0

I have a Windows Server 2022 with L2TP configured. The Server has a NATed IPv4 and a Public IPv6.
The Clients are all Windows 10 20H2
The Clients connect via it's DNS Name. The most clients do not support IPv6 and connect via IPv4.
They don't have any Problems with the connection.

But the Clients with IPv6 Addresses loose their Connection after 59 Minutes.
I have looked at three Different Clients with different IPv6 Addresses and it is the same for all of them.
From one Client I have a PCAP File from our Firewall and enabled Logging via netsh ras set tracing * enabled. I'm not entirely sure witch Log File to look at.

In the Eventviewer there is a entry which tells that the svchost.exe_IKEEXT is crashed. From the Time it matches the Disconnect.

Message              : Fehlerbucket 2073847750892668993, Typ 4
                       Ereignisname: APPCRASH
                       Antwort: Nicht verfügbar
                       CAB-Datei-ID: 0
                       
                       Problemsignatur:
                       P1: svchost.exe_IKEEXT
                       P2: 10.0.19041.1566
                       P3: 1f37eb46
                       P4: ikeext.dll
                       P5: 10.0.19041.1526
                       P6: 36e81ed5
                       P7: c0000005
                       P8: 00000000000554ab
                       P9: 
                       P10: 
                       
                       Angefügte Dateien:
                       \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6AD.tmp.dmp
                       \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF789.tmp.WERInternalMetadata.xml
                       \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7A9.tmp.xml
                       \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7B7.tmp.csv
                       \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF835.tmp.txt
                       
                       Diese Dateien befinden sich möglicherweise hier:
                       \\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_IKEE_2b0aed8c6968e72acfa52ee3da196696acb3a56_b42d39d9_74fb1b7a-5e19-
                       4089-84ed-92a85ef6bd20
                       
                       Analysesymbol: 
                       Es wird erneut nach einer Lösung gesucht: 0
                       Berichts-ID: a005dda7-22ed-4677-9ef3-c79cf81be685
                       Berichtstatus: 268435456
                       Bucket mit Hash: 654e8cadfaebfd171cc7c98aae334841
                       CAB-Datei-Guid: 0

