How to stop Windows Filtering Platform blocking ICMP packets for legitimate RDP traffic over L2TP tunnel

Tags: icmp, l2tp, windows-firewall, windows-server-2008-r2

RDP via Windows 2008 L2TP to Windows 10 Pro never worked flawlessly. The first attempt in September 2018 needed the client Cord.app to be replaced with Royal TSX on OS X 10.9.5. The remote Win10 box crashed and was recently re-installed with all the latest and greatest Windows updates as of 16 November 2018, as was the local Windows 2008 R2 SBS box that serves as the VPN router using L2TP.

[Image: Network client server Windows 10 Pro schematic]

The L2TP client gets an IPv4 address assigned in the twenties (.21, .22, etc.).

Since November 16th, even with Royal TSX I am unable to get a usable RDP connection to the remote Windows 10 Pro box via the tunnel, nor with Cord. Both connection attempts stop when the initial screen display is partially finished:

[Image: RDP to Windows 10 Pro via Windows 2008 R2 L2TP, partially finished]
And about 10 seconds later the L2TP connection terminates.

The Windows 2008 Security event log reveals that ICMP packets are dropped with EventID 5152, task 12809 and EventData:

ProcessId 0 
  Application - 
  Direction %%14593 (=Outbound)
  SourceAddress 10.0.0.37 
  SourcePort 0 
  DestAddress 10.0.0.22 
  DestPort 0 
  Protocol 1 
  FilterRTID 141619 
  LayerName %%14601 (=ICMP error)
  LayerRTID 32 

This event is logged 6 times, with a 2 second interval between messages (1+2) and (3+4), and a 3 second interval between (3+4) and (5+6). The only difference is the consecutive EventRecordID. No further diffs in the XML view.

Regression

  1. Similar questions like Windows Filtering Platform blocking packets for legitimate traffic or How do I fix the built-in Windows Firewall which is blocking packets despite a configured exception? don't bring me a clue.
  2. There is no virtualization involved here, so I don't see the need to disable TCP NIC offloading.
  3. I created both an inbound and an outbound Firewall rule to allow all ICMP traffic for 10.0.0.0/24 to 10.0.0.0/24. ICMP packets during RDP via L2TP are still dropped.
  4. auditpol disable logging is not a solution.
  5. Reducing the MTU to 1280 bytes doesn't improve anything.
  6. Switching the client to a Mikrotik router network (from a Fritz!Box OS 06.83 home router device) did improve twice; using an iPhone4 as a GSM router, connected over Wi-Fi or USB, doesn't improve anything.
  7. Upgrading to Fritz!OS 7.01 doesn't improve anything.
  8. A Windows 7 box in the same network as the Win10 box suffers from identical RDP L2TP VPN issues: packets are dropped and the L2TP link gets disconnected about a minute after starting the RDP session.

On Mikrotik (no disconnect issue, with MTU set to auto):

$ ping -D -c 1 -s 1472 host.domain.nl     (22-11-18 10:06)
PING host.domain.nl (1.4.6.2): 1472 data bytes
1480 bytes from 1.4.6.2: icmp_seq=0 ttl=32 time=98.001 ms
$ ping -D -c 1 -s 1473 host.domain.nl     (22-11-18 10:06)
PING host.domain.nl (1.4.6.2): 1473 data bytes
ping: sendto: Message too long

On Fritz!OS 7.01: ping size 1464 = OK, 1465 = frag needed and DF set (MTU 1492).

How can I make the Windows Filtering Platform (WFP) stop dropping ICMP packets that are sent over the Windows routing engine for authenticated L2TP tunnels?
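As an added triage aid (example code, not part of the question or answer above), the script below takes Event ID 5152 records in the EventData layout shown in the question, keeps only outbound ICMP drops towards the tunnel network, groups them by flow and FilterRTID, and reports the spacing between consecutive drops. The timestamps and EventRecordIDs in the sample are constructed; the addresses, protocol and filter/layer ids are taken from the question.

```python
from datetime import datetime

ICMP = 1               # Protocol field value for ICMP
OUTBOUND = "%%14593"   # Direction field value for outbound (as in the question)

def _ev(rid, ts, proto=ICMP, dst="10.0.0.22"):
    """Build one 5152 EventData record (constructed sample, fields per the question)."""
    return {"EventRecordID": rid, "Time": ts, "Direction": OUTBOUND,
            "SourceAddress": "10.0.0.37", "DestAddress": dst, "Protocol": proto,
            "FilterRTID": 141619, "LayerName": "%%14601", "LayerRTID": 32}

# Six ICMP drops spaced 0/2/0/3/0 seconds apart, plus one unrelated TCP drop
# (assumed values, used only to show that the filter ignores it).
SAMPLE_5152 = [
    _ev(9001, "2018-11-22T10:06:00"), _ev(9002, "2018-11-22T10:06:00"),
    _ev(9003, "2018-11-22T10:06:02"), _ev(9004, "2018-11-22T10:06:02"),
    _ev(9005, "2018-11-22T10:06:05"), _ev(9006, "2018-11-22T10:06:05"),
    _ev(9007, "2018-11-22T10:06:07", proto=6),
]

def icmp_drops(events, tunnel_net="10.0.0."):
    """Outbound ICMP 5152 drops whose destination lies in the tunnel network."""
    return [e for e in events
            if e["Protocol"] == ICMP and e["Direction"] == OUTBOUND
            and e["DestAddress"].startswith(tunnel_net)]

def drop_intervals(drops):
    """Whole seconds between consecutive drops, ordered by EventRecordID."""
    ordered = sorted(drops, key=lambda e: e["EventRecordID"])
    times = [datetime.fromisoformat(e["Time"]) for e in ordered]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def summarize(events, tunnel_net="10.0.0."):
    """Count drops per (src, dst, FilterRTID) flow and report their spacing."""
    drops = icmp_drops(events, tunnel_net)
    flows = {}
    for e in drops:
        key = (e["SourceAddress"], e["DestAddress"], e["FilterRTID"])
        flows[key] = flows.get(key, 0) + 1
    return {"count": len(drops), "flows": flows, "intervals": drop_intervals(drops)}

if __name__ == "__main__":
    print(summarize(SAMPLE_5152))
```

The FilterRTID in each flow key is the value to match against a WFP filter dump (for example the output of `netsh wfp show filters`) to identify which filter is actually discarding the ICMP error messages.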

Best Answer

The partial screen load before failure looks to me like an MTU size mismatch. It is common for tunnels to have a smaller MTU than 1500.

As a test, temporarily reduce the configured MTU of your RDP client to see if it makes a difference. If your client is running Windows, here is a link: https://becomethesolution.com/how-to-change-and-check-windows-mtu-size
