Windows Server 2003 Inconsistent VPN Logon Failure: VPN Error 721

Posted on 2006-04-13
2,236 Views
Last Modified: 2008-02-20
Hi. I have a NAT DSL router (Netopia 4562-T series) with a Windows Server 2003 RRAS with Router and VPN enabled. I have Computer A with User A configured to connect to the network via VPN. If I try to connect from within the subnet of the VPN server on the internal IP, I can connect 100% of the time. If I try to connect using the public IP address, I can connect 20% of the time. The other 80% of the time I get VPN Error 721 after it reaches the user and password portion of the connection. I seem to have GRE and PPTP filtered and forwarded. Any ideas as to what may cause this problem?
Question by:tattsnyc
10 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16451266
721 is most often a GRE error, in that it is being blocked. You say 20% of the time you can connect. When you connect, can you access shares and open files? If so, GRE pass-through should be OK.
If the connection works but is inconsistent, it may be due to insufficient bandwidth to support a VPN or too large an MTU (Maximum Transmission Unit) packet size.
-first check that the local (client end) router has VPN or PPTP pass-through enabled
-test the VPN performance. Once connected (I know you can only do this 20% of the time) try pinging a device on the remote end of the tunnel. To support a VPN the response time should be 125ms or less. I prefer to see less than 50ms.
-the following links explain the problems with too large an MTU size, how to test and how to adjust. It should be adjusted on the client machine and the client's router.
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnslow.htm
http://help.expedient.net/broadband/mtu.shtml

Author Comment

by:tattsnyc
ID: 16452741
Thanks, will do. What you say makes sense, but how can the same client on the same PC have an MTU that's not proper sometimes and is at other times?
LVL 78

Expert Comment

by:Rob Williams
ID: 16453122
I haven't found MTU to fix problems that often, but it's definitely a known cause for performance and especially VPN issues. When you see randomly dropped connections it is not usually just the MTU but rather reduced performance, due to a slow "hop" somewhere in the connection, and the MTU size seems to push it over the edge. Adjusting the MTU seems to make it slightly more stable in those situations.
Have to say there are no guarantees, just a suggestion.  :-)
The first site above has a link somewhere in it to take you to this site to help you test. It may not be a problem at all, but it is worth checking. The response time test above is important. If the response is "iffy", increased traffic will definitely cause a disconnect:
http://www.dslreports.com/faq/5793
Author Comment

by:tattsnyc
ID: 16457615
Thanks. I am new to this and trying to learn this ASAP. Would the TTL have anything to do with this, possibly?

Author Comment

by:tattsnyc
ID: 16457744
This should help a lot. I am getting the following errors in the Event Viewer of the client machine now.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1054
Date:            4/14/2006
Time:            6:03:33 PM
User:            NT AUTHORITY\SYSTEM
Computer:      
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And also :

Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      15
Date:            4/14/2006
Time:            4:53:40 PM
User:            N/A
Computer:      
Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
LVL 78

Expert Comment

by:Rob Williams
ID: 16458346
TTL is the number of "hops" to the destination address before it will drop the packet. Not something you can really control, and not an issue unless, when you do your ping test, you are getting a "Reply from x.x.x.x TTL expired in transit" error.

The 1054 error is probably not related to your VPN issue. However, the error may be a result of the VPN. Does that make any sense? :-)
Where is the domain controller? If on the local network, the error is most often related to incorrectly configured DNS. If the DC is at the remote office, the other end of the VPN tunnel, it is a result of the tunnel not connecting, rather than the cause of it not connecting.

Maybe I have jumped a couple of steps here, I should clarify a few things.
-Where is the Domain controller?
-How is your VPN established? Is the VPN server a Windows server on the main network, or a VPN router? I noticed the Netopia 4652 (you say 4562 above) is a VPN router.
-What are you using for the VPN client, Windows client or other?
-Is the Netopia both a DSL modem and a router, if so is there another router at that site?
-I didn't mention but the main office subnet and the remote network subnet should be different. For example if the main office is 192.168.1.x the remote site should be something else like 192.168.2.x

--Rob

Author Comment

by:tattsnyc
ID: 16460603
-Where is the Domain controller?
Local main site subnet, physically located next to each other.
-How is your VPN established? Is the VPN server a Windows server on the main network, or a VPN router? I noticed the Netopia 4652 (you say 4562 above) is a VPN router.
The server is a Windows Server 2003 member server.
-What are you using for the VPN client, Windows client or other?
Windows client.
-Is the Netopia both a DSL modem and a router? If so, is there another router at that site?
Yes, the Netopia is a NAT router. The VPN server also doubles as a router, as it has Remote Desktop Web Connections and WSUS running on it. Private IP 192.x.x.x and public static 65.x.x.x.

-I didn't mention, but the main office subnet and the remote network subnet should be different. For example if the main office is 192.168.1.x the remote site should be something else like 192.168.2.x
Local is 192.168.1.x and remote depends on location. Usually different, but so far inconsistent at best.

I do understand what you mean: the resulting errors above happen because of problems with the VPN; they are not causing the problems with the VPN. Does DNS need to be configured some way different for VPN to work?

Perhaps the question should be, since I am new to this, what is the best way to configure a Windows VPN server and client, and a NAT router firewall, to allow VPN to work?
LVL 78

Accepted Solution

by:Rob Williams (earned 2000 total points)
ID: 16462771
>>"what is the best way to configure a Windows VPN server and client, and a NAT router firewall, to allow VPN to work?"
Assuming you want to use the Windows server as the VPN server have a look at these links:
The basic server and client configurations can be found at the following sites with good detail:
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through (GRE protocol 47 -not port 47), and also forwarding port 1723 traffic to the server's IP. For details about that see the following link. Click your router make and model # which will take you to another page where you need to click on PPTP forwarding for details specific to your router:
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm
The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example if you are using 192.168.1.x at the office , the remote should be something like 192.168.2.x (This is important)
Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name. Using the IP address is less problematic, such as \\192.168.1.111\ShareName. See below for name resolution solutions.

>>"Does DNS need to be configured some way different for VPN to work?"
Name resolution often does not work properly over a VPN.
You can resolve this in several ways:
1) Use the IP address (of the computer you are connecting to) when connecting to devices, such as \\123.123.123.123\ShareName, or map a drive at a command prompt using:
 Net Use U: \\123.123.123.123\ShareName
2) An option is to use the LMHosts file which creates a table of IP's and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam , instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below;
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension ,when saving enclose in quotations like "LMHosts". Now when you try to connect to a computer name it should find it as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cnfd_lmh_QXQQ.asp
The drawback of the LMHosts file is you have to maintain a static list of computer names and IP addresses. Also, if the remote end uses DHCP-assigned IPs it is not a feasible option. Thus, in order to be able to use computer names dynamically, try to enable some of the following options:
3) if you have a WINS server add that to the network cards configuration
4) also under the WINS configuration on the network adapter make sure NetBIOS over TCP/IP is selected
5) try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration
6) verify your router does not have a "block NetBIOS broadcast" option enabled
7) test if you can connect with the full computer and domain name as  \\ComputerName.domain.local  If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]
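As an added example (not code from this thread, from Microsoft, or from the experts above), here is a small Python script that checks two of the things the accepted answer says must be right: an LMHosts file written the way the answer describes (IP address, NetBIOS name, optional #PRE), and that the remote site's subnet does not overlap the office subnet. The sample LMHosts content is constructed, and handling of the #DOM: keyword is an assumption beyond what the answer shows.

```python
import ipaddress
import re

# Constructed sample LMHosts content in the format the answer describes
# (IP, NetBIOS name, optional #PRE keyword); not taken from the original thread.
SAMPLE_LMHOSTS = """\
# Comment lines start with '#' and are ignored.
192.168.1.111   FILESERVER      #PRE
192.168.1.10    DC01            #PRE #DOM:corp
192.168.1.20    PRINTSERVER
999.1.1.1       BADADDR         #PRE
192.168.1.30    THISNAMEISTOOLONG16 #PRE
"""

# <ip> <name> [keywords/comment]; keywords such as #PRE live in the comment part.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_lmhosts(text):
    """Return (entries, problems): parsed entries and (line number, reason) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment-only line
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "unparseable line"))
            continue
        ip_str, name, rest = m.group(1), m.group(2), m.group(3) or ""
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            problems.append((lineno, f"invalid IP address {ip_str!r}"))
            continue
        if len(name) > 15:  # NetBIOS names are at most 15 characters
            problems.append((lineno, f"NetBIOS name {name!r} longer than 15 characters"))
            continue
        keywords = rest.split()
        preload = "#PRE" in keywords  # #PRE: preload into the NetBIOS name cache
        # #DOM:<domain> marks a domain controller (assumed keyword, not shown in the thread)
        domain = next((k[5:] for k in keywords if k.upper().startswith("#DOM:")), None)
        entries.append({"ip": str(ip), "name": name, "preload": preload, "domain": domain})
    return entries, problems

def subnets_overlap(local_cidr, remote_cidr):
    """True when the client LAN and the office LAN overlap, which breaks routing over the tunnel."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return local.overlaps(remote)
```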

Author Comment

by:tattsnyc
ID: 16470170
The DHCP Relay Agent was not working properly; thanks for the help. Statically assigned addresses fixed the problem :)
LVL 78

Expert Comment

by:Rob Williams
ID: 16470617
Thanks tattsnyc,
--Rob