Windows Server 2003 Inconsistent VPN Logon Failure VPN Error 721

Hi, I have a NAT DSL router (Netopia 4562-T series) with a Windows Server 2003 RRAS with router and VPN enabled. I have Computer A with User A configured to connect to the network via VPN. If I try to connect from within the subnet of the VPN server on the internal IP, I can connect 100% of the time. If I try to connect using the public IP address, I can connect 20% of the time. The other 80% of the time I get VPN error 721 after it reaches the user and password portion of the connection. I seem to have GRE and PPTP filtered and forwarded. Any ideas as to what may cause this problem?
tattsnyc asked:
Rob Williams commented:
721 is most often a GRE error, in that it is being blocked. You say 20% of the time you can connect. When you connect, can you access shares and open files? If so, GRE pass-through should be OK.
If the connection works but is inconsistent, it may be due to insufficient bandwidth to support a VPN or too large an MTU (Maximum Transmission Unit) packet size.
-first check that the local (client end) router has VPN or PPTP pass-through enabled
-test the VPN performance. Once connected (I know you can only do this 20% of the time) try pinging a device on the remote end of the tunnel. To support a VPN the response time should be 125ms or less. I prefer to see less than 50ms.
-the following links explain the problems with too large an MTU size, how to test, and how to adjust it. It should be adjusted on the client machine and the client's router.
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnslow.htm
http://help.expedient.net/broadband/mtu.shtml
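As an added example (not from the thread or from Rob), here is a small Python script that scores a ping test against the thresholds given above (under 50ms preferred, 125ms maximum), recognises the "TTL expired in transit" reply that comes up later in the thread, and turns a Windows `ping -f -l <size>` sweep (DF bit set, chosen payload size) into a path MTU figure. The ping output and the probe results are constructed samples, and the 20% loss cutoff is an assumption of mine, not a figure from the answer.

```python
"""Score a ping test and a DF-bit probe sweep (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from statistics import mean
from typing import Iterable, List, Optional, Sequence, Tuple

# Windows-style ping output lines (the client in the thread is a Windows client).
REPLY_RE = re.compile(r"Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")
TTL_EXPIRED_RE = re.compile(r"Reply from (\S+): TTL expired in transit")
TIMEOUT_RE = re.compile(r"Request timed out")

IP_ICMP_OVERHEAD = 28      # 20-byte IPv4 header + 8-byte ICMP echo header
PREFERRED_MS = 50          # "I prefer to see less than 50ms"
MAX_MS = 125               # "should be 125ms or less"
MAX_LOSS_PCT = 20          # assumed cutoff for calling the link "lossy"


@dataclass
class PingSummary:
    rtts_ms: List[int] = field(default_factory=list)
    timeouts: int = 0
    ttl_expired: int = 0

    @property
    def avg_ms(self) -> Optional[float]:
        return mean(self.rtts_ms) if self.rtts_ms else None

    @property
    def loss_pct(self) -> float:
        sent = len(self.rtts_ms) + self.timeouts
        return 100.0 * self.timeouts / sent if sent else 100.0


def parse_ping(lines: Iterable[str]) -> PingSummary:
    """Collect RTTs, timeouts and TTL-expired replies from ping output."""
    summary = PingSummary()
    for raw in lines:
        line = raw.strip()
        if m := REPLY_RE.match(line):
            summary.rtts_ms.append(int(m.group(3)))   # "time<1ms" is counted as 1 ms
        elif TTL_EXPIRED_RE.match(line):
            summary.ttl_expired += 1
        elif TIMEOUT_RE.match(line):
            summary.timeouts += 1
    return summary


def assess_latency(summary: PingSummary) -> str:
    """Classify the link: TTL problem first, then reachability, loss, and RTT."""
    if summary.ttl_expired:
        return "ttl-expired"            # hop count exhausted on the way; look at routing, not MTU
    if not summary.rtts_ms:
        return "unreachable"
    if summary.loss_pct > MAX_LOSS_PCT:
        return "lossy"                  # an "iffy" link: more traffic will drop the tunnel
    avg = summary.avg_ms
    if avg < PREFERRED_MS:
        return "good"
    if avg <= MAX_MS:
        return "acceptable"
    return "too-slow"


def path_mtu_from_probes(probes: Sequence[Tuple[int, bool]]) -> Optional[int]:
    """Given (payload_size, replied) pairs from 'ping -f -l <payload>' (DF bit set),
    return the largest unfragmented packet size: payload plus IP and ICMP headers."""
    ok = [size for size, replied in probes if replied]
    return max(ok) + IP_ICMP_OVERHEAD if ok else None


# Constructed sample output; not captured from the poster's network.
SAMPLE_PING = [
    "Reply from 192.168.1.10: bytes=32 time=45ms TTL=127",
    "Reply from 192.168.1.10: bytes=32 time=52ms TTL=127",
    "Reply from 192.168.1.10: bytes=32 time=48ms TTL=127",
    "Reply from 192.168.1.10: bytes=32 time=47ms TTL=127",
]
SAMPLE_DF_SWEEP = [(1400, True), (1472, True), (1473, False)]   # 1472 + 28 = 1500

if __name__ == "__main__":
    s = parse_ping(SAMPLE_PING)
    print(f"avg {s.avg_ms} ms, loss {s.loss_pct:.0f}% -> {assess_latency(s)}")
    print("path MTU:", path_mtu_from_probes(SAMPLE_DF_SWEEP))
```

Run the real ping from the client once the tunnel is up and feed its output to `parse_ping`; the sweep helper only tells you the largest packet that crossed without fragmentation, which is the number the MTU links above have you adjust on the client and its router.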
tattsnyc (author) commented:
Thanks, will do. What you say makes sense, but how can the same client on the same PC have an MTU that's not proper sometimes and is at other times?
Rob Williams commented:
I haven't found MTU to fix problems that often, but it's definitely a known cause for performance and especially VPN issues. When you see randomly dropped connections it is not usually just the MTU but rather reduced performance, due to a slow "hop" somewhere in the connection, and the MTU size seems to push it over the edge. Adjusting the MTU seems to make it slightly more stable in those situations.
Have to say there are no guarantees, just a suggestion.  :-)
The first site above has a link somewhere in it to take you to this site to help you test. It may not be a problem at all, but it is worth checking. The response time test above is important. If the response is "iffy", increased traffic will definitely cause a disconnect:
http://www.dslreports.com/faq/5793
tattsnyc (author) commented:
Thanks. I am new to this and trying to learn this ASAP. Would the TTL have anything to do with this, possibly?
tattsnyc (author) commented:
This should help a lot. I am getting the following errors in the Event Viewer of the client machine now.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1054
Date:            4/14/2006
Time:            6:03:33 PM
User:            NT AUTHORITY\SYSTEM
Computer:      
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And also :

Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      15
Date:            4/14/2006
Time:            4:53:40 PM
User:            N/A
Computer:      
Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Rob Williams commented:
TTL is the number of "hops" to the destination address before it will drop the packet. It is not something you can really control, and not an issue unless, when you do your ping test, you are getting a "Reply from x.x.x.x TTL expired in transit" error.

The 1054 error is probably not related to your VPN issue. However, the error may be a result of the VPN. Does that make any sense? :-)
Where is the domain controller? If on the local network, the error is most often related to incorrectly configured DNS. If the DC is at the remote office, the other end of the VPN tunnel, it is a result of the tunnel not connecting, rather than the cause of it not connecting.

Maybe I have jumped a couple of steps here, I should clarify a few things.
-Where is the Domain controller?
-How is your VPN established? Is the VPN server a Windows server on the main network, or a VPN router? I noticed the Netopia 4652 (you say 4562 above) is a VPN router.
-What are you using for the VPN client, Windows client or other?
-Is the Netopia both a DSL modem and a router, if so is there another router at that site?
-I didn't mention but the main office subnet and the remote network subnet should be different. For example if the main office is 192.168.1.x the remote site should be something else like 192.168.2.x

--Rob
tattsnyc (author) commented:
>>"Where is the Domain controller?"
Local main site subnet, physically located next to each other.
>>"How is your VPN established. Is the VPN server a Windows server on the main network, or a VPN router. I noticed the Netopia 4652 (you say 4562 above) is a VPN router"
The server is a Windows Server 2003 member server.
>>"What are you using for the VPN client, Windows client or other?"
Windows client.
>>"Is the Netopia both a DSL modem and a router, if so is there another router at that site?"
Yes, the Netopia is a NAT router. The VPN server also doubles as a router, as it has Remote Desktop Web Connection and WSUS running on it. Private IP 192.x.x.x and public static 65.x.x.x.

>>"I didn't mention but the main office subnet and the remote network subnet should be different. For example if the main office is 192.168.1.x the remote site should be something else like 192.168.2.x"
Local is 192.168.1.x and remote depends on location. Usually different, but so far inconsistent at best.

I do understand what you mean. The resulting errors above happen because of problems with the VPN; they are not causing the problems with the VPN. Does DNS need to be configured some way differently for VPN to work?

Perhaps the question should be, since I am new to this: what is the best way to configure a Windows VPN server, client, and a NAT router firewall to allow VPN to work?
Rob Williams commented:
>>"what is the best way to configure a windows vpn server client, and a NAT router firewall to allow VPN to work ?"
Assuming you want to use the Windows server as the VPN server have a look at these links:
The basic server and client configurations can be found at the following sites with good detail:
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling VPN or PPTP pass-through on your router (GRE protocol 47, not port 47), and also forwarding port 1723 traffic to the server's IP. For details about that see the following link. Click your router make and model #, which will take you to another page where you need to click on PPTP forwarding for details specific to your router:
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm
The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example, if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x (this is important).
Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name. Using the IP address is less problematic, such as \\192.168.1.111\ShareName. See below for name resolution solutions.

>>"Does DNS need to be configured some way different for VPN to work"
Name resolution often does not work properly over a VPN.
You can resolve this in several ways:
1) Use the IP address (of the computer you are connecting to) when connecting to devices, such as \\123.123.123.123\ShareName, or map a drive at a command prompt using:
Net Use U: \\123.123.123.123\ShareName
2) An option is to use the LMHosts file which creates a table of IP's and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam , instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below;
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose the name in quotation marks like "LMHosts". Now when you try to connect to a computer name it should find it, as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cnfd_lmh_QXQQ.asp
The drawback of the LMHosts file is you have to maintain a static list of computer names and IP addresses. Also, if the remote end uses DHCP assigned IP's it is not a feasible option. Thus, in order to be able to use computer names dynamically, try enabling some of the following options:
3) if you have a WINS server add that to the network cards configuration
4) also under the WINS configuration on the network adapter make sure NetBIOS over TCP/IP is selected
5) try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration
6) verify your router does not have a "block NetBIOS broadcast" option enabled
7) test if you can connect with the full computer and domain name as  \\ComputerName.domain.local  If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]
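As an added example (not from the thread or from Rob), here is a Python parser and sanity checker for the LMHosts format described in option 2 above. It reads the `<ip> <name>` lines, honours the `#PRE` keyword from the answer (and `#DOM:<domain>`, which is another LMHosts keyword), treats any other `#` token as the start of a comment, and rejects the mistakes that silently break resolution: a bad IPv4 address, a name longer than the 15-character NetBIOS limit, or the same name mapped twice to different addresses. The file content is a constructed sample, not the poster's file.

```python
"""Parse and sanity-check an LMHosts file (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NETBIOS_NAME_MAX = 15   # NetBIOS computer names are at most 15 characters


@dataclass
class LmhostsEntry:
    ip: str
    name: str
    preload: bool = False          # #PRE: entry is preloaded into the name cache
    domain: Optional[str] = None   # #DOM:<domain>: host is a domain controller


def parse_lmhosts(text: str) -> Tuple[List[LmhostsEntry], List[str]]:
    """Return (valid entries, problems).

    A line is '<ipv4> <name> [#PRE] [#DOM:domain] [#comment]'; any other token
    starting with '#' begins a comment, and lines starting with '#' are skipped.
    """
    entries: List[LmhostsEntry] = []
    problems: List[str] = []
    by_name: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment-only line
        parts = line.split()
        if len(parts) < 2 or parts[1].startswith("#"):
            problems.append(f"line {lineno}: expected '<ip> <name>'")
            continue
        ip_text, name = parts[0], parts[1].upper()
        try:
            ip = str(ipaddress.IPv4Address(ip_text))
        except ValueError:
            problems.append(f"line {lineno}: invalid IPv4 address {ip_text!r}")
            continue
        if len(name) > NETBIOS_NAME_MAX:
            problems.append(f"line {lineno}: name {name!r} longer than {NETBIOS_NAME_MAX} chars")
            continue
        if name in by_name and by_name[name] != ip:
            problems.append(f"line {lineno}: {name} already mapped to {by_name[name]}")
            continue
        entry = LmhostsEntry(ip, name)
        for tok in parts[2:]:
            up = tok.upper()
            if up == "#PRE":
                entry.preload = True
            elif up.startswith("#DOM:") and len(up) > 5:
                entry.domain = up[5:]
            else:
                break                     # anything else is a trailing comment
        by_name[name] = ip
        entries.append(entry)
    return entries, problems


def lookup(entries: List[LmhostsEntry], name: str) -> Optional[str]:
    """Case-insensitive name -> IP lookup, the way the file is consulted before connecting."""
    wanted = name.upper()
    for entry in entries:
        if entry.name == wanted:
            return entry.ip
    return None


# Constructed sample file content (not the poster's file).
SAMPLE_LMHOSTS = """\
# Example LMHosts entries; keywords must follow the name on the same line.
192.168.1.101   FILESRV01   #PRE
192.168.1.5     DC01        #PRE #DOM:CORP
192.168.1.300   BADHOST     #PRE
192.168.1.20    THISNAMEISWAYTOOLONG
192.168.1.22    printsrv    # plain comment, not a keyword
"""

if __name__ == "__main__":
    found, issues = parse_lmhosts(SAMPLE_LMHOSTS)
    for entry in found:
        print(entry)
    for issue in issues:
        print("PROBLEM:", issue)
```

Running the checker against the file before saving it (without an extension, as the answer says) catches the typos that otherwise only show up as a name that never resolves over the tunnel.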
tattsnyc (author) commented:
The DHCP Relay Agent was not working properly; thanks for the help. Statically assigned addresses fixed the problem :)
Rob Williams commented:
Thanks tattsnyc,
--Rob