Windows 10 drops the IKEv2 VPN connection to a Cisco router 60 seconds after the last data exchange


Update 3: 22 January 2017

I have narrowed down the update that causes this: KB3201845, OS build 14393.479, released 9 December 2016. I stepped through all of these updates one by one.

Looking at the changed-file manifest, these files have been changed:

  • System administrator
  • Virtual private network

Other threads I have created:

Microsoft Technet forum, where 2 other people confirmed the same problem

Reddit /r/networking

Microsoft Feedback Hub

Update

  • Windows 10 before the Anniversary Update (version 10.0.10586) works fine

  • Windows 10 Anniversary Update (version 10.0.14393) drops, so the problem lies in the Anniversary Update.


Update 2

I can connect fine with two Anniversary Update Windows hosts.

If I connect one Anniversary Update Windows host to the VPN and keep it alive artificially with pings, I cannot connect a second host to the VPN. In the router's "debug crypto ikev2" the following happens:

Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):Session present in ID PAIR TREE, but absent in TUPLE TREE
Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):: Failed to add new SA into session DB
Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):Queuing IKE SA delete request reason: unknown
Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):Sending DELETE INFO message for IPsec SA [SPI: 0x3DA95352]
Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):Check for existing IPSEC SA
Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):Delete all IKE SAs
Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x3B52B7EBA8A353B1 RSPI: 0x16F36D79AAE675A5]

I have a Cisco IOS router, model 892, on which I am setting up IKEv2 with EAP-MSCHAPv2 as remote authentication (backed by a Windows 2012 Server Network Policy Server) and local certificate authentication. Everything works: I can connect to the VPN and ping a loopback address on the router. Windows 7 and 8.1 work fine, and so do Android and strongSwan.

However, on Windows 10 (10.0.14393, fully updated as of 16 January 2017), exactly 60 seconds after the last data exchange (e.g. a ping), Windows drops the connection. So:

  • T+0 VPN connection comes up
  • T+60 VPN connection drops

  • T+0 VPN connection comes up
  • T+20 one ping to 172.16.0.5, reply received
  • T+80 VPN connection drops

The VPN is dropped, with the following message in the System event log:

Source: RasClient

Event ID: 20226

CoId={43121588-861C-447A-A510-C44C2BA86639}: The user LAPTOP-GLENN\Glenn dialed a connection named ikev2-test which has terminated. The reason code returned on termination is 829.

So I started digging and enabled RAS debugging on the client:

netsh ras diagnostics * state=enabled

The only relevant thing I could find was in C:\Windows\tracing\rasman.log (20:11:51 is the time the disconnect happened; the interesting parts are prefixed with "***"):

[1384] 01-16 20:11:51:216: FreeInterfaceLuidIndex: Luid = 0
[1384] 01-16 20:11:51:216: RasUpdateVpnLuidCache: Luid: 17000000000000, fAddLuid:0
[1384] 01-16 20:11:51:216: RasUpdateVpnLuidCache: Removed Luid 17000000000000 from cache
[1384] 01-16 20:11:51:216: FreeInterfaceLuidIndex: done 0
[1384] 01-16 20:11:51:216: DeallocateRouteRequestCommon: pBundle=0xa50adde0, type=0x800
[1384] 01-16 20:11:51:232: DeActivated Route , bundlehandle 0x4, prottype = 2048
[1384] 01-16 20:11:51:232: DeAllocateRoute: PI_Type=0x800, PI_AdapterName=\DEVICE\{93A76D72-2010-45BB-9096-244B06735879}, PI_Allocated=-1
[3524] 01-16 20:11:51:248: SendProtocolResultToRasman: msgid=1, hPort: 6.
*** [3524] 01-16 20:11:51:248: Setting last error for port VPN2-1 to ppp error 0x3635
[3524] 01-16 20:11:51:248: SetProtocolResultAvailableEvent: Notification handle event for port 6 is not registered.
[2640] 01-16 20:11:51:248: WorkerThread: Disconnect event signaled on port: VPN2-1
[2640] 01-16 20:11:51:248: OVEVT_DEV_STATECHANGE. pOverlapped = 0xa4611940
[2640] 01-16 20:11:51:248: onecoreuap\net\rras\ras\rasman\rasman\worker.c, 2031: Disconnecting port 6, connection 0xa6af47e0, reason 1
[2640] 01-16 20:11:51:248: Disconnecting Port 0xVPN2-1, reason 1
[2640] 01-16 20:11:51:248: DisconnectPort: Saving Bundle stats for port VPN2-1
[2640] 01-16 20:11:51:263: RevertPostConnectionActions
[2640] 01-16 20:11:51:263: RasImpersonateUser. 0x0
[2640] 01-16 20:11:51:263: DeleteCredentialsFromCredMan
[2640] 01-16 20:11:51:263: DeleteCredentialsFromCredMan Done: 0
[2640] 01-16 20:11:51:263: RasRevertToSelf. 0x0
[2640] 01-16 20:11:51:263: QueueCloseConnections: no dependent connections
[2640] 01-16 20:11:51:263: 10. Throwing away handle 0x0!
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\util.c, 2315:Setting port 6 for autoclosure...
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\util.c 2327: Disconnected Port 6, reason 1. rc=0x0
[2640] 01-16 20:11:51:263: FreeBundle: freeing pBundle=0xa50adde0
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\util.c: 2443: port 6 state chg: prev=2, new=3
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\util.c: 2459: port 6 state chg: prev=3, new=4
[2640] 01-16 20:11:51:263: 5. Notifying of disconnect on port 6
[2640] 01-16 20:11:51:263: SignalPortDisconnect: Notification handle event for port 6 is not registered.
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\util.c: 2573: port 6 async reqtype chg: prev=0, new=0
[2640] 01-16 20:11:51:263: ***** DisconnectType=1,DisconnectReason=4,pConn=0xa6af47e0,cbports=1,signaled=1,hEvent=0xffffffff,fRedial=0
[2640] 01-16 20:11:51:263: Calling DwQueueRedial
[2640] 01-16 20:11:51:263: DwQueueRedial
[2640] 01-16 20:11:51:263: DwQueueRedial returned 0x0
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\util.c, 2634: Autoclosing port 6
[2640] 01-16 20:11:51:263: PortClose: port (6). OpenInstances = 1
[2640] 01-16 20:11:51:263: Freeing the notifier list for port 6
[2640] 01-16 20:11:51:263: PortClose (6). OpenInstances = 0
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\request.c: 3845: port 6 async reqtype chg: prev=0, new=0
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\request.c: 3848: port 6 state chg: prev=4, new=4
[2640] 01-16 20:11:51:263: PortClose: Resetting PCB_OpenedUsage for port: 6.
[2640] 01-16 20:11:51:263: RemoveConnectionPort: port 6, fOwnerClose=0, pConn=0xa6af47e0, pConn->CB_Ports=0

*** [2640] 01-16 20:11:51:263: Completely disconnected connection: Reason: ERROR_LINK_FAILURE (829)
[2640] 01-16 20:11:51:263: SendSensNotification(_RAS_DISCONNECT) for 0x00040000 returns 0x00000000
[2640] 01-16 20:11:51:263: Successfully notified event(128, C:\Users\Glenn\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk, ikev2-test) to the caller.
[2640] 01-16 20:11:51:263: SignalNetman: IRasEventNotify::RasEvent returned S_FALSE
[2640] 01-16 20:11:51:263: DwSendNotificationInternal(ENTRY_DISCONNECTED) rc=0x1
[2640] 01-16 20:11:51:263: RemoveConnectionPort: FreeConnection hconn=0x40000, pconn=0xa6af47e0, AutoClose=1
[2640] 01-16 20:11:51:263: FreeConnection: pConn=0xa6af47e0, 1
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\request.c, 3918: Clearing the autoclose flag for port 6
[2640] 01-16 20:11:51:263: fAnyConnectedPorts: 0
[2640] 01-16 20:11:51:263: SetRasmanServiceStopControl: Enabled 1
[2640] 01-16 20:11:51:263: PortClose: DisableAutoWPPTracing failed with error 0x2 
[2640] 01-16 20:11:51:263: DisconnectPort Complete
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\worker.c: 2077: port 6 state chg: prev=4, new=4
[2640] 01-16 20:11:51:263: onecoreuap\net\rras\ras\rasman\rasman\worker.c: 2081: port 6 async reqtype chg: prev=0, new=0
[1276] 01-16 20:11:51:263: The specified notification entry with cookie 2 found.
[1276] 01-16 20:11:51:263: Dequed notification entry: (128, C:\Users\Glenn\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk, ikev2-test) from the queue.

  • Running the same configuration on a Cisco CSR1000v router: exactly the same thing happens.
  • Created a REG_DWORD named "InactivityIdleSeconds" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0012 (WAN Miniport (IKEv2)) and changed its value, but nothing changed (see why I did this
  • Tried dead peer detection, but that did not change anything either

I cannot find what criteria Windows 10 uses to decide that the IKEv2 connection is broken, or which state change makes Windows 10 think the VPN has to be disconnected.

So... any pointers?

Microsoft Technet: error 829 means ERROR_LINK_FAILURE: the modem (or other connecting device) was disconnected due to link failure.

Microsoft Technet: 0x3635 means 13877 ERROR_IPSEC_IKE_RPC_DELETE, "deleted via RPC call".

Cisco IOS router configuration.

Cisco IOS router IKEv2 debug log

Zip file of the complete C:\Windows\tracing directory
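The question above correlates three artefacts by hand: the RasMan trace (PPP error 0x3635, then reason 829), the RasClient event, and the router's "debug crypto ikev2" output (the session-DB collision in Update 2, and which side sends the IKEv2 DELETE). The script below is an added example, not code from the question or from any of the answers; it automates that correlation over the log excerpts quoted in the post. The sample lines are copied from those excerpts, the error names are the ones the post quotes from Microsoft's documentation, and the only assumption is the year (2017) for the rasman.log timestamps, which omit it.

```python
"""Correlate Windows RasMan tracing with Cisco IOS 'debug crypto ikev2' output.

Added example (not code from the question): decodes the two error codes the
post quotes, works out which side sent the IKEv2 DELETE, flags the router's
session-DB collision from Update 2, and measures the idle gap before a drop.
"""
import re
from datetime import datetime, timedelta

# Error names exactly as the post quotes them from Microsoft's documentation.
PPP_ERRORS = {0x3635: "ERROR_IPSEC_IKE_RPC_DELETE"}  # 13877, "deleted via RPC call"
RAS_REASONS = {829: "ERROR_LINK_FAILURE"}

# rasman.log: "[2640] 01-16 20:11:51:263: message"  (the post prefixes key lines with "***")
RASMAN_RE = re.compile(
    r"^(?:\*+\s*)?\[\d+\]\s+(\d\d-\d\d \d\d:\d\d:\d\d):(\d{3}):\s*(.*)$")
# IOS: "*Jan 16 20:12:10.655: IKEv2:(SESSION ID = 12,SA ID = 1):message"
IOS_RE = re.compile(
    r"^\*?(\w{3} \d{1,2} \d\d:\d\d:\d\d\.\d{3}): IKEv2:\(SESSION ID = (\d+),SA ID = (\d+)\):(.*)$")


def rasman_time(stamp, ms, year=2017):
    """rasman.log omits the year; assumption: the year of the post (2017)."""
    return datetime.strptime(f"{year}-{stamp}", "%Y-%m-%d %H:%M:%S") + timedelta(milliseconds=int(ms))


def decode_rasman(lines):
    """Extract the PPP error, the RAS reason code and the disconnect time from rasman.log lines."""
    out = {"ppp_error": None, "ppp_error_name": None,
           "reason": None, "reason_name": None, "disconnect_time": None}
    for line in lines:
        m = RASMAN_RE.match(line.strip())
        if not m:
            continue
        stamp, ms, msg = m.groups()
        e = re.search(r"ppp error (0x[0-9A-Fa-f]+)", msg)
        if e:
            code = int(e.group(1), 16)
            out["ppp_error"], out["ppp_error_name"] = code, PPP_ERRORS.get(code, "unknown")
        r = re.search(r"Completely disconnected connection: Reason: (\w+) \((\d+)\)", msg)
        if r:
            code = int(r.group(2))
            out["reason"], out["reason_name"] = code, RAS_REASONS.get(code, r.group(1))
            out["disconnect_time"] = rasman_time(stamp, ms)
    return out


def ikev2_analysis(lines):
    """Classify 'debug crypto ikev2' lines: which side sent the DELETE, and whether the
    router hit the session-DB collision seen when a second client connects."""
    info = {"delete_origin": None, "session_db_collision": False, "sessions": set()}
    for line in lines:
        m = IOS_RE.match(line.strip())
        if not m:
            continue
        _, session, _, msg = m.groups()
        info["sessions"].add(int(session))
        if "absent in TUPLE TREE" in msg or "Failed to add new SA into session DB" in msg:
            info["session_db_collision"] = True
        if "Sending DELETE INFO message for IKEv2 SA" in msg:
            info["delete_origin"] = "router"   # the router tore the IKE SA down itself
        elif "Received Packet" in msg and "Payload contents: DELETE" in msg:
            info["delete_origin"] = "client"   # the peer (the Windows client) sent the DELETE
    return info


def idle_before_disconnect(timeline):
    """timeline: [(seconds since connect, 'up' | 'data' | 'down'), ...].
    Return the seconds of silence between the last data exchange (or the connect,
    if there was none) and the drop, or None if the tunnel never dropped."""
    last_activity = drop = None
    for t, event in timeline:
        if event in ("up", "data"):
            last_activity = t
        elif event == "down":
            drop = t
    return None if last_activity is None or drop is None else drop - last_activity


# Sample input: lines copied from the excerpts quoted in the post.
SAMPLE_RASMAN = [
    "*** [3524] 01-16 20:11:51:248: Setting last error for port VPN2-1 to ppp error 0x3635",
    "[2640] 01-16 20:11:51:248: WorkerThread: Disconnect event signaled on port: VPN2-1",
    "*** [2640] 01-16 20:11:51:263: Completely disconnected connection: Reason: ERROR_LINK_FAILURE (829)",
]
SAMPLE_IOS_ROUTER = [  # Update 2: second client rejected, the router sends the DELETE
    "Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):Session present in ID PAIR TREE, but absent in TUPLE TREE",
    "Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):: Failed to add new SA into session DB",
    "Jan 17 19:20:35.811: IKEv2:(SESSION ID = 25,SA ID = 2):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x3B52B7EBA8A353B1 RSPI: 0x16F36D79AAE675A5]",
]
SAMPLE_IOS_CLIENT = [  # Answer 2: the client's own INFORMATIONAL request carrying DELETE
    "*Jan 16 20:12:10.655: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From 192.168.0.107:4500/To 192.168.0.200:4500/VRF i0:f0] Initiator SPI : 598D998BFD1C9FFB - Responder SPI : 6ADF174B54D76AA1 Message id: 6 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE",
]

if __name__ == "__main__":
    print(decode_rasman(SAMPLE_RASMAN))
    print(ikev2_analysis(SAMPLE_IOS_ROUTER))
    print(ikev2_analysis(SAMPLE_IOS_CLIENT))
    print("idle seconds before drop:", idle_before_disconnect([(0, "up"), (20, "data"), (80, "down")]))
```

Run it against the real C:\Windows\tracing\rasman.log and a router debug capture by reading the files into lists of lines. The `delete_origin` result is the quickest way to settle the question Answer 2 raises: "client" means the Windows side issued the DELETE (consistent with the 0x3635 "deleted via RPC call" PPP error, i.e. the local IKE service tore the SA down), while "router" means the IOS side ended it, as in the Update 2 collision.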

Answer 1

I was able to solve this because I had set up the VPN server myself on my own server. The strongSwan VPN server lets you register an updown script that runs whenever a client connection changes.

conn %default
    ...
    leftupdown=/absolute/path/to/keepalive/script.sh
    ...

script.sh looks like this:

#!/bin/bash
# strongSwan calls this script with the same arguments as the stock _updown script,
# so hand them through first (quoted, so arguments containing spaces survive).
/usr/lib/ipsec/_updown "$@"

# PLUTO_VERB - name of the event (up-client, down-client, ...)
# PLUTO_PEER_SOURCEIP - virtual IP assigned to the client

PLUTO_IPSTRING="${PLUTO_PEER_SOURCEIP//./}" # strip the dots from the client IP to build a unique pidfile name
PID_PATH="/absolute/path/to/writable/location"
PIDFILE="$PID_PATH/pluto$PLUTO_IPSTRING.pid"

if [ "up-client" == "$PLUTO_VERB" ]; then # a new client connected
        # Ping the client every 30 seconds in the background so the tunnel never goes idle,
        # and store the ping PID so it can be stopped when the client disconnects.
        ping -i 30 "$PLUTO_PEER_SOURCEIP" >/dev/null 2>&1 &
        echo $! > "$PIDFILE"
fi

if [ "down-client" == "$PLUTO_VERB" ]; then # the client disconnected
        if [ -f "$PIDFILE" ]; then
                kill "$(cat "$PIDFILE")" # stop the ping process
                rm -f "$PIDFILE"         # remove the associated PID file
        fi
fi

You will have to edit the paths to reflect your setup.

This approach is a bit hacky, but it works well. Unfortunately it is only possible if you can create such a script; if you do not have access to the remote VPN server, this will not help you.

Answer 2

This looks like the peer deleting the session..;

*Jan 16 20:12:10.655: IKEv2:(SESSION ID = 12,SA ID = 1):Received Packet [From 192.168.0.107:4500/To 192.168.0.200:4500/VRF i0:f0] Initiator SPI : 598D998BFD1C9FFB - Responder SPI : 6ADF174B54D76AA1 Message id: 6 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE

So you need to t/shoot the Windows client (sorry if you are already there..)

Your fan also seems to be playing up...

*Jan 16 20:11:24.243: %ENVMON-3-FAN_FAILED: Fan failed
