VPN problem has me stumped

I have two machines connecting to a corporate LAN with a PPTP. Originally both machines worked fine however the main PC has decided to give me Error 800 on connecting to the corporate LAN the other machine which is a Laptop connects fine. Both machines are running XP Pro SP2 and the vpn connection is set up in the same way on both.

Remote machines both running vpn on ip range running through a DLink Wireless DSL-G604T router connecting to a Zywall 10w and then to a SBS2003 server.

I am completely out of ideas, the laptop works fine but the workstation does not I have even re-installed the workstation.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Can ping the vpn server ?

If your vpn server dose not real ip addess

you need the port(1723) forworded to your vpn server
A couple steps I would take:

* ping the remote VPN server from the non-functional PC. If you can't ping it from there, can you ping from the functioning one?  If so, it's not a VPN config/software problem.

* try to connect without going through the router, if possible.  That rules out one more piece of equipment from the puzzle.

Good luck!
From your post it isn't clear if the workstation and the laptop are at the same site, but I'm going to assume they are.

So you have:
                   Remote-IP                          Office-IP                   Private-IP
Workstation -----------------| Dlink          |                     | ZyXel          |
Laptop -----------------------| DSL-G604T |--- Internet ---| ZyWall 10W |---------- SBS2003

If the diagram is correct, then test the network connectivity of both workstation and laptop by doing

C:\>ping Office-IP

from each in turn (replace Office-IP above with the Internet IP address of ZyWall 10W).

Ensure you have sufficient firewall permissions in place to allow pings to be sent and received otherwise you'll see Timed Out messages from PING.

If that is successful then we know you have a route from both to the office. If not, investigate the remote LAN.

From the SBS2003 server in the office, do a similar test:

C:\>ping Remote-IP

If that works you know you have basic connectivity established.

Are you running ISA Server on your SBS2003 server? If so review Knowledge Base article 886621.

You receive an "Unable to establish the VPN connection" error message when your Windows Small Business Server 2003-based client computer try to make an outgoing PPTP connection


Now the important question... where is the VPN connection terminating? In the ZyWall or on the SBS2003 server?

If its terminating on the ZyWall then you need to examine the user accounts on the router.

However, if its terminating on the SBS2003 server the ZyWall will be configured for VPN PPTP PAss-through mode. Check this is set correctly and knows the address of the SBS2003 server to forward VPN connections to.

Next monitor the event logs on the SBS2003 server while you connect first from the laptop, and then from the workstation, and compare any differences and follow-up any warnings or errors in the Microsoft Knowledge Base.

If you want to post confirmation of your network configuration and any results you get, we can examine matters further.

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

mcsmmcsmAuthor Commented:
Cannot ping as dsabled on the Zywal however I can tracert on both machines.  

I do not use ISA Serever on the SBS machine.

The VPN is configured on the SBS not the Zywall

Working Machine (Laptop PIII 700, WinXP Pro ) > Zywall NIC > Dlink 604 > Internet > Zywall 10W > SBS2003

Non Working Machine (Workstation P4 2.8 HT, Win XP Pro) > Dlink NIC > Dlink 604 > Internet > Zywall 10W > SBS2003

IPconfig of non working machine

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : D-Link AirPlus DWL-G520 Wireless PCI
        Physical Address. . . . . . . . . : 00-0F-3D-86-C6-15
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

Ipconfig of Working machine whilst connected to VPN

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : ZyAIR G-100 Wireless LAN PC Card
        Physical Address. . . . . . . . . : 00-A0-C5-41-C6-19
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

PPP adapter Envisage:

        Connection-specific DNS Suffix  . : envisage-solutions.local
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        Primary WINS Server . . . . . . . :
        Secondary WINS Server . . . . . . :

The working machine works exactley how it should once connected to the VPN the non working machine just get error 800

Still Stumped.

We've got to assume b/c the one machine works that everything is OK at the office and that the problem is local to either your network or the local workstation. Further i will assume that your basic internet connection is OK on the non-vpn able machine and that browsing the 'net is functioning (if not i'd say that would be the core of your problem)

Multiple public IPs at the remote site? - Your SBS box will send reply traffic to the public IP it sees as the source of the traffic in this case that would be the Dlink 604. We are relying on the 604 to send the reply traffic to the appropriate machine, often times if there is only 1 public IP and the router is using NAT to put all your workstations on the 'net via that single IP set-port traffic gets bunged up like this. try connecting with the workstation while the laptop is offline. if it works then your problem is that each machine is not individually reachable from the office. invest in a hardware firewall that can negotiate the VPN for you (investigate watchguard products for this, they are comparatively easy to setup) or use one machine as the gateway to the other via ICS

Double check the DLINK access control for port-level client access control Some routers support controlling which clients have access at which times to what ports/sites. some even have started to support parental control for site content. needless to say this can be hell on troubleshooting.

check the workstations route table (From dos the command is 'route print') to double check that they both have the same gateway for the host public IP (or have the same default gateway)

if none of that helps post some more info and we'll see what else we can suggest ; )
Let's remember that VPN error 800 can be to do with lack of authentication, it doesn't necessarily mean lack of connectivity.

Have you investigated the SBS2003 Server's event log to see what RAS entries are logged when the laptop connects, and when the workstation fails to connect.

To enable maximum logging, in the "Routing and Remote Access" MMC select the server, right-click and choose Properties.

In the dialog choose the "Event Logging" tab and then select "Log the maximum amount of information".

If the workstation is reaching the SBS2003 server then you will see reports in the event log.

It's also worth running SysInternal's TCPview (www.sysinternals.com) on the SBS2003 server watching for TCP connections on port 1723 local. the remote address will be the public IP of the remote router.
I also notice that DHCP isn't enabled for the VPN client connection, so that suggests that on the SBS2003 server you've manually set the static IP address in the User Account of the person connecting.

Have both User Accounts got usuable IP addresses set?

"Active Directory Users and Computers" MMC, expand the domain, choose Users and double-click the User.

Choose the "Dial-in" tab and look at the "Assign a Static IP Address" setting.
mcsmmcsmAuthor Commented:
Sorry to waste your time subnet mask on router was differant to wkstn.
PAQed with no points refunded (of 500)

Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.