SSTP: recvd too small packet

nejko
just joined
 
Posts: 16
Joined: Fri Jul 03, 2009 8:23 am

SSTP: recvd too small packet

by nejko » Sun Jan 15, 2012 12:31 am

Hi,

I have a RB433A device with RouterOS 5.11. I have been running SSTP (with RADIUS auth) successfully for a while now, everything was OK until recently, when my wife (we both have Windows 7) could not establish SSTP VPN any more. She would get the error, shown in this screenshot:

[Attached screenshot: Capture2.PNG]


On RB433A, this error is shown in the debug sstp log:

[Attached screenshot: Capture.JPG]


For me, SSTP is established fine. 2 other remote workers also have the same problem as my wife (we all use Windows 7). The certificate is valid for another month or so. My wife and I establish VPN from the same local network over the internet to the RB433A device.

Any ideas? I Wiresharked both TCP sessions of connection establishment, however the SSL error is sent encrypted back from the server, so I can't read it. Perhaps I'll try with ssldump to see what actually is sent over by the server to the failing clients.

However, can anybody help me with the "recvd too small packet" error?

Thanks,
Nejc

alantang888
just joined
 
Posts: 9
Joined: Mon Jan 16, 2012 7:20 am

Re: SSTP: recvd too small packet

by alantang888 » Mon Jan 16, 2012 7:22 am

I got the same problem, but the Windows error code is 631. I'm looking for how to solve it too.

liquidcz
Frequent Visitor
 
Posts: 73
Joined: Tue Dec 28, 2010 2:24 pm

Re: SSTP: recvd too small packet

by liquidcz » Mon Jan 16, 2012 9:31 am

I have exactly the same issue with Windows error 631.

RB750 ROS 5.11 - the same issue
RB750G ROS 5.11 - the same issue
RB433AH ROS 5.11 - the same issue

Clients are Windows 7 x64 SP1 with latest patches.

It's not an issue with the clients, because SSTP connections to another VPN server (Windows Server 2008 R2 with RRAS) function correctly.

Kindis
just joined
 
Posts: 22
Joined: Tue Nov 01, 2011 7:54 pm

Re: SSTP: recvd too small packet

by Kindis » Mon Jan 16, 2012 10:24 pm

I also have the same issue. First time I used it since upgrading to 5.11 from 5.9.
Running RB493G

rabatin
just joined
 
Posts: 3
Joined: Mon May 31, 2010 9:13 am

Re: SSTP: recvd too small packet

by rabatin » Mon Jan 16, 2012 10:38 pm

I have the exact same problem, tried adding sstp user manually to no avail.

rabatin
just joined
 
Posts: 3
Joined: Mon May 31, 2010 9:13 am

Re: SSTP: recvd too small packet

by rabatin » Mon Jan 16, 2012 10:40 pm

Same issue here, tried adding sstp user manually, using RB1100 + RouterOS 5.11.

sedael
just joined
 
Posts: 4
Joined: Mon Oct 18, 2010 1:47 pm

Re: SSTP: recvd too small packet

by sedael » Tue Jan 17, 2012 1:07 am

I think there is a problem with some Windows 7 update.
I have the same problem on an updated Windows 7 Ultimate, while on a secondary netbook I can connect to SSTP without a problem.

I will install the pending updates one by one and try to detect which one causes the problem.

sedael
just joined
 
Posts: 4
Joined: Mon Oct 18, 2010 1:47 pm

Re: SSTP: recvd too small packet

by sedael » Tue Jan 17, 2012 2:38 am

I found it.
There is an update, KB2585542 (http://support.microsoft.com/kb/2585542), which fixes some issues in SSL.

There is an explanation of the problem and suggested fixes (editing the Registry ;-( ):
http://social.technet.microsoft.com/For ... 3fd2ff4931

Maybe someone on the MikroTik team will find a better solution.

Kindis
just joined
 
Posts: 22
Joined: Tue Nov 01, 2011 7:54 pm

Re: SSTP: recvd too small packet

by Kindis » Tue Jan 17, 2012 8:18 am

Bygger ;-) This update is a security fix for SSL and TLS itself, from what I understand. So there should be a similar fix for MikroTik!

liquidcz
Frequent Visitor
 
Posts: 73
Joined: Tue Dec 28, 2010 2:24 pm

Re: SSTP: recvd too small packet

by liquidcz » Tue Jan 17, 2012 11:57 am

I confirm that the source of the trouble is MS patch KB2585542.

When I uninstall this patch, MikroTik SSTP works great.

After that, I installed this patch again and tried adding the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord - 2). Well, MikroTik SSTP VPN works great again.

nejko
just joined
 
Posts: 16
Joined: Fri Jul 03, 2009 8:23 am

Re: SSTP: recvd too small packet

by nejko » Tue Jan 17, 2012 3:27 pm

Regedit hack works for me too. Thanks!

Nejc

Kindis
just joined
 
Posts: 22
Joined: Tue Nov 01, 2011 7:54 pm

Re: SSTP: recvd too small packet

by Kindis » Wed Jan 18, 2012 8:29 am

The update was aimed at correcting issues with TLS and SSL. If Microsoft has corrected this, shouldn't MikroTik do the same?

liquidcz
Frequent Visitor
 
Posts: 73
Joined: Tue Dec 28, 2010 2:24 pm

Re: SSTP: recvd too small packet

by liquidcz » Wed Jan 18, 2012 7:13 pm

Kindis wrote: The update was aimed to correct issues with tls and ssl. If Microsoft have corrected this shouldn't mikrotik do the same?

Definitely yes, but this is a functional fix until MikroTik releases a corrected ROS.

alantang888
just joined
 
Posts: 9
Joined: Mon Jan 16, 2012 7:20 am

Re: SSTP: recvd too small packet

by alantang888 » Thu Jan 19, 2012 10:16 am

After adding the regedit, SSTP works again!!

Thanks a lot!

dousin
just joined
 
Posts: 5
Joined: Fri Jun 17, 2011 11:54 pm

Re: SSTP: recvd too small packet

by dousin » Fri Jan 27, 2012 6:12 pm

I have the same issue (too small packet) (Windows error 631) even with RouterOS 5.12.
... going to try the registry fix.
Dousin. RB493G

dragon2611
Frequent Visitor
 
Posts: 90
Joined: Fri Sep 25, 2009 12:06 am

Re: SSTP: recvd too small packet

by dragon2611 » Thu Feb 02, 2012 1:51 am

Ah thanks, that was driving me nuts. I was trying to figure out what I'd done to my laptop to break SSTP, seeing as it had worked the last time I'd used it and was working fine between routerboards.

michalciza2
just joined
 
Posts: 2
Joined: Mon Jan 18, 2010 12:34 am

Re: SSTP: recvd too small packet

by michalciza2 » Thu Feb 02, 2012 12:06 pm

What about MikroTik ROS developers? Are you guys going to fix this issue in the next version? We need the fix ASAP.

Thanks!

mrz
MikroTik Support
 
Posts: 4090
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: SSTP: recvd too small packet

by mrz » Thu Feb 09, 2012 6:04 pm

We have found and fixed the problem. Please wait for the v5.13 release.

siuslawbb
just joined
 
Posts: 24
Joined: Thu May 19, 2011 9:45 pm

Re: SSTP: recvd too small packet

by siuslawbb » Tue Aug 06, 2013 7:44 pm

FYI, I have confirmed that this bug is back in Windows 8.1 and ROS 6.1. After adding SendExtraRecord with a hexadecimal base value of 2, the problem is resolved.

rdolezel
just joined
 
Posts: 3
Joined: Sat Sep 14, 2013 3:31 pm

Re: SSTP: recvd too small packet

by rdolezel » Sat Sep 14, 2013 3:53 pm

I have to confirm this bug too, don't know if it is RouterOS or MS bug this time:
server - ROS 6.3
clients - W2012 R2

Adding registry key helped me too.

Radek

r2504
just joined
 
Posts: 24
Joined: Sat Jan 21, 2012 4:00 pm

Re: SSTP: recvd too small packet

by r2504 » Sat Sep 21, 2013 11:18 am

I had the same issue on my Windows RT 8.1... adding the registry entry also solved it.

Reading http://support.microsoft.com/kb/2643584 it however means that the SSTP implementation is flawed on RouterOS.
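An added illustration of the failure class discussed in this thread (not part of any post, and not RouterOS code): once the SChannel update splits the first byte of each write into its own TLS record, a receiver that assumes one TLS record holds one whole SSTP packet rejects the 1-byte record, while a receiver that reassembles the byte stream is unaffected. The per-record receiver is a hypothetical model, the payload is constructed sample data, and the 4-byte header layout (version 0x10, C bit, 12-bit length) follows the MS-SSTP specification.

```python
import struct

SSTP_HEADER_LEN = 4  # version, reserved/C bit, 16-bit field holding a 12-bit length

def sstp_packet(payload, control=False):
    """Build an SSTP packet: 4-byte header followed by the payload."""
    length = SSTP_HEADER_LEN + len(payload)
    return struct.pack("!BBH", 0x10, int(control), length & 0x0FFF) + payload

def tls_records(data, split):
    """Plaintext of the TLS application-data records one write turns into.
    split=True models 1/n-1 record splitting (first record carries 1 byte),
    split=False models the behaviour with SendExtraRecord set to 2."""
    if split and len(data) > 1:
        return [data[:1], data[1:]]
    return [data]

def per_record_receiver(records):
    """Fragile design (assumed for illustration): one TLS record == one SSTP packet."""
    packets = []
    for rec in records:
        if len(rec) < SSTP_HEADER_LEN:
            raise ValueError("recvd too small packet")
        packets.append(rec)
    return packets

def stream_receiver(records):
    """Robust design: treat TLS plaintext as a byte stream, frame by SSTP length."""
    buf, packets = b"", []
    for rec in records:
        buf += rec
        while len(buf) >= SSTP_HEADER_LEN:
            length = struct.unpack("!H", buf[2:4])[0] & 0x0FFF
            if length < SSTP_HEADER_LEN:
                raise ValueError("invalid SSTP length")
            if len(buf) < length:
                break  # wait for the rest of this packet in a later record
            packets.append(buf[:length])
            buf = buf[length:]
    return packets

# Constructed sample: a short PPP-like payload inside an SSTP data packet.
PKT = sstp_packet(b"\xc0\x21\x01\x01\x00\x04")
```

Setting SendExtraRecord to 2 corresponds to `split=False` here: it makes the fragile receiver work again by turning the client-side mitigation off, which is why the thread keeps asking for a server-side fix.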

rjickity
Member Candidate
 
Posts: 191
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: SSTP: recvd too small packet

by rjickity » Mon Sep 23, 2013 6:54 am

Our Windows 8.1 clients also needed this registry addition to fix this one.

mrz
MikroTik Support
 
Posts: 4090
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: SSTP: recvd too small packet

by mrz » Thu Sep 26, 2013 2:23 pm

Currently ROS uses TLS v1.0.
We will look into this issue and upgrade to a newer TLS version.

rabatin
just joined
 
Posts: 3
Joined: Mon May 31, 2010 9:13 am

Re: SSTP: recvd too small packet

by rabatin » Mon Oct 21, 2013 7:40 pm

Same here, added the registry fix for Windows 8.1.

petterg
Frequent Visitor
 
Posts: 80
Joined: Wed Sep 16, 2009 2:55 pm

Re: SSTP: recvd too small packet

by petterg » Thu Oct 24, 2013 6:27 am

The registry fix did not solve the problem for my user who upgraded to Windows 8.1. I guess there is something more that has to be fixed when using RADIUS for authentication?
(PPTP also fails to authenticate using RADIUS, and the router never sends auth packets to the RADIUS server, neither for PPTP nor SSTP. Both PPTP and SSTP work with RADIUS when the client is Win7/Win8.0.)

rjickity
Member Candidate
 
Posts: 191
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: SSTP: recvd too small packet

by rjickity » Sat Oct 26, 2013 4:34 pm

Petterg, I'm using SSTP and RADIUS for auth and 8.1 clients are connecting fine (after the registry fix).


nurmia
newbie
 
Posts: 28
Joined: Thu Oct 03, 2013 4:34 pm

Re: SSTP: recvd too small packet

by nurmia » Mon Oct 28, 2013 9:25 am

Excellent review here. I definitely agree with all your points Alan. Good job!

petterg
Frequent Visitor
 
Posts: 80
Joined: Wed Sep 16, 2009 2:55 pm

Re: SSTP: recvd too small packet

by petterg » Sun Dec 01, 2013 11:59 pm

A little update here, as the registry fix didn't work for one of my users.
The next time I had the user's PC in my hands I searched through the registry for keys named "SCHANNEL" and added the key value to all the hits I got. That solved the problem. The search got 4-5 hits. I don't know which key did the trick.

frekn0
just joined
 
Posts: 2
Joined: Thu Jan 30, 2014 4:45 pm

Re: SSTP: recvd too small packet

by frekn0 » Tue Feb 04, 2014 3:08 pm

I can confirm that the registry change worked for me as well - a first time setup with a test user (Win8.1).

I will read up on the links you all so kindly passed on in the thread, but perhaps someone could share their opinion on the implications of making the required change to the registry (i.e. BEAST vuln?). Also, has the change to another TLS version made its way into the product's roadmap?

On a separate note, how do I enable the debug logging for sstp connections as seen in the original post?

Fredrik

agrisvv
just joined
 
Posts: 3
Joined: Sun Oct 14, 2012 6:36 pm
Location: LATVIA

Re: SSTP: recvd too small packet

by agrisvv » Wed Feb 05, 2014 9:43 pm

Bad news... I updated Win7, Win8 and Win 8.1. Now all are affected by this error. It is not so good to have to tell clients why the VPN does not work... and to tell them all that a registry fix is needed...

So I hope that this will be resolved, near top 1 in the bug tracker.

rdolezel
just joined
 
Posts: 3
Joined: Sat Sep 14, 2013 3:31 pm

Re: SSTP: recvd too small packet

by rdolezel » Sun Feb 16, 2014 9:19 pm

Hi all,
I tried to update to v6.10. I removed the registry key (described above) on Windows 7/2008 and tried to connect to the MikroTik SSTP VPN. It worked - but ended up with a different error.

Error 734: The PPP link control protocol was terminated.

With a trial-and-error approach I found out that if I changed "Use encryption" in the PPP profile from "required" to "yes" on my MikroTik, the VPN connected successfully.

Can anybody else confirm?

kipotz1986
just joined
 
Posts: 1
Joined: Thu Feb 20, 2014 1:41 pm

Re: SSTP: recvd too small packet

by kipotz1986 » Thu Feb 20, 2014 1:44 pm

To solve this problem, just edit the registry (regedit) on every client PC:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord = 2

Use DWORD 32-bit.

It works for me.

t332
just joined
 
Posts: 3
Joined: Wed Feb 27, 2013 10:07 am

Re: SSTP: recvd too small packet

by t332 » Tue Apr 08, 2014 10:39 pm

Unfortunately, the registry hack does not work for me (I checked this record a few times).

Trying on
RB2011xx with RoS 5.24 & 5.26
Windows 8.1 with all current updates
Result:
on Windows - Error 631
On RoS: rcvd too small packet

Now, only ONE client has this problem - my personal ultrabook. =(

Any ideas?

PS. Also, I tried unchecking "use TLS 1.1/1.2" in IE options - no result.

rdolezel
just joined
 
Posts: 3
Joined: Sat Sep 14, 2013 3:31 pm

Re: SSTP: recvd too small packet

by rdolezel » Wed Apr 16, 2014 12:07 pm

Change "Use encryption" in the PPP profile from "required" to "yes" on your MikroTik, and the VPN from Win8.1 will connect successfully.

I verified it once again today. I wasn't able to connect from fully patched Win8.1 (including spring update) to Mikrotik SSTP VPN (ROS 6.6). First of all I upgraded Mikrotik to the latest 6.12. I checked there is no regedit fix on my Win8.1. Then I changed "Use encryption" from "required" to "yes" in Mikrotik's PPP profile and I was able to connect from Win8.1 immediately.