I did collect the Report.wer. but don't know what Information I can get from it

Version=1
EventType=APPCRASH
EventTime=132926741435810051
ReportType=2
Consent=1
UploadTime=132926741440232947
ReportStatus=268435456
ReportIdentifier=74fb1b7a-5e19-4089-84ed-92a85ef6bd20
IntegratorReportIdentifier=a005dda7-22ed-4677-9ef3-c79cf81be685
Wow64Host=34404
NsAppName=svchost.exe_IKEEXT
OriginalFilename=svchost.exe
AppSessionGuid=000051a8-0000-00f4-3746-2a612240d801
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00001f912d4bec338ef10b7c9f19976286f8acc4eb97!svchost.exe
TargetAppVer=1986//08//07:00:26:46!1a0fa!svchost.exe
BootId=4294967295
ServiceGroupName=netsvcs
ServiceDllName=ikeext.dll
ServiceSplit=1
TargetAsId=1509
IsFatal=1
EtwNonCollectReason=1
Response.BucketId=654e8cadfaebfd171cc7c98aae334841
Response.BucketTable=4
Response.LegacyBucketId=2073847750892668993
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=svchost.exe_IKEEXT
Sig[1].Name=Anwendungsversion
Sig[1].Value=10.0.19041.1566
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=1f37eb46
Sig[3].Name=Fehlermodulname
Sig[3].Value=ikeext.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=10.0.19041.1526
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=36e81ed5
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00000000000554ab
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=10.0.19042.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=fbc7
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=fbc707af6f2cf90c6793247c62607853
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=fd8f
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=fd8ff660e04fd4578c8995654d3e9c06
UI[2]=C:\WINDOWS\system32\svchost.exe
UI[5]=Schließen
UI[8]=IKE- und AuthIP IPsec-Schlüsselerstellungsmodule wurde beendet und geschlossen.
UI[9]=Die Anwendung wird aufgrund eines Problems nicht mehr richtig ausgeführt. Sie erhalten Nachricht, wenn eine Lösung verfügbar ist.
UI[10]=S&chließen
LoadedModule[0]=C:\WINDOWS\system32\svchost.exe
LoadedModule[1]=C:\WINDOWS\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\WINDOWS\System32\KERNEL32.dll
LoadedModule[3]=C:\Windows\system32\hmpalert.dll
LoadedModule[4]=C:\WINDOWS\System32\KERNELBASE.dll
LoadedModule[5]=C:\WINDOWS\System32\sechost.dll
LoadedModule[6]=C:\WINDOWS\System32\RPCRT4.dll
LoadedModule[7]=C:\WINDOWS\System32\ucrtbase.dll
LoadedModule[8]=C:\WINDOWS\System32\ADVAPI32.dll
LoadedModule[9]=C:\WINDOWS\System32\msvcrt.dll
LoadedModule[10]=C:\WINDOWS\System32\combase.dll
LoadedModule[11]=C:\WINDOWS\SYSTEM32\kernel.appcore.dll
LoadedModule[12]=C:\WINDOWS\System32\bcryptPrimitives.dll
LoadedModule[13]=C:\WINDOWS\System32\user32.dll
LoadedModule[14]=C:\WINDOWS\System32\win32u.dll
LoadedModule[15]=C:\WINDOWS\System32\GDI32.dll
LoadedModule[16]=C:\WINDOWS\System32\gdi32full.dll
LoadedModule[17]=C:\WINDOWS\System32\msvcp_win.dll
LoadedModule[18]=c:\windows\system32\ikeext.dll
LoadedModule[19]=C:\WINDOWS\System32\WS2_32.dll
LoadedModule[20]=C:\WINDOWS\System32\NSI.dll
LoadedModule[21]=c:\windows\system32\AUTHZ.dll
LoadedModule[22]=c:\windows\system32\fwpuclnt.dll
LoadedModule[23]=C:\WINDOWS\System32\bcrypt.dll
LoadedModule[24]=c:\windows\system32\MSASN1.dll
LoadedModule[25]=C:\WINDOWS\SYSTEM32\powrprof.dll
LoadedModule[26]=c:\windows\system32\CRYPTSP.dll
LoadedModule[27]=c:\windows\system32\UMPDC.dll
LoadedModule[28]=C:\WINDOWS\SYSTEM32\WLDP.DLL
LoadedModule[29]=c:\windows\system32\ncrypt.dll
LoadedModule[30]=c:\windows\system32\NTASN1.dll
LoadedModule[31]=C:\WINDOWS\system32\mswsock.dll
LoadedModule[32]=C:\WINDOWS\SYSTEM32\rmclient.dll
