Solved

QuickVPN connecting to WRV200 gets 'End of file' error.

Posted on 2006-05-26
Last Modified: 2012-08-13
i just set up a Linksys WRV200. works fine. Then i set up the VPN part of the router.
I loaded all the current firmware, and also downloaded/installed the latest version of QuickVPN from Linksys. When i connect to the router from a Win XP SP2 computer, to the VPN router, the wget_error.txt file (log file) in the quickvpn directory, says:
Connecting to questnovato.dyndns.org[69.3.237.129]:60443... connected.
HTTP request sent, awaiting response...
End of file while parsing headers.
Giving up.

===
any idea what this means? i tried all troubleshooting tips from Linksys and others.
0
Question by:randydoddaccounts
20 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16773657
It should mean the client connected to your IP, using your DDNS service, to port 60443 which is the default port, if port 443 is not available (being used by another service).
Did you get a connection? If you hold the mouse over the icon on the task bar it should say connected. If so, try pinging the LAN/private (not public) IP address of the WRV200 as a basic test.
I assume questnovato.dyndns.org is your DDNS domain name?
0
 

Author Comment

by:randydoddaccounts
ID: 16773818
after clicking "connect", it says "failed to establish a connection." and gives a list of reasons
(firewall, ip, etc etc.) and the system tray icon says "disconnected".

that is when i found the log info.

yes, my ddns name. i also used the ip address, and it does the same thing. i have confirmed that router WAN address is as stated in the log, etc. Not sure why it's using 60443, instead of 443. (?) Don't really care as long as the router can handle 60443.

0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16773838
If you are not using port 443 it should use that first, but 60443 is fine.
The QuickVPN often seems to have problems with the router at the site you are connecting from. Would be worth testing to try to narrow down the problem by connecting the PC directly to the modem for a couple of minutes.
Note: This of course increases the risk of attacks from outside sources, so for safety's sake make sure virus software and Windows patches are up to date, virus and firewall software enabled and file and print sharing is switched off.

You might also want to have a look at the QuickVPN check list. The site seems to be down, so I will post the whole thing. From:  http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=11664

QUICKVPN CONNECTION FOR WRV54G/RV0XX SERIES ROUTERS
NOTE: There may be variances in some areas of web interface, but this document is proven to work!  

ON THE WRV54G/RV0XX ROUTERS:
1) Setup Page
Internet Connection Type: Automatic Configuration (DHCP)
MTU: Auto
DHCP Server: Disable
Time Setting: (GMT) England [Obviously set this to your own zone or leave at default]

NOTE: If your ISP has recently changed from “data” to “ipstream” you may have to change the MTU from “auto” to “manual” in order to allow vpn data transfer. A common symptom of change in Ethernet technology is when you try to transfer information across a tunnel and you get “Network is no longer available.” In this instance, the MTU is set “too high” (i.e., 1492) and isn’t able to “pass through” the segment at the distant end. Think of a 6 foot tall man trying to fit through a door made for a 4 foot child. By adjusting the MTU to suit the situation, you now have a means of assuring data gets through. (Doc/1 Aug 05)

2) Security ---> VPN Page
Ipsec: Enable
PPTP: Enable
L2TP: Disable

NOTE: This goes away from previous advice I’ve given but we’re trying something new. People were able to connect before, so this slight change really shouldn’t alter that much. Furthermore, the 50 vpn tunnels that come with the WRV54G/RV0XX routers are designed to work with third party vpn clients (i.e., SSH Sentinel, Greenbow, Logmein, etc...) and "not" with quickvpn. Quickvpn handles all aspects of negotiation by itself (now that the mystery is solved, it's a clever little tool to me )
Also, in the WRV54G/RV0XX manual, where it shows you how to create an IPSEC policy, if you're using quickvpn, this, by default of installation is already done for you by Quickvpn (look in the Program Files\Linksys\Linksys VPN Client directory on your computer and you will see this.) If you are "not" going to use Quickvpn, you could try this (yes, some people have been able to do it). Also, as noted by Chris Watts (a.k.a. Chris547), quickvpn uses a randomly created pre shared key every time it connects. I think I may love quickvpn now...

Remaining settings on this page should be disabled.

3) Access Restrictions:
- Start off by using a simple name and password combination such as
username: test
password: tester

4) Apps & Gaming
"NO" vpn port forwarding settings of any kind (500, 1701, 1723, etc...) are required for quickvpn to work. It establishes its own tunnel.

Additionally:
- Try using firmware 2.37.13, 2.38 (you can download 2.38 from linksysinfo.org), or 2.38.6. I’m currently using the 50 user license upgrade from Linksys (firmware version 2.37E) and it works perfectly!

- SNMP & UPNP are disabled.

- Make sure the ipsec service under settings is started. If you’ve ever loaded SSH Sentinel, SSH knocks ipsec offline and you never even know it unless you happen to be checking services to see why your tunnel doesn’t come up (I found this information out surfing forums).

- "DO NOT" have any other vpn application "LOADED" on your machine other than quickvpn; even if you have another vpn application loaded and its process is shut off in the back ground, quickvpn still "will--not--run" if it's loaded. If you happen to be able to do this, you're quite fortunate, otherwise, load quickvpn only to avoid conflict.

- Disable any firewall that you currently have running for the moment (again, we're establishing a baseline). I use Norton Internet Security 2003 and can connect to Dave's vpn segment with my firewall up so you might want to consider a new firewall in the event you can't connect with your current firewall running. Incidentally, when I’m at a wireless internet café, I have to drop my firewall on my laptop to make the connection to vpn, but I’m sure this is just something to do with how the router policies of that local business’s router are enforced. Other than that, I connect to a remote vpn host (from my home”) with my firewall up. Once you’ve made the connection, just turn your firewall back on.

- Copy and paste this link into your browser to get your WAN IP address if you don’t know it for sure (http://remote.12dt.com/rns/) to place in quickvpn's "Server Address" field.

Here's one more thing. Copy and paste this link into your browser (http://www.dslreports.com/drtcp). This application will allow you to adjust the MTU setting of your NIC "on the fly" if you bump into a problem with the MTU causing tunnel drops. Make your MTU setting "On The Client" 1458 “if” there are problems with tunnel connectivity.

REASONS YOU CANNOT CONNECT WITH QUICKVPN (NEW)

1. The quickvpn client is not the only vpn client loaded on the client machine.

2. MTU on the WRV54G you are connecting to isn't set at "auto" and/or the packets being sent from the client computer are too large (should this be the case, download "DrTCP" and set the MTU of the client's NIC to 1458). Additionally, it doesn't hurt to check and see if the MTU on the client router is set at "auto" also.

3. You are trying to connect through a dialup or ISDN connection.
NOTE: I have never been able to connect from a dialup/ISDN connection with quickvpn. More power to those who can.

UPDATE: Recently, someone was able to connect over dialup in a highly "unusual" manner. Basically, when connecting over ISDN, quickvpn hangs at “verifying network” but it will still negotiate the ip security portion and allow you access to your LAN. The only way to close the connection is to terminate it through task manager.

4. The firewall software on your computer is registering the "ACK" conversation from the distant-end device (wrv54g) as an "Invalid ICMP Type." In this instance you can either "shut down" the firewall for the session or, as I've done, uninstalled my firewall software (NIS 2004) and quickvpn, then reinstalled both (Norton first followed by quickvpn). After that, launch quickvpn, and once Norton detects it, it establishes all the proper rules to allow it to pass through the firewall. Hopefully your firewall software should do the same.

In the case of #4, I never caught this until I noticed after reloading one of my computers, I had to drop the firewall on one of them to access "the same damn share" as the others, but I didn't have to bring the firewall down on any of the others except that one particular machine.

5. IPSEC Passthru is not enabled on the client/distant end router.

6. You have communication software loaded that is preventing quickvpn authentication with the wrv54g router.

Note: I loaded software from motorola cellphone that installed its own "liveupdate" software that blocked quickvpn from talking to my wrv54g router. I knew there was a program I'd recently loaded that was most likely the problem because I had just used quickvpn an hour prior.

7. You have installed two nic’s on the client computer and quickvpn is trying to utilize the connection that is not assigned an ip address. Simply disable the card that is not being used.

8. IPSEC is not running on the client computer you’re connecting with. To remedy this, go into control panel, administrative tools, then click on services. If IPSEC isn’t started, set it to automatic and start the service. If you’ve ever used ssh sentinel, this knocks your ipsec out and you have to go into windows services to restart it.

9. The user account and password is not created or has not been typed in correctly.

10. Large downloads will disrupt the router's tables causing quickvpn to not respond every so often.

11. Quickvpn terminates in the middle of a quickvpn session. Just like #10, this hoses up the routing tables for vpn. The answer is to delete all existing accounts and recreate them (don’t create the same username and passwords twice) or reset the router to factory default and start from scratch.

These configurations are just what I’ve noticed when having quickvpn problems. People world wide have been following this guide and have had success with the WRV54G, RV042 and the RV082 routers. Again, this is just a baseline. When you figure out what you need, just vary things as needed.
0

 

Author Comment

by:randydoddaccounts
ID: 16774060
tweaked the heck out of the router. no clue as to which one of the bazillion things i changed, actually worked, but now it gets to "Verifying Network". and hangs. cannot ping anything in remote "local" network.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16775352
Can you ping even the LAN side of the WRV54G itself? This is a good test as it bypasses any possible network or firewall issues of the WRV200.
Did you try taking the router at the client site out of the picture as a test?
Looking at the manual, unlike other models of Linksys, this one doesn't seem to give you a connection indicator on the management page.
Anything in the router's logs indicating it tried to establish a connection?

By the way always make sure you have the latest firmware when setting up Linksys routers, especially where this is a new model. They continuously repair problems and add features. The latest version was the 11th of this month:
http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1147187335899&pagename=Linksys%2FCommon%2FVisitorWrapper
0
 

Author Comment

by:randydoddaccounts
ID: 16776522
ok. i bypassed the router (linksys BEFSr41), and turned off the windows firewall. pinged the remote local router (wrv200). finally.
of course, i am now totally unprotected. there are no WRV54G involved.

logs show a connection at the wrv200.
all latest firmware in all.

so now 2 issues: how to get befsr41 to work and windows firewall to work.
2nd: how to connect file shares.

i tried opening port 500 udp on win FW. when i did that, i could connect, but cannot ping wrv200. (192.168.10.1).
so i turned off FW again.

then i tried to connect to net shares. 192.168.10.102\accounting  just errors. not found, etc.
i can ping 4 devices on the remote local net.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16776555
>>"how to get befsr41 to work and windows firewall to work."
On the BEFSR41 there should be an option "enable IPSec pass-through" on the Security\VPN pass-through page. If not you may need to update the firmware.
-If still no luck, connect the BEFSR41 to the modem. Once it is working go to the status page of the router and see what the assigned WAN/Public IP is. If it is a private IP address like 192.168.x.x, 10.x.x.x, or 172.16-31.x.x it means the modem is a combined modem and router. If so it will have to be put in Bridge mode, and the WAN section of the BEFSR41 configured with your ISP connection information.

>>"how to connect file shares"
Name resolution often doesn't work with VPN's. So try connecting by IP such as  \\192.168.123.123\ShareName  or you can map a share at a command prompt using
net  use  Z:  \\192.168.123.123\ShareName  
If this works and you wish to use names I can supply some workarounds with LMHosts files, DNS or WINS

By the way the remote and local subnets need to be different in order to connect. So if site one is using 192.168.0.x the other site will have to use something else such as 192.168.2.x

0
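Two of the checks from the answer above (a private address on the router's WAN side, and local and remote subnets that must differ) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical, the /24 masks are an assumption, and the addresses are the ones quoted in this thread.

```python
import ipaddress

# The three private ranges named in the answer (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wan_is_private(wan_ip):
    """True if the router's WAN address is private, i.e. the modem in
    front of it is itself routing and needs to be put in bridge mode."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in RFC1918)


def subnets_conflict(local, remote):
    """True if the client-side and office-side LANs overlap.
    Accepts host/mask notation such as '192.168.1.50/24'."""
    a = ipaddress.ip_network(local, strict=False)
    b = ipaddress.ip_network(remote, strict=False)
    return a.overlaps(b)


def preflight(wan_ip, local, remote):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if wan_is_private(wan_ip):
        findings.append(f"WAN address {wan_ip} is private: the modem is "
                        "routing, put it in bridge mode")
    if subnets_conflict(local, remote):
        findings.append(f"local {local} overlaps remote {remote}: "
                        "renumber one side")
    return findings


if __name__ == "__main__":
    # Values quoted in the thread; the /24 masks are assumed.
    print(preflight("69.3.237.129", "192.168.1.0/24", "192.168.10.0/24"))
    # Constructed failure case: a private WAN address, and a /16 mask that
    # makes two "different looking" subnets overlap.
    for finding in preflight("192.168.1.64", "192.168.1.50/16",
                             "192.168.10.0/24"):
        print(finding)
```

The second call shows a case the rule of thumb hides: 192.168.1.x and 192.168.10.x only count as different subnets when both sides use a mask of /24 or longer.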
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16776560
Sorry, somehow I missed your last 2 lines.
Do not enable any port forwarding. VPN's have all ports open through the tunnel by default.

When connecting to shares note the syntax, you need the \\  as in my previous post.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16776653
Work-a-rounds for using NetBIOS names over a VPN:
1) Use the IP address (of the computer you are connecting to) when connecting to devices such as;   \\123.123.123.123\ShareName   or map a drive at a  command prompt using  
 Net  Use  U:  \\123.123.123.123\ShareName
2) An option is to use the LMHosts file which creates a table of IP's and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam , instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below;
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose in quotations like "LMHosts". Now when you try to connect to a computer name it should find it as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cnfd_lmh_QXQQ.asp
The drawback of the LMHosts file is you have to maintain a static list of computernames and IP addresses. Also if the remote end uses DHCP assigned IP's it is not a feasible option. Thus in order to be able to use computer names dynamically try to enable with some of the following options:
3) under the WINS configuration on the network adapter make sure NetBIOS over TCP/IP is selected
If you are in a corporate environment or have DNS or WINS servers at the main site:
4) if you have a WINS server add that to the network cards configuration
5) try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration
6) verify your router does not have a "block NetBIOS broadcast" option enabled
7) test if you can connect with the full computer and domain name as  \\ComputerName.domain.local  If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]
0
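Because LMHosts is a static table that has to be maintained by hand, as the post above notes, it is worth checking its entries against the remote subnet before relying on them. This is an added example, not part of the original thread: the function names and the sample entries are constructed, and the 192.168.10.0/24 office subnet assumes a /24 mask on the 192.168.10.x network mentioned in this thread.

```python
import ipaddress

# Constructed sample in LMHosts layout: IP, computer name, optional #PRE.
SAMPLE = """\
# constructed sample entries for the office LAN
192.168.10.102   ACCOUNTING   #PRE
192.168.1.102    FRONTDESK    #PRE
192.168.10.300   PRINTER
192.168.10.103   RECEPTION-WORKSTATION
"""


def parse_lmhosts(text):
    """Return (ip, name, preload) tuples, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Anything after '#' on an entry line is a keyword such as #PRE.
        body, _, tail = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue  # not an "IP name" pair
        preload = tail.strip().upper().startswith("PRE")
        entries.append((fields[0], fields[1], preload))
    return entries


def audit_lmhosts(text, remote_net):
    """Return a list of problems: bad IPs, addresses outside the remote
    subnet, and names longer than NetBIOS allows (15 characters)."""
    net = ipaddress.ip_network(remote_net)
    problems = []
    for ip, name, _preload in parse_lmhosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{name}: invalid IP address {ip!r}")
            continue
        if addr not in net:
            problems.append(f"{name}: {ip} is outside {remote_net}")
        if len(name) > 15:
            problems.append(f"{name}: name exceeds 15 characters")
    return problems


if __name__ == "__main__":
    for problem in audit_lmhosts(SAMPLE, "192.168.10.0/24"):
        print(problem)
```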
 

Author Comment

by:randydoddaccounts
ID: 16776669
ipsec passthru enabled. westell 6100 is a combined modem/router. already set to bridge mode. WAN section of BEFSR41 set to "obtain IP", so verizon using DHCP. with 2 hr lease.

remote site 192.168.10.x
local 192.168.1.x

also tried this using another client. win xp home/pro. earthlink; no router; just modem. removed FW. can ping remote LAN.
but still the \\192.168.10.102\accounting\ does not show the folder. tried the Drive Map.

0
 

Author Comment

by:randydoddaccounts
ID: 16776687
on the BEFSR41, should i turn off "block wan request"? also, should i mess with the MTU? (this is the Client-home side, not the remote/office side).
just to confirm. i am connecting from a Win XP Pro home network, using quickVPN, thru a BEFSR41. to a office Local Net, with the WRV200, that has 3 Win XP Pro systems. both networks are Workgroups, and are Different Workgroup Names.
0
 

Author Comment

by:randydoddaccounts
ID: 16776719
getting closer.... i got the befsr41 to now work in the connection. can still ping remote net. cannot connect to share. let me confirm on this share thing: the remote pc is XP pro i think, maybe xp Home. network is workgroup with name abc1. i ran file share wiz. shared 3 folders. works fine with other computers on remote lan. same workgroup, etc.

is there some type of username/password issue? we do not use passwords on any computers.

my win firewall on the client is still turned off. (??)
0
 

Author Comment

by:randydoddaccounts
ID: 16776745
no WINS servers, no DNS servers, no MSWIN servers (i wish). just 3 computers in a workgroup.
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 16776805
Interesting, usually the problem with the QuickVPN is getting it to connect. Once connected shares are usually straight forward, by IP.

If no WINS or DNS servers stick with using the IP for now. Once working if you want to use names you can configure the LMHosts file. You will not be able to browse the network and see all the computers, regardless.

No you don't need to turn off "block WAN request". That is on several sites but has nothing to do with the tunnel and is a security risk. If disabled it just allows you to ping the public side of the router.

The shares do work from the local network you say. Make sure the firewall on the PC's you are connecting to is disabled, as well as any other software firewalls, such as Norton, McAfee, Zone alarm etc. Also if you are using Norton/Symantec for virus protection you need to disable Internet worm Protection. Also computer should be a member of the same workgroup, and have the same user account installed with the same password. The password should not be blank. However, if a user name and password issue you should be prompted for them.

You can try adjusting the MTU but that doesn't sound like the issue here. MTU most often is an issue when you actually try to browse a share or download information. If you want to test or try changing you should do so on the BEFSR41 and the client machine. See the following:
http://www.chicagotech.net/vpnslow.htm
http://www.dslreports.com/faq/7752
0
 

Author Comment

by:randydoddaccounts
ID: 16776819
will try all these things. thanks for the assistance.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16776907
Thanks randydoddaccounts,
Good luck with it.
If really stuck take the remote computer to the main site to verify it has access to the shares.
--Rob
0
 

Author Comment

by:randydoddaccounts
ID: 16779404
What finally worked for the XP SP2 firewall issue was:

http://support.microsoft.com/kb/889527/ 

i had to load a MS patch, then added LinksysVPN Client to firewall exceptions.
Also added Linksys QuickVPN Client to Startup folder.




0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16779418
You had to add the patch even with the firewall turned off?

I was aware of that patch, but didn't know it even had to be installed with the firewall enabled, although if enabled the firewall has to be configured for QuickVPN.
Did you have to install the patch on the machine to which you were connecting, or the client machine?
0
 

Author Comment

by:randydoddaccounts
ID: 16779441
i had firewall off. QuickVPN worked fine. i wanted to turn on firewall. needed a solution. felt unsecure with firewall off.
found the patch. did as stated above. quickvpn continued to work. (whereas, before, without the patch, it did not work.)

client machine.

If you are loading Linksys QuickVPN Client onto a Windows XP Pro SP2 PC, and use the default software Windows Firewall, and you want to leave it on all the time especially when running the QuickVPN client, then you need to take some steps.

1. Verify that your problem is solved by turning off the Windows firewall.
2. If you can connect with the firewall off, then turn on the firewall and Install the MS Patch.
http://support.microsoft.com/kb/889527/en-us 

3. Restart the computer.
4. Add the Linksys QuickVPN Client to the Windows Firewall Program Exceptions.
5. Add the Linksys QuickVPN Client to the startup folder for ease of use.
6. Verify that your problem is solved by connecting with the QuickVPN client.

0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16779507
>>"i wanted to turn on firewall. needed a solution. felt unsecure with firewall off."
Definitely agree. Just usually try disabling for test purpose, once working configure the firewall. You can do so manually or it should prompt you.

Good to know about the patch though. I appreciate the update. Thanks,
--Rob
0
