https://community.checkpoint.com/t5/SASE-and-Remote-Access/80-40-L2TP-remote-access-users-dropped-after-renegotiation/m-p/135437#M7594 <P>On a 77.30 standalone gateway ( using an 80.40 management server ) our L2TP remote access users could stay connected for an unlimited amount of time.</P><P>After upgrading the gateway to 80.40 our users are getting dropped after about 8 hours. This happens right after the renegotiation of&nbsp; Phase1+phase2. I have been through all of the vpn debug logs and it looks like the renegotiation completes successfully but the connection is still dropped.</P><P>Has anyone found a solution to this problem in 80.40? I have been applying hotfixes as they come out and am now up to Ongoing 131.&nbsp; These have fixed some issues with L2TP but not this one.</P><P>At the time of the drop in the firewall log i see&nbsp; these 2 entries</P><P><BR />Id: 98610405-6120-0000-61a8-6fa200000000<BR />Marker: @A@@B@1638427242@C@1277101<BR />Log Server Origin: 152.x.x.x<BR />Time: 2021-12-02T07:02:58Z<BR />Id Generated By Indexer: false<BR />First: false<BR />Sequencenum: 20<BR />Category: Session<BR />Event Type: Login<BR />Name: L2TP<BR />Login Option: Standard<BR />Failed Login Factor Number:0<BR />User DN: Unknown<BR />User Groups: All Users<BR />Re-authentication every: 8 hours<BR />Login Timestamp: 2021-12-02T07:02:58Z<BR />Source: 99.125.x.x<BR />IP Protocol: 6<BR />Destination Port: 443<BR />Data Protocol: IPSec<BR />Methods: 3DES + SHA1<BR />Status: Success<BR />Suppressed Logs: 0<BR />Mobile Access Session UID: 61A86FA2-0000-0000-9861-040561200000<BR />Data Encryption: 3DES + SHA1 + Group 2, Pre shared secrets<BR />Last Update Time: 2021-12-02T07:02:58Z<BR />Action: Log In<BR />Type: Log<BR />Blade: Mobile Access<BR />Origin: fw2.sewanee.edu<BR />Service: TCP/443<BR />Product Family: Access</P><P>Followed by:</P><P>Id: 98611316-e39e-7e0f-61a8-6faab8cf0012<BR />Marker: @A@@B@1638427242@C@1284570<BR />Log Server Origin: 152.x.x.x<BR />Time: 2021-12-02T07:03:06Z<BR />Interface Direction: inbound<BR />Interface Name: eth4<BR />Id Generated By Indexer:false<BR />First: true<BR />Sequencenum: 19<BR />Source: 99.125.x.x<BR />Source Port: 1701<BR />Destination: 152.x.x.x<BR />Destination Port: 1701<BR />IP Protocol: 17<BR />User: &lt;L2TP_machine_user&gt;_10658159151012685838_1120329598916211330<BR />Message: Cannot control L2TP tunnel owned by &lt;L2TP_machine_user&gt;_<BR />VPN Feature: L2TP<BR />Action: Drop<BR />Type: Connection<BR />Policy Name: new_rules_2<BR />Policy Management: cpmanage<BR />Db Tag: {696A09B6-67EB-6C4D-87D7-38AD5CFF65F9}<BR />Policy Date: 2021-12-01T18:12:36Z<BR />Blade: VPN<BR />Origin: firewall2<BR />Service: UDP/1701<BR />Product Family: Access<BR />Logid: 1<BR />Interface: eth4<BR />Description: Cannot control L2TP tunnel owned by &lt;L2TP_machine_user&gt;_</P><P>&nbsp;</P><P>The only thing I see unusual in the vpn debug log is that on initial connection&nbsp; I see HandleNatDPayloads: I am not behind a NAT!.<BR />But after the renegotiation I see HandleNatDPayloads: I am behind a NAT!<BR />The peer is always behind a NAT.</P> Thu, 02 Dec 2021 22:22:46 GMT Michael_Guyear 2021-12-02T22:22:46Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/80-40-L2TP-remote-access-users-dropped-after-renegotiation/m-p/135437#M7594 <P>On a 77.30 standalone gateway ( using an 80.40 management server ) our L2TP remote access users could stay connected for an unlimited amount of time.