VPN problem has me stumped

I have two machines connecting to a corporate LAN with PPTP. Originally both machines worked fine; however, the main PC has decided to give me Error 800 on connecting to the corporate LAN, while the other machine, which is a laptop, connects fine. Both machines are running XP Pro SP2 and the VPN connection is set up in the same way on both.

Both remote machines run the VPN on the same IP range, going through a D-Link Wireless DSL-G604T router connecting to a Zywall 10W and then to an SBS2003 server.

I am completely out of ideas; the laptop works fine but the workstation does not. I have even re-installed the workstation.

Can you ping the VPN server?

If your VPN server does not have a real IP address,

you need port 1723 forwarded to your VPN server.
A couple of steps I would take:

* ping the remote VPN server from the non-functional PC. If you can't ping it from there, can you ping from the functioning one?  If so, it's not a VPN config/software problem.

* try to connect without going through the router, if possible.  That rules out one more piece of equipment from the puzzle.

Good luck!
From your post it isn't clear if the workstation and the laptop are at the same site, but I'm going to assume they are.

So you have:
                  Remote-IP                           Office-IP                  Private-IP
Workstation ---------------| Dlink     |                      | ZyXel      |
Laptop --------------------| DSL-G604T |---- Internet ----| ZyWall 10W |---------- SBS2003

If the diagram is correct, then test the network connectivity of both workstation and laptop by doing

C:\>ping Office-IP

from each in turn (replace Office-IP above with the Internet IP address of ZyWall 10W).

Ensure you have sufficient firewall permissions in place to allow pings to be sent and received otherwise you'll see Timed Out messages from PING.

If that is successful then we know you have a route from both to the office. If not, investigate the remote LAN.

From the SBS2003 server in the office, do a similar test:

C:\>ping Remote-IP

If that works you know you have basic connectivity established.

Are you running ISA Server on your SBS2003 server? If so review Knowledge Base article 886621.

"You receive an 'Unable to establish the VPN connection' error message when your Windows Small Business Server 2003-based client computer tries to make an outgoing PPTP connection"

Now the important question... where is the VPN connection terminating? In the ZyWall or on the SBS2003 server?

If it's terminating on the ZyWall then you need to examine the user accounts on the router.

However, if it's terminating on the SBS2003 server the ZyWall will be configured for VPN PPTP Pass-through mode. Check this is set correctly and that it knows the address of the SBS2003 server to forward VPN connections to.

Next monitor the event logs on the SBS2003 server while you connect first from the laptop, and then from the workstation, and compare any differences and follow-up any warnings or errors in the Microsoft Knowledge Base.

If you want to post confirmation of your network configuration and any results you get, we can examine matters further.

mcsmmcsm (Author) commented:
Cannot ping as it is disabled on the Zywall; however, I can tracert on both machines.

I do not use ISA Server on the SBS machine.

The VPN is configured on the SBS, not the Zywall.

Working Machine (Laptop PIII 700, WinXP Pro ) > Zywall NIC > Dlink 604 > Internet > Zywall 10W > SBS2003

Non Working Machine (Workstation P4 2.8 HT, Win XP Pro) > Dlink NIC > Dlink 604 > Internet > Zywall 10W > SBS2003

IPconfig of non working machine

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : D-Link AirPlus DWL-G520 Wireless PCI
        Physical Address. . . . . . . . . : 00-0F-3D-86-C6-15
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

Ipconfig of Working machine whilst connected to VPN

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : ZyAIR G-100 Wireless LAN PC Card
        Physical Address. . . . . . . . . : 00-A0-C5-41-C6-19
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

PPP adapter Envisage:

        Connection-specific DNS Suffix  . : envisage-solutions.local
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        Primary WINS Server . . . . . . . :
        Secondary WINS Server . . . . . . :

The working machine works exactly how it should once connected to the VPN; the non-working machine just gets error 800.

Still Stumped.

We've got to assume, because the one machine works, that everything is OK at the office and that the problem is local to either your network or the local workstation. Further, I will assume that your basic internet connection is OK on the non-VPN-able machine and that browsing the 'net is functioning (if not, I'd say that would be the core of your problem).

Multiple public IPs at the remote site? Your SBS box will send reply traffic to the public IP it sees as the source of the traffic; in this case that would be the Dlink 604. We are relying on the 604 to send the reply traffic to the appropriate machine. Often, if there is only one public IP and the router is using NAT to put all your workstations on the 'net via that single IP, set-port traffic gets bunged up like this. Try connecting with the workstation while the laptop is offline. If it works, then your problem is that each machine is not individually reachable from the office. Invest in a hardware firewall that can negotiate the VPN for you (investigate WatchGuard products for this; they are comparatively easy to set up) or use one machine as the gateway to the other via ICS.

Double-check the DLINK access control for port-level client access control. Some routers support controlling which clients have access at which times to what ports/sites. Some have even started to support parental control for site content. Needless to say, this can be hell on troubleshooting.

Check the workstations' route table (from DOS the command is 'route print') to double-check that they both have the same gateway for the host public IP (or have the same default gateway).

If none of that helps, post some more info and we'll see what else we can suggest ; )
Let's remember that VPN error 800 can be to do with lack of authentication, it doesn't necessarily mean lack of connectivity.

Have you investigated the SBS2003 server's event log to see what RAS entries are logged when the laptop connects, and when the workstation fails to connect?

To enable maximum logging, in the "Routing and Remote Access" MMC select the server, right-click and choose Properties.

In the dialog choose the "Event Logging" tab and then select "Log the maximum amount of information".

If the workstation is reaching the SBS2003 server then you will see reports in the event log.

It's also worth running Sysinternals' TCPView (www.sysinternals.com) on the SBS2003 server, watching for TCP connections on local port 1723; the remote address will be the public IP of the remote router.
I also notice that DHCP isn't enabled for the VPN client connection, so that suggests that on the SBS2003 server you've manually set the static IP address in the User Account of the person connecting.

Have both User Accounts got usable IP addresses set?

"Active Directory Users and Computers" MMC, expand the domain, choose Users and double-click the User.

Choose the "Dial-in" tab and look at the "Assign a Static IP Address" setting.
mcsmmcsm (Author) commented:
Sorry to waste your time; the subnet mask on the router was different to the workstation's.
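An added check, not from the thread, that reproduces the root cause found above: it takes a client's static ipconfig values and the router's LAN subnet and reports whether the masks agree and whether the default gateway is on-link (a gateway outside the client's own subnet never answers ARP, so no traffic leaves the LAN and PPTP fails before authentication). The addresses are constructed sample values, not those from the thread.

```python
import ipaddress


def client_network(ip, mask):
    """Network the host believes it is on, derived from its own IP and dotted mask."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def gateway_on_link(ip, mask, gateway):
    """True if the default gateway falls inside the client's own subnet."""
    return ipaddress.IPv4Address(gateway) in client_network(ip, mask)


def diagnose(client_ip, client_mask, gateway, router_ip, router_mask):
    """Compare a client's static settings with the router's LAN settings.

    Returns a list of findings; an empty list means the client can reach
    the gateway and its local IP configuration is ruled out as the cause
    of a VPN error 800.
    """
    findings = []
    cnet = client_network(client_ip, client_mask)
    rnet = client_network(router_ip, router_mask)
    if client_mask != router_mask:
        findings.append(f"mask mismatch: client {client_mask}, router {router_mask}")
    if not gateway_on_link(client_ip, client_mask, gateway):
        findings.append(f"gateway {gateway} is not in client subnet {cnet}")
    if ipaddress.IPv4Address(client_ip) not in rnet:
        findings.append(f"client {client_ip} is outside router subnet {rnet}")
    return findings


# Constructed sample values (hypothetical, not the thread's real addresses):
# the laptop matches the router, the workstation has a narrower /28 mask.
ROUTER = ("192.168.1.1", "255.255.255.0")
LAPTOP = ("192.168.1.20", "255.255.255.0", "192.168.1.1")
WORKSTATION = ("192.168.1.50", "255.255.255.240", "192.168.1.1")

if __name__ == "__main__":
    for name, cfg in (("laptop", LAPTOP), ("workstation", WORKSTATION)):
        print(name, diagnose(*cfg, *ROUTER) or ["ok"])
```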
