Link to home
Create AccountLog in
Avatar of tattsnyc
tattsnyc

asked on

Windows Server 2003 Inconsistent VPN Logon Failure VPN Error 721

HI I have a NAT DSL router Netopia 4562-T series with a Windows Server 2003 RRAS  With Router and VPN enabled.   I have Computer A with User A configured to connect to the network Via VPN. IF i try to connect from within the Subnet of the VPN server on the internal IP . I can connect 100% of the time. If I try to connect using the Public IP address I can connect 20% of the time. The other 80% of the time I get VPN ERROR 721 after it reached to the user and password portion of the conenction. I seem to have GRE and PPTP Filtered and forwarded. Any ideas as to what may cause this problem?
Avatar of Rob Williams
Rob Williams
Flag of Canada image

721 is most often a GRE error, in that it is being blocked. You say 20% of the time you can connect. When you connect can you access shares and open files, if so GRE passs-through should be OK.
If the connection works but is inconsistent it may be due to insufficient bandwidth to support a VPN or to large an MTU (Maximum Transmission Unit) packet size
-first check that the local (client end) router has VPN or PPTP pass-through enabled
-test the VPN performance. Once connected (I know you can only do this 20% of the time) try pinging a device on the remote end of the tunnel. To support a VPN the response time should be 125ms or less. I prefer to see less than 50ms.
-following links explain the problems with too large an MTU size, how to test and how to adjust. It should be adjusted on the client machine and the clients router.
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnslow.htm
http://help.expedient.net/broadband/mtu.shtml
Avatar of tattsnyc
tattsnyc

ASKER

THanks Will do? What you say makes sense but how can The same Client on The same PC have an MTU thats not proper sometimes and is others?
I haven't found MTU to fix problems that often, but it's definitely a known cause for performance and especially VPN issues. When you see randomly dropped connections it is not usually just the MTU but rather reduced performance, due to a slow "hop" somewhere in the connection, and the MTU size seems to push it over the edge. Adjusting the MTU seems to make it slightly more stable in those situations.
Have to say there are no guarantees, just a suggestion.  :-)
The first site above has a link somewhere in it to take you to this site to help you test. It may not be a problem at all, but it is worth checking. The response time test above is important. If the response is "iffy", increased traffic will definitely cause a disconnect.:
http://www.dslreports.com/faq/5793
Thanks. i am new to this and trying to learn this ASAP. would the TTL have anything to do with this possibly?
This should help a lot. i am getting the following errors in The event viewer of the Cleint Machine Now.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1054
Date:            4/14/2006
Time:            6:03:33 PM
User:            NT AUTHORITY\SYSTEM
Computer:      
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And also :

Event Type:      Error
Event Source:      AutoEnrollment
Event Category:      None
Event ID:      15
Date:            4/14/2006
Time:            4:53:40 PM
User:            N/A
Computer:      
Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


TTL is the number of "hops" to the destination address before it will drop the packet. Not something you can really control and not an issue unless when you do your ping test you are getting a "Reply from x.x.x.x TTL expired in transit" error.

The 1054 error is probably not related to your VPN issue. However, the error may be a result of the VPN. Does that make any sense :-)
Where is the domain controller? If on the local network the error is most often related to incorrectly configured DNS. If the DC is at the remote office, the other end of the VPN tunnel, it is a result of the tunnel not connecting , rather than the cause of it not connecting.

Maybe I have jumped a couple of steps here, I should clarify a few things.
-Where is the Domain controller?
-How is your VPN established. Is the VPN server a Windows server on the main network, or a VPN router. I noticed the Netopia 4652 (you say 4562 above) is a VPN router
-What are you using for the VPN client, Windows client or other?
-Is the Netopia both a DSL modem and a router, if so is there another router at that site?
-I didn't mention but the main office subnet and the remote network subnet should be different. For example if the main office is 192.168.1.x the remote site should be something else like 192.168.2.x

--Rob
-Where is the Domain controller?
Local Main Site Subnet Physically located next to eachother.
-How is your VPN established. Is the VPN server a Windows server on the main network, or a VPN router. I noticed the Netopia 4652 (you say 4562 above) is a VPN router
Tje server is a windows server 2003 member server
-What are you using for the VPN client, Windows client or other?
windows client
-Is the Netopia both a DSL modem and a router, if so is there another router at that site?
Yes Netopia is a NAT router.The VPN Server also  doubles as a router as IT has Remote Desktop WebConnections and WSUS running on it.Private IP 192.x.x.x and public static 65.x.x.x

-I didn't mention but the main office subnet and the remote network subnet should be different. For example if the main office is 192.168.1.x the remote site should be something else like 192.168.2.x
Local is 192.168.1.x and remote depends on location. Usually different but sao far inconsistant at best.

I do understand what u mean. the resulting errors above  happen because of problems with VPN they are not causing the problems with VPN. Doess DNS need to be configured some way different for VPN to work

Perhaps the question should be since i am new to this is what is the best way to coinfigure a windows vpn server client, and a NAT router firewall to allow VPN to work ?
ASKER CERTIFIED SOLUTION
Avatar of Rob Williams
Rob Williams
Flag of Canada image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
the DHCP Relay Agent was not working properly thanks for the help. Statically assigned Addresses fixed the problem :)
Thanks tattsnyc,
--Rob