</P><P>After upgrading the gateway to 80.40 our users are getting dropped after about 8 hours. This happens right after the renegotiation of&nbsp; Phase1+phase2. I have been through all of the vpn debug logs and it looks like the renegotiation completes successfully but the connection is still dropped.</P><P>Has anyone found a solution to this problem in 80.40? I have been applying hotfixes as they come out and am now up to Ongoing 131.&nbsp; These have fixed some issues with L2TP but not this one.</P><P>At the time of the drop in the firewall log i see&nbsp; these 2 entries</P><P><BR />Id: 98610405-6120-0000-61a8-6fa200000000<BR />Marker: @A@@B@1638427242@C@1277101<BR />Log Server Origin: 152.x.x.x<BR />Time: 2021-12-02T07:02:58Z<BR />Id Generated By Indexer: false<BR />First: false<BR />Sequencenum: 20<BR />Category: Session<BR />Event Type: Login<BR />Name: L2TP<BR />Login Option: Standard<BR />Failed Login Factor Number:0<BR />User DN: Unknown<BR />User Groups: All Users<BR />Re-authentication every: 8 hours<BR />Login Timestamp: 2021-12-02T07:02:58Z<BR />Source: 99.125.x.x<BR />IP Protocol: 6<BR />Destination Port: 443<BR />Data Protocol: IPSec<BR />Methods: 3DES + SHA1<BR />Status: Success<BR />Suppressed Logs: 0<BR />Mobile Access Session UID: 61A86FA2-0000-0000-9861-040561200000<BR />Data Encryption: 3DES + SHA1 + Group 2, Pre shared secrets<BR />Last Update Time: 2021-12-02T07:02:58Z<BR />Action: Log In<BR />Type: Log<BR />Blade: Mobile Access<BR />Origin: fw2.sewanee.edu<BR />Service: TCP/443<BR />Product Family: Access</P><P>Followed by:</P><P>Id: 98611316-e39e-7e0f-61a8-6faab8cf0012<BR />Marker: @A@@B@1638427242@C@1284570<BR />Log Server Origin: 152.x.x.x<BR />Time: 2021-12-02T07:03:06Z<BR />Interface Direction: inbound<BR />Interface Name: eth4<BR />Id Generated By Indexer:false<BR />First: true<BR />Sequencenum: 19<BR />Source: 99.125.x.x<BR />Source Port: 1701<BR />Destination: 152.x.x.x<BR />Destination Port: 1701<BR />IP Protocol: 17<BR />User: &lt;L2TP_machine_user&gt;_10658159151012685838_1120329598916211330<BR />Message: Cannot control L2TP tunnel owned by &lt;L2TP_machine_user&gt;_<BR />VPN Feature: L2TP<BR />Action: Drop<BR />Type: Connection<BR />Policy Name: new_rules_2<BR />Policy Management: cpmanage<BR />Db Tag: {696A09B6-67EB-6C4D-87D7-38AD5CFF65F9}<BR />Policy Date: 2021-12-01T18:12:36Z<BR />Blade: VPN<BR />Origin: firewall2<BR />Service: UDP/1701<BR />Product Family: Access<BR />Logid: 1<BR />Interface: eth4<BR />Description: Cannot control L2TP tunnel owned by &lt;L2TP_machine_user&gt;_</P><P>&nbsp;</P><P>The only thing I see unusual in the vpn debug log is that on initial connection&nbsp; I see HandleNatDPayloads: I am not behind a NAT!.<BR />But after the renegotiation I see HandleNatDPayloads: I am behind a NAT!<BR />The peer is always behind a NAT.</P> Thu, 02 Dec 2021 22:22:46 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/80-40-L2TP-remote-access-users-dropped-after-renegotiation/m-p/135437#M7594 Michael_Guyear 2021-12-02T22:22:46Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/80-40-L2TP-remote-access-users-dropped-after-renegotiation/m-p/135482#M7595 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/22010">@Michael_Guyear</a> ,</P><P>might be not a solution but a fix for your problem:</P><P>Have you increased the renegotiation time under "Global properties / Remote Access / SecureClient Mobile / Re-Authenticate user every " 1440 minutes or the time which fills your preference?</P><P>Regards</P><P>Michael</P> Fri, 03 Dec 2021 16:12:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/80-40-L2TP-remote-access-users-dropped-after-renegotiation/m-p/135482#M7595 mhuettig 2021-12-03T16:12:06Z