Solved

vpn connection error

Posted on 2006-05-04
Last Modified: 2008-03-17
I'm troubleshooting a connection failure using checkpoint vpn client.  I'm using XP and installed the client and am getting a connection failure.

To give a little background.  Initially, I was going thru a linksys router, with IPSEC enabled.  It didn't work.  Then I tried a DLINK with IPSEC enabled.  It didn't work.  So, I took the router out of the equation and connected my DSL modem directly to my PC, established a PPPoE connection to the Intranet...no problem.  Again, tried to establish a connection using the VPN client...connection failed.  The VPN client has been tested on other PC's running XP and it works no problem.  I'm using the same version.  The problem seems to point to my ISP, so I called them.  I thought there might be some port blocking or added security on their end that doesn't allow checkpoint vpn through their firewall.  They informed me that there was nothing on their end to prevent me from connecting.  Ports were open, the DSL modem I was using was a bridge or non-bridged modem (can't remember), but basically the modem wouldn't have anything that would cause me not to be able to connect.  So, I'm stumped?  I don't know what else to try?

Has anyone had any suggestions?  I still think this is something to do with my ISP, but have nothing to come back with to say hey, could it possibly be this?

Any help with this would be greatly appreciated.  I'm not sure what to try next?

Thanks,
-D-
Question by:-Dman100-
30 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16611280
Hi -Dman100-,

What's the exact error you get when connecting?
0
 

Expert Comment

by:packetblast
ID: 16611310
What is the error?  Does it point to a certain phase etc?

Do you have a static IP or internal IP from your ISP? If internal, I would also point to the ISP and possibly you could try a static IP.  

Personally, I stick with Sonicwalls with VPN's....they are great!  

0
 

Author Comment

by:-Dman100-
ID: 16611377
When I'm connected thru my router, which I am now (linksys), I get the error: "can't resolve name!"

If I just connect directly from my modem to the PC, I get a connection error...it just times out and never makes the connection.

So, the router error is a gateway problem (not sure what is incorrect in my router setup)?
0

 

Author Comment

by:-Dman100-
ID: 16611392
The error thru my router when trying from a Win 2000 server box shows this error:

"Error: Communication with gateway 204.249.115.140 at site fwng.compasslearning.com failed."

In XP, the error was: "Can't resolve name!"

0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16611416
CheckPoint has the ability to restrict access by client. If restrictions are in place, installing the same client with the same User Name and password on another machine, does not guarantee you access. Did you set up the VPN server/router end, or is there a system administrator you could talk to? The "can't resolve name!" might imply a restriction or wrong user name.
Just a thought.
0
 

Author Comment

by:-Dman100-
ID: 16611476
Yeah, I've been working with our network administrators and they are scratching their heads?  They have no clue what is causing this.  Again, using the same version of the client on different PC's using the same OS, the connection works fine.

Only on my end does it not work.

0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16611528
Hmm, I use Checkpoint and if it's authentication issues then it is usually very clear - but I know nothing compared to Rob on this

does the network admin get a record of you actually attempting to log on at his end?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16611529
Interesting. I assume compasslearning offers on-line training, and probably set up hundreds or thousands of these accounts. So unlikely you have been singled out. Though very rare, some ISP's and some modems do block IPSec traffic, though you mention yours say they do not. Any chance this is a laptop you could try from another location. It would isolate the problem quickly.
Do you have SP2 installed on the computer? There were changes to IPSec a while back on XP. There was an update, but installing SP2 ensures you have the updated files.
0
 

Author Comment

by:-Dman100-
ID: 16611588
I have several boxes I'm working off of on my home network...XP Pro, Win 2000 Pro and Win 2000 Server.  All receive the same error thru the router or directly connected to the modem.

I'll check with the admin tomorrow and see if they have a log of me attempting to log in.  I'm using a default username and password, so I don't know how many other folks would be using the same login?

I'm wondering if this is a firmware issue with my router?  Or possibly a MTU setting in my router that isn't correct?

As you pointed out, ISP's can block IPSec traffic, which all of this was pointing to my ISP, but when we called they said there was nothing on our end.  They more or less gave me the brush off and didn't want to deal with the problem.  I'd like to get some information that I might be able to come back to them with, that potentially does point to a problem on their side.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16611604
on your vpn client - does it actually hit the server before erroring or the name resolution error comes up straight away? have you got an ip set or a name as the destination?
0
 

Author Comment

by:-Dman100-
ID: 16611675
The name resolution error does not come up straight away.  I type in the URL and I'm prompted to authenticate.  I type in the username and password, it says "Getting data from the site"

Waits about 30 seconds and then I get the error:

"Error: Communication with gateway 204.249.115.140 at site fwng.compasslearning.com failed."
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16611684
Then it doesn't look like your ISP, as you are reaching the site and being asked to authenticate

Your admin needs to give you a "why" it's being rejected
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16611767
Jay_Jay70, do you know at what point IPSec kicks in with the CheckPoint connection? Initial connection might be pre-IPSec, so it could still possibly be an ISP IPSec issue.

-Dman100- what is the public IP of your router? Don't publish it here for security reasons, but just let us know the first 2 octets like 123.123.xxx.xxx  Some ISP's perform NAT (Network Address Translation), mostly in rural areas, resulting in a private, rather than public IP. This could cause problems.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16611793
You're correct as usual Rob, just confirmed that IPSec is phase 2 with Checkpoint -  A handshake and a tunnel phase.  
0
 

Author Comment

by:-Dman100-
ID: 16611809
Do you mean the dynamic IP I get from my ISP?

If so,

207.119.xx.xx

0
 

Author Comment

by:-Dman100-
ID: 16611813
Is this a solvable problem?  What does IPSec in phase 2 with CheckPoint mean?  I'm lost with this?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16611851
>"you're correct as usual Rob"
James, if I send you my wife's e-mail, I would greatly appreciate it if you would forward that to her. <G>

>"207.119.xx.xx"
That's it -Dman100-, and that is fine, shouldn't be any problem with that.

This really sounds like ISP related, though it is not common. The fact that your IP is OK, you have tried connecting directly to the modem, and you have tried multiple computers only leaves human error in setting up the client (I don't mean to be insulting) or the ISP. As I understand it, the beauty of the CheckPoint client is its ease of installation, so I am doubtful that is the problem. However, most ISP help desk technicians I have talked to, do know what IPSec is, so they may honestly not know if there is a problem. If you could get one of your computers to work at another location, or bring a working computer from another location to your connection it would verify the issue and give you some ammunition to use against the ISP. Very odd though.

I'm about to pack it in for the night. But will check in tomorrow.

ps- This is the article I was referring to earlier pertaining to IPSec. The update was superseded with SP2, so if installed please ignore.
http://support.microsoft.com/kb/818043

pps- >" What does IPSec in phase 2 with CheckPoint mean?  I'm lost with this?"
Authentication, with a CheckPoint VPN and most others, is in 2 stages. Phase one is basically an introduction agreeing upon terms and who is who, phase two sets up the encryption and access. Really just means we cannot rule out the ISP.
0
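Added example, not part of the thread or any poster's code: one way to answer "does it point to a certain phase?" from a packet capture taken on the client, by reading the cleartext ISAKMP header of each IKE packet and reporting how far the negotiation got. It assumes the gateway speaks standard IKEv1 on UDP 500 (the port named in the thread) and that the UDP payloads have already been extracted; the function names and the sample capture are constructed for illustration.

```python
import struct

# IKEv1/ISAKMP exchange types (RFC 2408, RFC 2409) and the phase each belongs to
EXCHANGES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}
PHASE = {"main-mode": 1, "aggressive-mode": 1, "quick-mode": 2}

def parse_isakmp(payload):
    """Decode the fixed 28-byte ISAKMP header that starts every UDP/500 payload."""
    if len(payload) < 28:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", payload[:28])
    return {"icookie": icookie, "rcookie": rcookie, "version": version,
            "exchange": EXCHANGES.get(xchg, "unknown(%d)" % xchg),
            "encrypted": bool(flags & 0x01), "msg_id": msg_id, "length": length}

def diagnose(packets):
    """packets: (direction, payload) pairs in capture order, direction 'out' or 'in'."""
    sent, answered, any_reply = set(), set(), False
    for direction, payload in packets:
        phase = PHASE.get(parse_isakmp(payload)["exchange"])
        if direction == "in":
            any_reply = True          # even a notification shows UDP 500 gets back
        if phase:
            (sent if direction == "out" else answered).add(phase)
    if 1 not in sent:
        return "no-ike-sent"          # client never started; look at the PC itself
    if not any_reply:
        return "phase1-no-reply"      # UDP 500 dropped on the path or ignored by the gateway
    if 2 not in sent:
        return "phase1-only"          # gateway reachable; negotiation stopped in phase 1
    if 2 not in answered:
        return "phase2-no-reply"      # phase 2 requested, gateway stayed silent
    return "phase2-answered"          # both phases answered; check ESP (IP protocol 50) next

def mk(xchg, rcookie=b"\0" * 8, flags=0, msg_id=0):
    """Build a header-only ISAKMP packet (constructed sample data, not a real capture)."""
    return struct.pack("!8s8sBBBBII", b"CONSTRUC", rcookie, 0, 0x10, xchg, flags, msg_id, 28)

# Constructed capture: three Main Mode retransmissions, nothing ever comes back
SAMPLE_TIMEOUT = [("out", mk(2))] * 3

if __name__ == "__main__":
    print(diagnose(SAMPLE_TIMEOUT))
```

A "phase1-no-reply" result from the home connection, next to a later-stage result for the same client on another connection, is the kind of evidence that can be taken back to the ISP.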
 

Author Comment

by:-Dman100-
ID: 16618525
I've spoken to my ISP again and I have a bridged modem and they are telling me nothing could be blocking it on their end.  We are using standard ports for VPN.

Does Windows 2000 Server, 2000 Pro and XP have any firewall software automatically run that could cause the VPN connection to fail?

Everything points to the ISP, but again, I don't know what to tell them to get them to investigate further?

0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16619733
If modem is "bridged" it should pass all traffic of any sort through, assuming it is working properly. Likely is or there would be other problems.

2000pro doesn't have any internal software. I don't recall if server 2000 has some NAT filtering if RRAS is enabled. We can follow that up if you have Server 2000 , let us know.
Windows XP SP1, SP2 and Server 2003 with SP2 have firewalls that are enabled by default. These will block the VPN. You can configure them, but for test purposes I would disable them for sure. [ Control panel | Windows Firewall | Off ]
If you should still have XP with SP1, the firewall is not as "effective" and is disabled differently; try Control Panel | Network connections | Right click on the network adapter | choose Advanced. Firewall configuration should be there if you have XP SP1.

Only way I think you can prove it is the ISP is take one of your computers to another site, or bring one home from the other site. This will prove the only difference is the connection.
0
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 1000 total points
ID: 16619787
I think Windows Firewall would kick up a stink well before you actually got as far as you do. I may be wrong, but the firewall doesn't let anything out coz it's crap..... and yes, that is the professional term for it, crap
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16619800
Actually please ignore my comments above, about the Windows firewall. Just catching up tonight and I forgot you were using Checkpoint. The Windows firewall is an issue only with incoming connections such as with a PPTP VPN on a Windows server. Your connections are outgoing (to a router rather than Windows VPN server) and Jay_Jay70 is 100% correct, if there was an issue it would send up a flag/warning as soon as you started the connection.  
Though I am surprised it didn't, most clients the first time you try to connect have a window that pops up and says application xyz is trying to connect to the Internet, do you wish to allow or block the connection. This is only on XP with service pack 2. If using XPsp2, there should be no issue, unless you choose block.
0
 

Author Comment

by:-Dman100-
ID: 16619862
I have three PC's behind my linksys router with a home LAN setup.  I'm running one box with XP Sp1, another box with Win 2000 Pro and the last box is 2000 Server.

I've tried on all PC's and can't make the connection.  I'm trying to get it to work on the 2000 Server box because that is where I will setup my SQL Server instance to work with the remote server database.

I've tried disabling the firewall on the XP box and still getting the same error.  We are using standard port 500 for vpn.

My ISP has been very adamant that the problem isn't on their end.  I kind of got the brush off from them.  They said they have lots of VPN connections through their network and it simply isn't an issue from their side.  I've taken it to their tier 2 support and that's what they are telling me?

I hate getting stumped like this.  Something is certainly amiss?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16619911
As much as it sounds like an ISP issue I have to agree it is not common. Only thing I can suggest at this point is to try to narrow it down. Easiest way, as suggested above, is find a laptop or PC that works somewhere else and try it at your site.

0
 

Author Comment

by:-Dman100-
ID: 16619991
yeah, that is what our network administrators are suggesting to try as a next step.  We'll give that a shot and see what happens.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16620009
Nuisance, but at least you can be sure.
Let us know how you make out.
--Rob
0
 

Author Comment

by:-Dman100-
ID: 16622195
Thanks Rob...I will post back with whatever solution we finally arrive at.

I was thinking about it last night and not sure this would cause any problem, but it was just a thought.  From my wall, I have a splitter, so I can plug in my DSL line and the phone line.  The phone line has the filter, so I don't get the noise on the line.  I'm wondering if the splitter or the filter could cause any kind of disruption??

It was just a consideration to try and eliminate that as a possible cause.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16622226
Is it a splitter or a filter? All DSL lines have to have a filter installed somewhere on the line unless it is a dedicated line for the DSL, i.e. no phone connection available. Shouldn't be an issue whether splitter or filter.
0
 

Author Comment

by:-Dman100-
ID: 16622359
I have a two plug splitter that plugs into the phone jack and then I plug the DSL line into one jack on the splitter and the filter plugs into the other jack on the splitter and phone line plugs into the filter.

Well, it was wishful thinking anyway :)
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 1000 total points
ID: 16622497
As a rule there are 2 ways to install DSL in a residence:
1) they install a little box at the demarcation point (entrance point) of your home. This contains a low frequency filter and splits the incoming telephone line to a standard phone line and a DSL line. The phone line is connected to the phone circuits through the house and the DSL/Data line is run to your modem.
2) the line to your home is DSL enabled and left as is, and you install a low frequency filter everywhere there is a phone or fax. You can split the line wherever you want so long as:
  a) you do not filter the signal going to the modem
  b) you use a filter for each telephone/fax device
  c) insert the filter between the phone cord and the wall, not between the phone cord and the phone. The latter reverses the direction of the filter and not all filters are bi-directional.

So long as rules a, b, & c are followed that shouldn't cause a problem. However, if not followed, it will degrade the DSL connection.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16703690
Thanks Dman100,
--Rob
0
