-Dman100- asked:
vpn connection error

I'm troubleshooting a connection failure using checkpoint vpn client.  I'm using XP and installed the client and am getting a connection failure.

To give a little background.  Initially, I was going through a Linksys router, with IPSEC enabled.  It didn't work.  Then I tried a DLINK with IPSEC enabled.  It didn't work.  So, I took the router out of the equation and connected my DSL modem directly to my PC, established a PPPoE connection to the Intranet...no problem.  Again, tried to establish a connection using the VPN client...connection failed.  The VPN client has been tested on other PCs running XP and it works no problem.  I'm using the same version.  The problem seems to point to my ISP, so I called them.  I thought there might be some port blocking or added security on their end that doesn't allow checkpoint vpn through their firewall.  They informed me that there was nothing on their end to prevent me from connecting.  Ports were open, the DSL modem I was using was a bridge or non-bridged modem (can't remember), but basically the modem wouldn't have anything that would cause me not to be able to connect.  So, I'm stumped?  I don't know what else to try?

Has anyone had any suggestions?  I still think this is something to do with my ISP, but have nothing to come back with to say hey, could it possibly be this?

Any help with this would be greatly appreciated.  I'm not sure what to try next?

Thanks,
-D-
Jay_Jay70

Hi -Dman100-,

What's the exact error you get when connecting?
packetblast

What is the error?  Does it point to a certain phase etc?

Do you have a static IP or internal IP from your ISP? If internal, I would also point to the ISP and possibly you could try a static IP.

Personally, I stick with SonicWalls with VPNs....they are great!

-Dman100- (asker)

When I'm connected through my router, which I am now (Linksys), I get the error: "can't resolve name!"

If I just connect directly from my modem to the PC, I get a connection error...it just times out and never makes the connection.

So, the router error is a gateway problem (not sure what is incorrect in my router setup)?
The error through my router when trying from a Win 2000 server box shows this error:

"Error: Communication with gateway 204.249.115.140 at site fwng.compasslearning.com failed."

In XP, the error was: "Can't resolve name!"

Rob Williams
CheckPoint has the ability to restrict access by client. If restrictions are in place, installing the same client with the same User Name and password on another machine, does not guarantee you access. Did you set up the VPN server/router end, or is there a system administrator you could talk to? The "can't resolve name!" might imply a restriction or wrong user name.
Just a thought.
Yeah, I've been working with our network administrators and they are scratching their heads?  They have no clue what is causing this.  Again, using the same version of the client on different PCs using the same OS, the connection works fine.

Only on my end does it not work.

Hmm, I use Checkpoint and if it's authentication issues then it is usually very clear - but I know nothing compared to Rob on this.

Does the network admin get a record of you actually attempting to log on at his end?
Interesting. I assume compasslearning offers on-line training, and probably set up hundreds or thousands of these accounts. So unlikely you have been singled out. Though very rare, some ISPs and some modems do block IPSec traffic, though you mention yours say they do not. Any chance this is a laptop you could try from another location? It would isolate the problem quickly.
Do you have SP2 installed on the computer? There were changes to IPSec a while back on XP. There was an update, but installing SP2 ensures you have the updated files.
I have several boxes I'm working off of on my home network...XP Pro, Win 2000 Pro and Win 2000 Server.  All receive the same error through the router or directly connected to the modem.

I'll check with the admin tomorrow and see if they have a log of me attempting to log in.  I'm using a default username and password, so I don't know how many other folks would be using the same login?

I'm wondering if this is a firmware issue with my router?  Or possibly a MTU setting in my router that isn't correct?

As you pointed out, ISPs can block IPSec traffic, which all of this was pointing to my ISP, but when we called they said there was nothing on our end.  They more or less gave me the brush off and didn't want to deal with the problem.  I'd like to get some information that I might be able to come back to them with, that potentially does point to a problem on their side.
On your VPN client - does it actually hit the server before erroring, or does the name resolution error come up straight away? Have you got an IP set or a name as the destination?
The name resolution error does not come up straight away.  I type in the URL and I'm prompted to authenticate.  I type in the username and password, it says "Getting data from the site"

Waits about 30 seconds and then I get the error:

"Error: Communication with gateway 204.249.115.140 at site fwng.compasslearning.com failed."
Then it doesn't look like your ISP, as you are reaching the site and being asked to authenticate.

Your admin needs to give you a "why" it's being rejected.
Jay_Jay70, do you know at what point IPSec kicks in with the CheckPoint connection? Initial connection might be pre-IPSec, so it could still possibly be an ISP IPSec issue.

-Dman100- what is the public IP of your router? Don't publish it here for security reasons, but just let us know the first 2 octets like 123.123.xxx.xxx  Some ISPs perform NAT (Network Address Translation), mostly in rural areas, resulting in a private, rather than public IP. This could cause problems.
You're correct as usual Rob, just confirmed that IPSec is phase 2 with Checkpoint - a handshake and a tunnel phase.
Do you mean the dynamic IP I get from my ISP?

If so,

207.119.xx.xx

Is this a solvable problem?  What does IPSec in phase 2 with CheckPoint mean?  I'm lost with this?
>"You're correct as usual Rob"
James, if I send you my wife's e-mail, I would greatly appreciate it if you would forward that to her. <G>

>"207.119.xx.xx"
That's it -Dman100-, and that is fine, shouldn't be any problem with that.

This really sounds like ISP related, though it is not common. The fact that your IP is OK, you have tried connecting directly to the modem, and you have tried multiple computers only leaves human error in setting up the client (I don't mean to be insulting) or the ISP. As I understand it, the beauty of the CheckPoint client is its ease of installation, so I am doubtful that is the problem. However, most ISP help desk technicians I have talked to, do know what IPSec is, so they may honestly not know if there is a problem. If you could get one of your computers to work at another location, or bring a working computer from another location to your connection it would verify the issue and give you some ammunition to use against the ISP. Very odd though.

I'm about to pack it in for the night. But will check in tomorrow.

ps- This is the article I was referring to earlier pertaining to IPSec. The update was superseded with SP2, so if installed please ignore.
http://support.microsoft.com/kb/818043

pps- >" What does IPSec in phase 2 with CheckPoint mean?  I'm lost with this?"
Authentication, with a CheckPoint VPN and most others, is in 2 stages. Phase one is basically an introduction agreeing upon terms and who is who, phase two sets up the encryption and access. Really just means we cannot rule out the ISP.
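As an added example (not from this thread or from Check Point), here is a small Python script that turns a tcpdump-style capture of a connection attempt into the kind of evidence the ISP can be asked about: it counts IKE (UDP 500), NAT-T (UDP 4500) and ESP packets in each direction and reports which stage went unanswered, so phase 1 working while phase 2 traffic gets no replies shows up plainly. The capture lines and the client address 192.168.1.10 are constructed sample data; the gateway address is the one quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format (not a real capture): the client
# 192.168.1.10 gets a reply to its UDP 500 (phase 1) packet from the gateway,
# but its phase 2 negotiation, NAT-T and ESP traffic are never answered.
SAMPLE_CAPTURE = """\
IP 192.168.1.10.500 > 204.249.115.140.500: isakmp: phase 1 I ident
IP 204.249.115.140.500 > 192.168.1.10.500: isakmp: phase 1 R ident
IP 192.168.1.10.500 > 204.249.115.140.500: isakmp: phase 2/others I oakley-quick
IP 192.168.1.10.4500 > 204.249.115.140.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
IP 192.168.1.10 > 204.249.115.140: ESP(spi=0x0000a1b2,seq=0x1), length 132
"""

# "IP <src>[.<port>] > <dst>[.<port>]: <payload>" as tcpdump prints it.
LINE_RE = re.compile(
    r"^IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)$")

def channel(sport, dport, payload):
    """Map one packet to the VPN channel it belongs to."""
    if payload.startswith("ESP("):
        return "esp"      # IP protocol 50: the phase 2 data path
    if "500" in (sport, dport):
        return "ike"      # UDP 500: phase 1 and phase 2 negotiation
    if "4500" in (sport, dport):
        return "nat-t"    # UDP 4500: IKE/ESP encapsulated to cross NAT
    return "other"

def summarize(capture_text, client_ip):
    """Count packets per channel and direction, as seen from client_ip."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, payload = m.groups()
        if src == client_ip:
            counts[channel(sport, dport, payload)]["out"] += 1
        elif dst == client_ip:
            counts[channel(sport, dport, payload)]["in"] += 1
    return dict(counts)

def diagnose(counts):
    """Name the first stage of the connection that the capture shows unanswered."""
    ike = counts.get("ike", {"out": 0, "in": 0})
    data_out = sum(counts.get(c, {}).get("out", 0) for c in ("esp", "nat-t"))
    data_in = sum(counts.get(c, {}).get("in", 0) for c in ("esp", "nat-t"))
    if ike["out"] == 0:
        return "no IKE sent: client-side problem (config, name resolution, local firewall)"
    if ike["in"] == 0:
        return "IKE sent but unanswered: UDP 500 blocked or gateway unreachable"
    if data_out and not data_in:
        return "phase 1 answered, ESP/NAT-T unanswered: IPSec data path blocked on the path"
    return "tunnel traffic seen in both directions"
```

Run it against a real capture taken on the client (tcpdump or an equivalent) with the client's own address, and the returned sentence is the one to take to the ISP or the VPN administrator.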
I've spoken to my ISP again and I have a bridged modem and they are telling me nothing could be blocking it on their end.  We are using standard ports for VPN.

Does Windows 2000 Server, 2000 Pro and XP have any firewall software automatically run that could cause the VPN connection to fail?

Everything points to the ISP, but again, I don't know what to tell them to get them to investigate further?

If modem is "bridged" it should pass all traffic of any sort through, assuming it is working properly. Likely is or there would be other problems.

2000 Pro doesn't have any internal software. I don't recall if Server 2000 has some NAT filtering if RRAS is enabled. We can follow that up if you have Server 2000, let us know.
Windows XP SP1, SP2 and Server 2003 with SP2 have firewalls that are enabled by default. These will block the VPN. You can configure them but for test purposes I would disable them for sure. [ Control panel | Windows Firewall | Off ]
If you should still have XP with SP1, it is not as "effective" and is disabled differently, try Control Panel | Network connections | Right click on the network adapter | choose advanced. Firewall configuration should be there if you have XP SP1.

Only way I think you can prove it is the ISP is take one of your computers to another site, or bring one home from the other site. This will prove the only difference is the connection.
SOLUTION (Jay_Jay70; members-only, not shown)
Actually please ignore my comments above, about the Windows firewall. Just catching up tonight and I forgot you were using Checkpoint. The Windows firewall is an issue only with incoming connections such as with a PPTP VPN on a Windows server. Your connections are outgoing (to a router rather than Windows VPN server) and Jay_Jay70 is 100% correct, if there was an issue it would send up a flag/warning as soon as you started the connection.
Though I am surprised it didn't, most clients the first time you try to connect have a window that pops up and says application xyz is trying to connect to the Internet, do you wish to allow or block the connection. This is only on XP with service pack 2. If using XPsp2, there should be no issue, unless you choose block.
I have three PCs behind my Linksys router with a home LAN setup.  I'm running one box with XP SP1, another box with Win 2000 Pro and the last box is 2000 Server.

I've tried on all PCs and can't make the connection.  I'm trying to get it to work on the 2000 Server box because that is where I will setup my SQL Server instance to work with the remote server database.

I've tried disabling the firewall on the XP box and still getting the same error.  We are using standard port 500 for vpn.

My ISP has been very adamant that the problem isn't on their end.  I kind of got the brush off from them.  They said they have lots of VPN connections through their network and it simply isn't an issue from their side.  I've taken it to their tier 2 support and that's what they are telling me?

I hate getting stumped like this.  Something is certainly amiss?
As much as it sounds like an ISP issue I have to agree it is not common. Only thing I can suggest at this point is to try to narrow it down. Easiest way, as suggested above, is find a laptop or PC that works somewhere else and try it at your site.

Yeah, that is what our network administrators are suggesting to try as a next step.  We'll give that a shot and see what happens.
Nuisance, but at least you can be sure.
Let us know how you make out.
--Rob
Thanks Rob...I will post back with whatever solution we finally arrive at.

I was thinking about it last night and not sure this would cause any problem, but it was just a thought.  From my wall, I have a splitter, so I can plug in my DSL line and the phone line.  The phone line has the filter, so I don't get the noise on the line.  I'm wondering if the splitter or the filter could cause any kind of disruption?

It was just a consideration to try and eliminate that as a possible cause.
Is it a splitter or a filter? All DSL lines have to have a filter installed somewhere on the line unless it is a dedicated line for the DSL, i.e no phone connection available. Shouldn't be an issue whether splitter or filter.
I have a two plug splitter that plugs into the phone jack and then I plug the DSL line into one jack on the splitter and the filter plugs into the other jack on the splitter and phone line plugs into the filter.

Well, it was wishful thinking anyway :)
ASKER CERTIFIED SOLUTION (members-only, not shown)
Thanks Dman100,
--Rob