VPN Connection Issues

We are using the Unifi/Ubiquiti VPN feature for everyone to connect remotely to our office network and server.
We’ve been having issues where someone is connected to the VPN and if they get disconnected during something like a power/internet outage they will not be able to reconnect to the VPN without the Unifi router being rebooted.
We’ve found a temporary solution using a command that we execute using SSH on the router to only reboot the VPN so we don’t take down the whole network but it’s a manual process and we’re trying to find a better solution or a way to fix the problem entirely.
We’re thinking that the VPN sees the user is still connected to the VPN since the user was disconnected suddenly and so can’t reconnect until the VPN is restarted which disconnects all VPN connections.
Is anyone familiar with this issue and is there a better solution/fix?

Details:
Users are using Windows 10 Pro.
Error message on Windows 10 PC when trying to reconnect to VPN: “The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.”
We are using a Unifi USG-3P Router.
This issue seems to be amplified if the remote user has an older/lower tier router. We’ve been able to reduce this problem by upgrading the router but it has not completely eliminated the problem.

Hello! Thanks for posting on r/Ubiquiti!


Can you tell me which command you're using when SSH'd in? I'm having the same issue.

I've had this issue for a long time and officially there's no fix yet, says Ubiquiti support.

Take a look: https://redd.it/flrl4c

It sounds like port forwarding/ UPnP issues to me.

On the client side, have you added the UDP registry entry on the Windows machine? If not, save and run this registry file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

You can do it by hand if you want.

You can also manually forward ports 1701 and 500 to the machine connecting if you are only using one client as this will help it during negotiation.

On the router side, get rid of double-NAT if you’re doing that as it will screw things up. Put your modem in bridge mode and go from there. People here have claimed there’s nothing wrong with double NAT, but there is.

Switch to a business grade product with business grade support for a business solution.

Not a troll, sound business advice. Ubiquiti planted their flag firmly in the pro-consumer camp when they killed their support options to make video doorbells and other loosely related networking products. This is after their rather bumpy track record of stable firmware releases.

Their only advantage is price + lazy admin. It’s cheap and if you never update it, you might be on a stable firmware release.

If price is an issue, look at Cisco Meraki Go or Aruba Instant On. Both companies released an SMB-focused line of their enterprise products to compete directly with Ubiquiti. The price point is the same give or take and it includes support.

I dumped ~$1000 in current Ubiquiti UniFi equipment for Aruba Instant On and haven't had any issues since.

Never had such problems, but one thing you can do is possibly automate it with a Raspberry Pi or some VM server that constantly checks your router for power outages/disconnections and reboots it as needed.

Also if you’re running a business, you should have some sort of power management tool and system in place to deal with stuff like this.

Switch to MikroTik lol

Switch to pfsense lol

Sure! Here's the commands once you've SSH'd into the router:

  1. Try to reset the VPN connection for the specific user:
    clear vpn remote-access user <username>
    (replace <username> with the name of the user trying to connect to the VPN)
  2. If that doesn't work you can restart the VPN:
    sudo service xl2tpd restart
    sudo ipsec restart
    Or sometimes you can just use:
    restart vpn
  3. After a few minutes try to connect to the VPN.

This method has had a really good success rate for us so far. Although like I said we’re still looking for a more permanent solution that doesn’t require as much manual input.

Also we originally found these commands from a Ubiquiti webpage: https://community.ui.com/questions/Cant-Connect-to-L2TP-VPN-after-power-outage/ad4b5600-d231-43a1-8d8d-68f7208a0269

Before this we just had to reboot the router entirely every time which would kick off anyone on the local network and anyone connected through the VPN.
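As an added example (not from the thread, Ubiquiti, or the linked community page), here is the per-user clear from step 1 and the daemon restart from step 2 wrapped into a script in the spirit of the automation suggested earlier in the thread. It assumes key-based SSH access to a host named usg.example.internal (a constructed placeholder) and that EdgeOS operational commands are run non-interactively through /opt/vyatta/bin/vyatta-op-cmd-wrapper; both are assumptions. The username is validated before it is placed on a remote command line, and the global restart (which drops every VPN session) only runs when explicitly requested.

```shell
#!/usr/bin/env bash
# Added example: escalating L2TP/IPsec reset on a USG over SSH.
# Assumptions: USG reachable as $USG_HOST with a dedicated key $USG_KEY;
# operational commands run via vyatta-op-cmd-wrapper (EdgeOS).
# DRY_RUN=1 prints the remote command instead of running it.
set -u
USG_HOST="${USG_HOST:-usg.example.internal}"    # constructed placeholder
USG_KEY="${USG_KEY:-$HOME/.ssh/usg_vpn_reset}"  # constructed placeholder
DRY_RUN="${DRY_RUN:-0}"
OP_WRAPPER="/opt/vyatta/bin/vyatta-op-cmd-wrapper"

# Accept plain account names only: the value ends up on a remote command
# line, so anything with shell metacharacters is refused, not quoted.
valid_user() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Step 1 from the thread: drop only the stale session of one user.
clear_user_cmd() {
  printf '%s clear vpn remote-access user %s' "$OP_WRAPPER" "$1"
}

# Step 2 from the thread: restart the VPN daemons (kicks every VPN user).
restart_vpn_cmd() {
  printf 'sudo service xl2tpd restart && sudo ipsec restart'
}

# Run one command on the router with a non-interactive, key-only session.
run_on_usg() {
  if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $1"; return 0; fi
  ssh -i "$USG_KEY" -o BatchMode=yes -o ConnectTimeout=10 \
      "admin@$USG_HOST" "$1"
}

# reset_vpn_user <username> [clear|restart]
# Default is the per-user clear; "restart" is the global fallback and must
# be asked for explicitly because it disconnects everyone on the VPN.
reset_vpn_user() {
  local user="$1" step="${2:-clear}"
  valid_user "$user" || { echo "refusing unsafe username: $user" >&2; return 2; }
  case "$step" in
    clear)   run_on_usg "$(clear_user_cmd "$user")" ;;
    restart) run_on_usg "$(restart_vpn_cmd)" ;;
    *)       echo "unknown step: $step" >&2; return 2 ;;
  esac
}

# Example (constructed username): reset_vpn_user alice        # step 1
#                                 reset_vpn_user alice restart # step 2
```

Run step 1 first and have the user retry; only escalate to restart if they still cannot connect, since the thread's step 2 disconnects all VPN users.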

Please do not come to r/Ubiquiti to just troll with comments like this.

Instead of suggesting to drop the network entirely, it suffices to simply use WireGuard or OpenVPN, as they are actual proven VPN solutions, in the absence of a fix for this UniFi bug.

These are far solutions anyways, and hopefully you can avoid hardware offloading and having terrible performance.

Takes what… 15 minutes to set this up? And I bet debugging this crap each time takes about that.

"Alternatively, if you allowed each user to dial in more than once or caused the second connection to kill the first, that may help."

That’s one idea I had but I don’t know how I would do that. Would that be something I’d have to look into manually configuring or even coding? Or is there a hidden feature in Unifi’s VPN that would allow me to set that up?

Awesome thank you. I tried “ipsec restart” but I didn’t know about those others. I think I tried “restart vpn” too but it didn’t like the command. My problem was with a brand new VPN user yesterday. It wouldn’t let me connect them for the very first time.

I’m a Unifi fanboy but lately it’s getting harder to recommend to my customers with these issues they’ve been having…

I didn't mean to troll. MikroTik has a lot more VPN features. I use both manufacturers. In my experience Ubiquiti routing is lacking, just like MikroTik has wimpy wireless gear.

How difficult is it to run OpenVPN or Wireguard on a USG or UDM Pro?

No problem! Btw I edited my reply since I accidentally sent it while I was still typing before I was finished so there might be a few things that are different/corrected from earlier.

Can you describe your ideal setup? I'm planning a house install and have been debating this very thing, but I'm also very new to all these fancier networking setups. VPN'ing into my house is an important feature for me.

Ideally you'd be running these services on a dedicated piece of hardware. But it is pretty easy to set up on just about any Linux or Windows server.

Then you forward the port and you’re good to go.

“sudo restart vpn” and “restart vpn” and “sudo service xl2tpd restart” all give me “command not found”.

It didn't complain about "clear vpn remote-access user" but unfortunately it didn't help either.

Are you doing these on a UDM Pro?

Screenshot of my terminal