The Grand Method for Breaking H3C SSL VPN Client Access Failures
I. To Break It, First Establish It
1. Overview of SSL VPN access
SSL VPN is a marvellous art from the western lands: a master of it can pass documents and gather news from a thousand miles away as if standing right there, which is nothing short of epoch-making. Yet its principles differ greatly from other arts of the day, and its inner workings and outward moves vary from person to person. To resolve the many doubts of those who practise it, this manual has been written for later students to consult.
H3C SSL VPN supports three access modes: Web, TCP and IP. TCP and IP access require the VPN gateway to automatically install an ActiveX control, a virtual network adapter and a client program into the client operating system and the IE browser environment. Because installing the ActiveX control and the client involves configuration changes and file operations on the client OS and browser, and depends on the OS security settings, installed software and similar factors, some SSL VPN access failures are unavoidable in practice. To make the later discussion of specific problems and solutions easier to follow, this section first presents the normal state of a successfully connected SSL VPN client as a reference. That is what "to break it, first establish it" means.
2. A successful IP-resource connection
(1) In Device Manager on the client OS, the virtual network adapter is installed and its status is normal, as shown in Figure 1.
Figure 1 Virtual adapter present in Device Manager
(2) The client logs in to the SSL VPN without any error prompt. After login the virtual adapter is assigned an address from the SSL VPN address pool, and route entries pointing to the SSL VPN gateway are added. The destination address and mask of each route entry are those of the IP resource configured by the administrator, and the next hop is the VPN gateway, as shown in Figures 2 and 3.
Figure 2 Virtual adapter assigned an address after SSL VPN login
Figure 3 Route added after SSL VPN login
(3) When the "Allow access to VPN only" feature is not enabled, a sample log from a successful client connection looks like the following (the key lines are marked with comments for comparison when locating problems; other details are omitted as appropriate):
……
[04-28 14:35:19]: FUNC=AutoInstall, Installed the virtual network adapter successfully.
[04-28 14:35:19]: Clear DHCP Info: Installed the virtual network adaptor successfully.
[04-28 14:35:19]: Start client: Cleared the DHCP information successfully.
[04-28 14:35:19]: Start client: Initialized the virtual network adaptor successfully.
[04-28 14:35:19]: Init Proxy: Init proxy id successful!
[04-28 14:35:19]: Start client: Initialized the proxy successfully.
[04-28 14:35:19]: Split message : pMsg=GATEWAY=192.168.252.25;svpnuid=5d0ebe3167f84e3e5f3ed04180904401;port=443;TIMEOUT=60
[04-28 14:35:19]: Split message: The call is successful.
[04-28 14:35:19]: Init TransForm: Client connected to server: 192.168.252.25 port=443
[04-28 14:35:19]: Local addr of the socket after connect is:192.168.96.17,port:3138
/* client connected to the gateway and sent its request */
[04-28 14:35:20]: NET_EXTEND / HTTP/1.1
Cookie:svpnuid=5D0EBE3167F84E3E5F3ED04180904401
[04-28 14:35:20]: Splite Message: IP address is : :91.0.0.101
[04-28 14:35:20]: Splite Message: IP subnet mask is: 24
[04-28 14:35:20]: Splite Message: IP subnet route is: 2.2.2.0/24;192.168.100.10/32
[04-28 14:35:20]: Splite Message: Gateway IP address: 91.0.0.1
[04-28 14:35:20]: Splite Message:DNS IP:10.72.66.36;192.168.100.240
[04-28 14:35:20]: Splite Message:Static DNS:tech/10.154.240.55;press/10.153.3.111;tdms/10.154.243.65;h3cml04-ds/10.63.20.85;
[04-28 14:35:20]: Splite Message:DNS LIST:domain:tech,ip:10.154.240.55
[04-28 14:35:20]: Splite Message:DNS LIST:domain:press,ip:10.153.3.111
[04-28 14:35:20]: Splite Message:DNS LIST:domain:tdms,ip:10.154.243.65
[04-28 14:35:20]: Splite Message:DNS LIST:domain:h3cml04-ds,ip:10.63.20.85
[04-28 14:35:20]: Init TransForm: Contents of the packet that the gateway replied with: ReceiveBuf: HTTP/1.1 200 OK /* gateway authenticated the user and pushed the configuration */
IPADDRESS:91.0.0.101 /* address assigned to the client's virtual adapter */
SUBNETMASK:24
ROUTES:2.2.2.0/24;192.168.100.10/32 /* IP segments or addresses authorized to the user */
DNS:10.72.66.36;192.168.100.240 /* DNS servers pushed to the user by the gateway */
GATEWAY:91.0.0.1
RESTRICT:0 /* gateway does not have "Allow access to VPN only" enabled */
STATICDNS:tech/10.154.240.55;press/10.153.3.111;tdms/10.154.243.65;h3cml04-ds/10.63.20.85; /* preset domain-name entries pushed by the gateway */
[04-28 14:35:20]: Init transForm: Initialized the transmission module successfully.
[04-28 14:35:20]: Start client: Initialized the transmission channel.
[04-28 14:35:20]: Open VPN VF Driver: Opened the virtual network adaptor successfully.
[04-28 14:35:20]: Open VPN VF Driver: Initialized the virtual network adaptor successfully.
[04-28 14:35:20]: Open VPN VF Driver: Connected the virtual network adaptor successfully.
[04-28 14:35:20]: Access link: Connecting the virtual network adaptor
[04-28 14:35:20]: Start client: Opened the virtual network adaptor successfully.
[04-28 14:35:20]: Start client: Started the two main threads successfully.
[04-28 14:35:20]: SendProc: The sending thread started.
[04-28 14:35:20]: AddDnsTohosts:buf:
10.154.240.55 tech #H3C8042HJJMTW ADD /* preset domain name added to the Hosts file */
[04-28 14:35:20]: RecvProc: The receiving thread started.
[04-28 14:35:25]: Get Packet From VF Queue: Received DHCP packets.
[04-28 14:35:25]: DHCP proxy: Replied with a DHCPOFFER packet.
[04-28 14:35:25]: Get Packet From VF Queue: Received DHCP packets.
[04-28 14:35:25]: DHCP proxy: Replied with a DHCPACK packet. /* virtual adapter obtained an address via DHCP */
[04-28 14:35:25]: DoSetIpForwardEntry parameters: pszDest=2.2.2.0,pszNetMask=255.255.255.0,pszGateway=91.0.0.1,pszInterface=91.0.0.101,dwMetric=1 /* route added */
……
(4) When the "Allow access to VPN only" feature is enabled, a sample log from a successful client connection looks like the following (the key lines are marked with comments for comparison when locating problems):
……
[04-28 16:36:50]: Start client: Cleared the DHCP information successfully.
[04-28 16:36:50]: Start client: Initialized the virtual network adaptor successfully.
[04-28 16:36:50]: Init Proxy: Init proxy id successful!
[04-28 16:36:50]: Start client: Initialized the proxy successfully.
[04-28 16:36:50]: Split message : pMsg=GATEWAY=200.0.0.221;svpnuid=656d18c9bd42cc9cfed57fe4ce674400;port=443;TIMEOUT=60
[04-28 16:36:50]: Split message: The call is successful.
[04-28 16:36:50]: Init TransForm: Client connected to server: 200.0.0.221 port=443
[04-28 16:36:50]: Local addr of the socket after connect is:200.0.0.202,port:3799
/* client connected to the gateway and sent its request */
[04-28 15:00:41]: NET_EXTEND / HTTP/1.1
Cookie:svpnuid=88DD7B8285A97E7F018A9C1041AF4401
[04-28 15:00:41]: Splite Message: IP address is : :91.0.0.101
[04-28 15:00:41]: Splite Message: IP subnet mask is: 24
[04-28 15:00:41]: Splite Message: IP subnet route is: 2.2.2.0/24;192.168.100.10/32
[04-28 15:00:41]: Splite Message: Gateway IP address: 91.0.0.1
[04-28 15:00:41]: Splite Message:DNS IP:10.72.66.36;192.168.100.240
[04-28 15:00:41]: Splite Message:Static DNS:tech/10.154.240.55;press/10.153.3.111;tdms/10.154.243.65;h3cml04-ds/10.63.20.85;
[04-28 15:00:41]: Splite Message:DNS LIST:domain:tech,ip:10.154.240.55
[04-28 15:00:41]: Splite Message:DNS LIST:domain:press,ip:10.153.3.111
[04-28 15:00:41]: Splite Message:DNS LIST:domain:tdms,ip:10.154.243.65
[04-28 15:00:41]: Splite Message:DNS LIST:domain:h3cml04-ds,ip:10.63.20.85
[04-28 15:00:41]: Init TransForm: Contents of the packet that the gateway replied with: ReceiveBuf: HTTP/1.1 200 OK /* gateway authenticated the user and pushed the configuration */
IPADDRESS:91.0.0.101 /* address assigned to the client's virtual adapter */
SUBNETMASK:24
ROUTES:2.2.2.0/24;192.168.100.10/32 /* IP segments or addresses authorized to the user */
DNS:10.72.66.36;192.168.100.240 /* DNS servers pushed to the user by the gateway */
GATEWAY:91.0.0.1
RESTRICT:1 /* gateway has "Allow access to VPN only" enabled */
STATICDNS:tech/10.154.240.55;press/10.153.3.111;tdms/10.154.243.65;h3cml04-ds/10.63.20.85; /* preset domain-name entries pushed by the gateway */
[04-28 15:00:41]: Init transForm: Initialized the transmission module successfully.
[04-28 15:00:41]: Start client: Initialized the transmission channel.
[04-28 15:00:41]: Open VPN VF Driver: Opened the virtual network adaptor successfully.
[04-28 15:00:41]: Open VPN VF Driver: Initialized the virtual network adaptor successfully.
[04-28 15:00:41]: Open VPN VF Driver: Connected the virtual network adaptor successfully.
[04-28 15:00:41]: Access link: Connecting the virtual network adaptor
[04-28 15:00:41]: Start client: Opened the virtual network adaptor successfully.
[04-28 15:00:41]: Start client: Started the two main threads successfully.
[04-28 15:00:41]: AddDnsTohosts:buf:
10.154.240.55 tech #H3C8042HJJMTW ADD /* preset domain name added to the Hosts file */
[04-28 15:00:41]: SendProc: The sending thread started.
[04-28 15:00:41]: RecvProc: The receiving thread started.
[04-28 15:00:45]: Get Packet From VF Queue: Received DHCP packets.
[04-28 15:00:45]: DHCP proxy: Replied with a DHCPOFFER packet.
[04-28 15:00:45]: Get Packet From VF Queue: Received DHCP packets.
[04-28 15:00:45]: DHCP proxy: Replied with a DHCPACK packet. /* virtual adapter obtained an address via DHCP */
[04-28 15:00:45]: ip:6500005b(91.0.0.101)/0
[04-28 15:00:45]: ip:6500005b(91.0.0.101)/100007f
[04-28 15:00:45]: ip:6500005b(91.0.0.101)/1160a8c0
[04-28 15:00:45]: ip:6500005b(91.0.0.101)/ca0000c8
[04-28 15:00:45]: Get packet from queue: Received ARP packets.
[04-28 15:00:45]: ARP proxy: The destination IP address is the address of the local device.
[04-28 15:00:45]: Get packet from queue: Received ARP packets.
[04-28 15:00:45]: Get packet from queue: Received ARP packets.
[04-28 15:00:45]: ARP proxy: The destination IP address is the address of the local device.
[04-28 15:00:46]: ip:6500005b(91.0.0.101)/6500005b
[04-28 15:00:46]: Found the network adaptor with the IP address 91.0.0.101.
[04-28 15:00:46]: The local addr of the socket is:192.168.96.17
[04-28 15:00:46]: ip:1160a8c0(192.168.96.17)/6500005b
[04-28 15:00:46]: ip:1160a8c0(192.168.96.17)/100007f
[04-28 15:00:46]: ip:1160a8c0(192.168.96.17)/1160a8c0
[04-28 15:00:46]: Found the network adaptor with the IP address 192.168.96.17.
[04-28 15:00:46]: Set the host route successfully. The gateway address is fe63a8c0:
/* host route set */
[04-28 15:00:46]: Backed up the route. The IP address of the next hop is: fe63a8c0
/* route backed up */
[04-28 15:00:46]: Get packet from queue: Received ARP packets.
II. Inner Cultivation: Basic Configuration and Client Environment Checks
1. The SSL VPN gateway configuration, including users, user groups, resources, resource groups, permissions and authentication, can be verified against the SSL VPN product's user manual and configuration guides.
2. Client environment problems
(1) A newer IE version is used to open the login page without enabling IE's "Compatibility View".
(2) A newer IE version is used without disabling "Protected Mode" and adding the SSL VPN gateway address to Trusted Sites.
(3) The ActiveX control was not installed as prompted at the first SSL VPN login.
(4) The browser forbids installing or running ActiveX controls, or the control has been disabled in IE's Manage Add-ons page. Enable the ActiveX-related items under "Internet Options" > "Security" so that the browser no longer restricts the control.
(5) A 64-bit browser is used while the SSL VPN gateway software version has not been updated.
(6) A software firewall or antivirus installed on the client OS blocks installation or execution of the ActiveX control, so the control cannot modify the system registry and the client program fails to download automatically.
(7) A software firewall or antivirus installed on the client OS blocks the client program from modifying host routes or the Hosts file.
(8) The client OS is missing patches or has missing system files.
(9) Automatic installation of the virtual adapter failed and the adapter is not enabled.
(10) On Windows XP/2003 Server, the DHCP Client service is abnormal, so the virtual adapter cannot request and obtain an address.
(11) Files such as "VPNActX.DLL" were not updated when the browser prompted for it at login.
3. DNS resolution problems
(1) An internal DNS server address is assigned to IP-access clients, but that address is not authorized to the client as a resource, so DNS resolution fails.
(2) After the client PC joins a domain, DNS queries forwarded through the virtual adapter are not automatically completed with the domain suffix, so resolution fails.
(3) When IP resources are accessed by domain name, the DNS servers of the local adapter and those pushed by the SSL VPN interfere with each other; the resolution order cannot be guaranteed and resolution fails.
III. Mistaking the Part for the Whole: IP Resource Correctly Configured and Authorized, but No IP Global Configuration
1. Symptom
The SSL VPN administrator has correctly configured the IP resource and authorized it to the user, but after the user logs in to the SSL VPN the browser pops up the following prompt:
Figure 4 Client start-up failure error
2. Troubleshooting steps
(1) Check the SSL VPN client log. If the following lines appear, this problem is the likely cause.
……
[03-31 14:23:48]: Init TransForm: Client connected to server: 100.0.0.221 port=443
[03-31 14:23:48]: Local addr of the socket after connect is:100.0.0.202,port:4346
[03-31 14:23:49]: NET_EXTEND / HTTP/1.1
Cookie:svpnuid=3293DA6B37A5D2C9C03997DB3FE74401
[03-31 14:23:49]: Init TransForm: Failed to read the message recurrently! Received a wrong packet: x
[03-31 14:23:49]: Start client: Failed to initialize the gateway transmission channel.
[03-31 14:23:49]: ========
[03-31 14:23:49]: No result returned from the server.
[03-31 14:23:49]: Release resource: Releasing the resource
……
(2) Complete the IP address pool and related items under "Global Configuration". In particular, make sure the pool addresses do not conflict with the other interface addresses of the SSL VPN gateway or with other segments of the user's corporate intranet.
IV. Nothing Automatic About It: AutoHome Access Failure
1. Symptom
The SSL VPN gateway supports the AutoHome feature. The administrator adds the resources that should open automatically after a successful VPN login to the system's default resource group autohome, then authorizes the autohome group to the user. Ordinary users then no longer see the resource access page after login; the resources added to the group open directly, and a VPN control window pops up at the same time.
An administrator misconfiguration, however, can cause the resource to fail to open, as shown in Figure 5.
Figure 5 Client start-up failure error
2. Troubleshooting steps
(1) Check the SSL VPN client log. If the following lines appear, this problem is the likely cause.
……
[03-31 14:23:48]: Init TransForm: Client connected to server: 100.0.0.221 port=443
[03-31 14:23:48]: Local addr of the socket after connect is:100.0.0.202,port:4346
[03-31 14:23:49]: NET_EXTEND / HTTP/1.1
Cookie:svpnuid=3293DA6B37A5D2C9C03997DB3FE74401
[04-12 11:16:46]: Splite Message: Failed the authentication by the server, the code returned by the server= 556
[04-12 11:16:46]: Init TransForm: Failed to resolve the packet that the gateway replied with! x
[04-12 11:16:46]: Start client: Failed to initialize the gateway transmission channel.
[04-12 11:16:46]: ========
[04-12 11:16:46]: 未知故障,请尝试重新登录!
……
(2) This problem is usually caused by the resource not having been authorized to the user as an IP resource. Configure the service resource as an IP resource and authorize it to that user to resolve it.
V. Fighting Oneself: IP Global Address Pool Conflicts with the User's Local Address
1. Symptom
After the user logs in to the SSL VPN, the browser pops up the following prompt:
Figure 6 Client start-up failure error
2. Troubleshooting steps
(1) Check the SSL VPN client log. If the following lines appear, this problem is the likely cause.
……
[03-31 14:49:33]: Get VF Index: Found the virtual network adaptor.
[03-31 14:49:33]: Splite Message: IP address assigned to the virtual network adaptor conflicts with that of the local network adaptor.
[03-31 14:49:33]: Init TransForm: Failed to resolve the packet that the gateway replied with! x
[03-31 14:49:33]: Start client: Failed to initialize the gateway transmission channel.
[03-31 14:49:33]: ========
[03-31 14:49:33]: IP address assigned to the virtual network adaptor conflicts with that of the local network adaptor!
……
(2) Check the SSL VPN gateway's global configuration and the client PC's configuration: the VPN address pool and the client PC's adapter address are in the same network segment, as in the examples of Figures 7 and 8.
Figure 7 IP global address pool configuration
Figure 8 Client local IP configuration
(3) Change the IP address pool under "Global Configuration" so that the pool addresses no longer conflict with the client's local network segment. For the same reason, it is generally not recommended to use common segments such as 192.168.0.0 or 192.168.1.0 for the address pool.
VI. Self-Redemption: SSL VPN Gateway Address Included in an IP Resource Authorized to the User
1. Symptom
After login the user cannot access IP resources, and after a while the client pops up a "client is connecting" message, as shown in Figure 9:
Figure 9 Client error message
2. Troubleshooting steps
(1) Check the SSL VPN client log. If the following lines appear, this problem is the likely cause.
……
[04-01 14:44:08]: RestartClient: Succeed to restart IP Client.
[04-01 14:44:08]: SendProc: The sending thread quitted.
[04-01 14:46:24]: Receive procedure: Failed to receive the packet header. Error No = 10054
[04-01 14:46:24]: [04-01 14:46:24]: RecvProc: The receiving thread quitted.
SendProc, Quitted the thread from non-running state.
……
(2) There are two fixes; either one is enough: 1. change the IP resource so that the SSL VPN gateway address is no longer included in the authorized IP resource segment; 2. enable the "Allow access to VPN only" feature, so that after the user logs in to the SSL VPN the system automatically adds the correct route entry to the SSL VPN gateway on the client OS.
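The gateway reply quoted in section I and the three configuration faults of sections 2.3(1), V and VI can be checked mechanically. The following is an added example, not H3C's code: a Python parser for the KEY:value reply in the form it appears in the log, plus the three checks. The reply text, the local adapter address and the gateway address are constructed samples chosen so that every check fires; the exact on-the-wire format of the real client is assumed to match the log excerpt.

```python
import ipaddress

# Constructed sample in the KEY:value layout of the NET_EXTEND reply quoted in
# the article's logs; the values are made up so that every check below fires.
FAULTY_REPLY = """HTTP/1.1 200 OK
IPADDRESS:192.168.1.101
SUBNETMASK:24
ROUTES:10.5.25.0/24;203.0.113.0/24
DNS:10.72.66.36
GATEWAY:192.168.1.1
RESTRICT:0
STATICDNS:tech/10.5.25.55;press/10.5.25.111;
"""

def parse_reply(text):
    """Turn the gateway's KEY:value reply into typed fields (format assumed from the log)."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("gateway reply is not 200 OK")  # cf. the section III / IV failures
    raw = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        raw[key.strip()] = value.strip()
    items = lambda s: [x for x in s.split(";") if x]  # ';'-separated lists, may end in ';'
    return {
        "address": ipaddress.ip_interface(f"{raw['IPADDRESS']}/{raw['SUBNETMASK']}"),
        "routes": [ipaddress.ip_network(r, strict=False) for r in items(raw["ROUTES"])],
        "dns": [ipaddress.ip_address(d) for d in items(raw.get("DNS", ""))],
        "gateway": ipaddress.ip_address(raw["GATEWAY"]),
        "restrict": raw.get("RESTRICT") == "1",
        "static_dns": dict(e.split("/", 1) for e in items(raw.get("STATICDNS", ""))),
    }

def check_config(cfg, local_ifaces, vpn_gateway):
    """Flag the faults of sections 2.3(1), V and VI. local_ifaces: the PC's physical
    adapter addresses as 'ip/prefix' strings; vpn_gateway: the GATEWAY= address in the log."""
    problems = []
    pool = cfg["address"].network
    for iface in map(ipaddress.ip_interface, local_ifaces):
        if pool.overlaps(iface.network):  # section V: pool and local adapter in one segment
            problems.append(f"section 5: address pool {pool} overlaps local adapter {iface}")
    gw = ipaddress.ip_address(vpn_gateway)
    # section VI: a gateway inside an authorized route gets tunnelled; RESTRICT:1 adds a host route instead
    if not cfg["restrict"] and any(gw in r for r in cfg["routes"]):
        problems.append(f"section 6: VPN gateway {gw} lies inside an authorized IP resource")
    for d in cfg["dns"]:
        if not any(d in r for r in cfg["routes"]):  # section 2.3(1): DNS server not authorized
            problems.append(f"section 2.3: DNS server {d} is not covered by any authorized route")
    return problems
```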
VII. Short Measure: Missing OS Components or Patches Cause ActiveX Installation to Fail
1. Symptom
The user opens the SSL VPN and logs in; the browser prompts to install the ActiveX control, but after clicking Install the message "Failed to install ActiveX control" appears.
2. Troubleshooting steps
(1) Registering and installing an ActiveX control requires certain system components (*.dll) to be installed and registered beforehand. If these files are missing, damaged or unregistered, the ActiveX control fails to install. The error above is usually caused by missing components in the system preventing other ActiveX files from installing. Try installing the control manually as follows.
(2) Download the ActiveX control installation package from the SSL VPN login page.
(3) In "Start > Run", enter regsvr32 atl.dll and press Enter. If it reports success, run setup.exe from the ActiveX installation package to reinstall the control manually.
(4) If "regsvr32 atl.dll" fails, check whether the three files "msvcp60.dll", "mfc42.dll" and "msvcrt.dll" exist in the Windows system directory (system32); if not, copy them from another PC that works normally. Then check whether "atl.dll" exists in the system directory; if not, restore it the same way and run "regsvr32 atl.dll" from "Start > Run". Once these steps are done, try installing the ActiveX control manually again.
VIII. Returning from the Wrong Path: Virtual Adapter Installed, but the Client Does Not Send a DHCP Request
1. Symptom
The SSL VPN virtual adapter has been installed in the client OS, but the client does not send a DHCP request, so automatic IP address assignment fails and the browser pops up the following prompt:
Figure 10 Client start-up failure error
2. Troubleshooting steps
(1) Check the SSL VPN client log. If the following lines appear, this problem is the likely cause.
……
[04-01 11:01:45]: SendProc, Quitted the thread from non-running state.
[04-01 11:01:45]: SendProc: The sending thread quitted. /* no DHCP address request logged */
[04-01 11:01:45]: start client: Failed to set route.
[04-01 11:01:45]: Receive procedure1: Peer socket closed!
[04-01 11:01:45]: RecvProc: Preparing to release the resources
……
(2) This problem is usually caused by client OS settings. Try adding the value DisableDHCPMediaSense (type DWORD, data 0) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the registry and verify whether it resolves the problem, as shown in Figure 11.
Figure 11 Adding the value in the registry
IX. Borrowing Trouble: Software Firewall or Antivirus Blocks the Client from Modifying Routes or the Hosts File
1. Symptom
After the SSL VPN user logs in, access to intranet resources is abnormal, and the software firewall or third-party antivirus installed on the client OS shows an alert or a log entry.
2. Troubleshooting steps
(1) Check the SSL VPN client log. If the following lines appear, this problem is the likely cause.
……
[04-15 17:35:22]: Found the network adaptor with the IP address 172.16.112.30.
[04-15 17:35:22]: Set IP forward entry: Failed to add 10.5.25.0 to the routing table, dwStatus = 5
(2) After the SSL VPN client starts, depending on the features in use, it modifies the client OS routing table or the Hosts file. A software firewall or antivirus installed on the client OS may misjudge these actions as malware behaviour, so that access to intranet resources fails after the client starts. In that case, allow the SSL VPN client's actions according to the actual situation and the software's prompts.
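The signature lines quoted in sections III to IX can be turned into a first-pass triage of a client log. This is an added example, not from the article or H3C: a Python helper that matches those lines and names the corresponding case, including the section VIII case, which is recognised by the absence of a DHCP reply. The sample log is constructed, the patterns are taken from the excerpts above, and the reading of dwStatus 5 as the Windows access-denied error is a general Windows fact, not something the article states.

```python
import re

# Signature lines quoted in sections III to IX of the article, paired with the case they point to.
SIGNATURES = [
    (r"Failed to read the message recurrently|No result returned from the server",
     "section 3: IP global configuration (address pool) missing on the gateway"),
    (r"code returned by the server= ?556",
     "section 4: AutoHome resource not authorized to the user as an IP resource"),
    (r"conflicts with that of the local network adaptor",
     "section 5: address pool overlaps the client's local adapter address"),
    (r"Failed to receive the packet header\. Error No = 10054",
     "section 6: SSL VPN gateway address included in an authorized IP resource"),
    (r"Failed to add \S+ to the routing table, dwStatus = 5\b",
     "section 9: firewall/antivirus blocked the route change (Win32 error 5 is access denied)"),
]

# Constructed sample log modelled on the section VIII excerpt (not a real client log).
SAMPLE_LOG = """[04-01 11:01:45]: SendProc: The sending thread quitted.
[04-01 11:01:45]: start client: Failed to set route.
[04-01 11:01:45]: Receive procedure1: Peer socket closed!
"""

def diagnose_log(text):
    """Return the article's diagnoses whose signature lines appear in the log, in section order."""
    findings = [verdict for pattern, verdict in SIGNATURES if re.search(pattern, text)]
    # section VIII is an absence: route setup fails and the DHCP proxy never answered a request
    if "Failed to set route" in text and "DHCP proxy: Replied with a DHCPACK" not in text:
        findings.append("section 8: virtual adapter never sent a DHCP request "
                        "(check the DisableDHCPMediaSense registry value)")
    return findings
```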