LoadedModule[33]=c:\windows\system32\SspiCli.dll
LoadedModule[34]=c:\windows\system32\IPHLPAPI.DLL
LoadedModule[35]=C:\WINDOWS\SYSTEM32\dhcpcsvc6.DLL
LoadedModule[36]=C:\WINDOWS\SYSTEM32\dhcpcsvc.DLL
LoadedModule[37]=C:\WINDOWS\SYSTEM32\DNSAPI.dll
LoadedModule[38]=C:\WINDOWS\SYSTEM32\WINNSI.DLL
LoadedModule[39]=C:\WINDOWS\system32\rsaenh.dll
LoadedModule[40]=C:\WINDOWS\system32\CRYPTBASE.dll
LoadedModule[41]=C:\WINDOWS\system32\kerberos.DLL
State[0].Key=Transport.DoneStage1
State[0].Value=1
OsInfo[0].Key=vermaj
OsInfo[0].Value=10
OsInfo[1].Key=vermin
OsInfo[1].Value=0
OsInfo[2].Key=verbld
OsInfo[2].Value=19042
OsInfo[3].Key=ubr
OsInfo[3].Value=1586
OsInfo[4].Key=versp
OsInfo[4].Value=0
OsInfo[5].Key=arch
OsInfo[5].Value=9
OsInfo[6].Key=lcid
OsInfo[6].Value=1031
OsInfo[7].Key=geoid
OsInfo[7].Value=94
OsInfo[8].Key=sku
OsInfo[8].Value=48
OsInfo[9].Key=domain
OsInfo[9].Value=1
OsInfo[10].Key=prodsuite
OsInfo[10].Value=256
OsInfo[11].Key=ntprodtype
OsInfo[11].Value=1
OsInfo[12].Key=platid
OsInfo[12].Value=10
OsInfo[13].Key=sr
OsInfo[13].Value=0
OsInfo[14].Key=tmsi
OsInfo[14].Value=221541823
OsInfo[15].Key=osinsty
OsInfo[15].Value=3
OsInfo[16].Key=iever
OsInfo[16].Value=11.789.19041.0-11.0.1000
OsInfo[17].Key=portos
OsInfo[17].Value=0
OsInfo[18].Key=ram
OsInfo[18].Value=7399
OsInfo[19].Key=svolsz
OsInfo[19].Value=237
OsInfo[20].Key=wimbt
OsInfo[20].Value=0
OsInfo[21].Key=blddt
OsInfo[21].Value=191206
OsInfo[22].Key=bldtm
OsInfo[22].Value=1406
OsInfo[23].Key=bldbrch
OsInfo[23].Value=vb_release
OsInfo[24].Key=bldchk
OsInfo[24].Value=0
OsInfo[25].Key=wpvermaj
OsInfo[25].Value=0
OsInfo[26].Key=wpvermin
OsInfo[26].Value=0
OsInfo[27].Key=wpbuildmaj
OsInfo[27].Value=0
OsInfo[28].Key=wpbuildmin
OsInfo[28].Value=0
OsInfo[29].Key=osver
OsInfo[29].Value=10.0.19041.1586.amd64fre.vb_release.191206-1406
OsInfo[30].Key=buildflightid
OsInfo[30].Value=39c349a8-d2a6-4e3f-853f-d4b2f6ef300c
OsInfo[31].Key=edition
OsInfo[31].Value=Professional
OsInfo[32].Key=ring
OsInfo[32].Value=Retail
OsInfo[33].Key=expid
OsInfo[33].Value=RD:14F0,RD:150B,RD:1515,RD:1626,RD:16C0,RD:1807,RD:1907,RD:1C43,RD:6D7,RD:94A,RD:3361
OsInfo[34].Key=fconid
OsInfo[35].Key=containerid
OsInfo[36].Key=containertype
OsInfo[37].Key=edu
OsInfo[37].Value=0
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=IKE- und AuthIP IPsec-Schlüsselerstellungsmodule
AppPath=C:\WINDOWS\system32\svchost.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=3865C238BFA1A3C11D2BA0FB43D6ECB6
MetadataHash=1987045312

A Get-VpnServerIPsecConfiguration from the Server looks like that. So it should not need to rekey before the 8 hours are passed.

PS C:\Windows\system32> Get-VpnServerIPsecConfiguration |fl -Property *


TunnelType                 : IKEV2
GrePorts                   : 0
IdleDisconnect             : 300
Ikev2Ports                 : 0
L2tpPorts                  : 128
MMSALifeTime               : 28800
SADataSizeForRenegotiation : 102400
SALifeTime                 : 28800
SstpPorts                  : 0
EncryptionType             : RequireEncryption
PSComputerName             :
CimClass                   : root/Microsoft/Windows/RemoteAccess:VpnServerIPsecDefaultConfiguration
CimInstanceProperties      : {GrePorts, IdleDisconnect, Ikev2Ports, L2tpPorts...}
CimSystemProperties        : Microsoft.Management.Infrastructure.CimSystemProperties

Can I find a Rekeying event in a PCAP without decrypting the Traffic ?

Where should I look at to find the issue ?

Kind Regards
Marco Hald
Crosspost at https://docs.microsoft.com/en-us/answers/questions/787506/l2tp-disconnect-after-59-minutes-1-hour-only-with.html

marcohald
  • 1

0 Answers0