam 188.162.36.209 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 188.162.36.209 remotenumber 188.162.36.209
2851 ?        S      0:00 pptpd [188.162.36.150:0006 - 0100]
2883 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.3 ipparam 188.162.36.150 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 188.162.36.150 remotenumber 188.162.36.150
2852 ?        S      0:00 pptpd [185.3.32.225:7241 - 0180]
2853 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.4 ipparam 185.3.32.225 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 185.3.32.225 remotenumber 185.3.32.225
2905 ?        S      0:00 pptpd [213.87.130.190:DA15 - 0200]
2910 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.5 ipparam 213.87.130.190 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 213.87.130.190 remotenumber 213.87.130.190
2906 ?        S      0:00 pptpd [85.26.233.11:87D4 - 0280]
2907 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.6 ipparam 85.26.233.11 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 85.26.233.11 remotenumber 85.26.233.11
2919 ?        S      0:00 pptpd [95.153.198.53:8E1D - 0400]
2923 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.9 ipparam 95.153.198.53 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 95.153.198.53 remotenumber 95.153.198.53
2932 ?        S      0:00 pptpd [188.162.166.127:F015 - 0480]
2933 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.10 ipparam 188.162.166.127 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 188.162.166.127 remotenumber 188.162.166.127
2940 ?        S      0:00 pptpd [85.26.235.36:4997 - 0500]
2942 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.7 ipparam 85.26.235.36 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 85.26.235.36 remotenumber 85.26.235.36
2949 ?        S      0:00 pptpd [85.26.235.0:5B09 - 0600]
2950 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.11 ipparam 85.26.235.0 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 85.26.235.0 remotenumber 85.26.235.0
2957 ?        S      0:00 pptpd [85.26.165.15:7355 - 0680]
2958 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.12 ipparam 85.26.165.15 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 85.26.165.15 remotenumber 85.26.165.15
3088 ?        S      0:00 pptpd [185.3.33.238:760A - 0900]
3089 ?        S      0:00  \_ /usr/sbin/pppd local file /etc/ppp/pptpd-options 115200 172.10.12.1:172.10.8.14 ipparam 185.3.33.238 plugin /usr/lib/pptpd/pptpd-logwtmp.so pptpd-original-ip 185.3.33.238 remotenumber 185.3.33.238
3127 ?        Ss     0:00 /usr/sbin/pptpd
3456 ?        S      0:00  \_ pptpd [188.162.36.213]
[свернуть]
Нет судьбы кроме той, что мы сами творим.

T1000

Почистил таблицы iptables (удалил все правила), частично помогло.
Клиенты могут подключаться, но не с первого раза(ошибка 807).
В логах не вижу причины, которая бы влияла на это.  ???
Нет судьбы кроме той, что мы сами творим.

T1000

#9
Снял лог запроса подключения с клиента Windows к серверу, проблема только с виндовыми клиентами.
Разобрался немного в логе tcpdump'а, обнаружил, что сервер не может согласовать с клиентом протокол прикладного уровня:

Открыть содержимое (спойлер)
клиент>серверу Flags , cksum 0x1667 (correct), seq 1288081054
сервер>клиенту Flags [S.], cksum 0x8a7a (incorrect -> 0x2606), seq 3565421254, ack 1288081055.
[свернуть]

Т.е. физический канал устанавливается между сервером и клиентом, но согласование протокола не проходит.
В чем может быть причина? Возможно проблема в MTU?
Нет судьбы кроме той, что мы сами творим.