PPTP: MPPE decryption resulted in an unsupported protocol

Frequently Asked Questions
Posts: 620
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

PPTP: MPPE decryption resulted in an unsupported protocol

Post by Peter » 25 Sep 2009, 15:18

This FAQ applies to:
  • Clavister CorePlus™ 9.10 and above.
I'm having problem with my PPTP client, i get the following in the log : MPPE decryption resulted in an unsupported protocol (0a7e). Terminating PPP.

When the logs say "MPPE decryption resulted in unsupported protocol (xxxx), closing PPP." where xxxx is different numbers every the time MPPE has failed to decrypt a data message sent by the peer. If the numbers were to be the same every time, the reason might be that the peer tries to send other protocols than IP through the tunnel. In the case with different numbers, MPPE failed to decrypt. The reason for this is usually one of the following:
  • 1. We received a broken/corrupt packet from the peer.
    2. More then 1024 packets sent by the peer have been lost.
    3. The client uses MPPE in stateful mode even though we have negotiated stateless MPPE, or vice versa.
    4. The peer sends data in the wrong way, violating the protocol or the negotiated settings. (client specific problem)
Problem 4 was pretty common on Core versions pre. 9.10 as we did not have support for stateful mode. Some PocketPC's negotiated that we should NOT use stateful, but when the traffic started to flow it used stateful anyway. The only solution then was to use <none> as MPPE compression, and sending unencrypted packets kinda voids the whole purpose of VPN. Another possible solution for problem 4 is to "lock" the PPTP encryption on the server to only allow one encryption strength (such as RC4 128 bit).

If the numbers are always the same for every connection attempt the cuse can be summarized with #4 above. One reoccuring problem are clients using Protocol Field Compression (PFC) even though it is not negotiated. This is often possible to solve by turning off PFC via settings in the client.