PPTP VPN (forwarded through a router) only connects the first time

Symptoms:  VPN apparently works fine inside of firewall/router.  When connecting from outside, you can get through and authenticate one time, but subsequent times, even days later, you nearly always cannot.  You see "Connecting to X.X.X.X" as expected, then "Verifying Username and Password" as expected, but you do not connect, and it finally asks if you want to redial in 60 seconds.   Error is 721 "The remote computer did not respond."

I see no entries in the logfile (C:\Winnt\system32\logfiles\iaslog.log) after a connection attempt unless the person successfully authenticates, even with logging set to maximum.

Configuration:
      Router:  DLink DI-524 with TCP1723 and GRE47 forwarded to private address.  This is replacing a Netgear router which also only connected part of the time, but Netgear 2nd Level support said PPTP pass-through may work but is not supported!  (D-Link swears this model supports PPTP pass-through, and their 2nd level person kept saying "it should work"...  Is there a 3rd level support tier??)
      Server:  Win2K Server.
            Static IP of 192.168.1.4
            There was an "Internal" IP of 192.168.1.210 per RRAS IP Routing General Properties in addition to loopback - it was operational, but had these symptoms - I've since removed it, have the same symptoms, and it won't let me add it back.
            DHCP Relay Agent enabled (at this moment:  8 requests received, 0 requests discarded, 0 replies received or discarded)
      RRAS Properties:  Enable computer as a Router, LAN routing only, Remote Access Server enabled
            Windows Authentication, IP Routing Enabled, and Allow IP-based remote access and demand-dial connections enabled
            IP Address assignment from static address pool (same private LAN, with a range not issued by LAN DHCP server, specifically 192.168.1.210-229.  On the IP assignment block of RRAS Property's IP tab, it put in 192.168.1.192 next to that range automatically?)
            No difference when I changed it to assign addresses using DHCP.

 
Rob Williams Commented:
No need to forward port 47; GRE is protocol 47, not port 47. However, a 721 error is usually caused by GRE being blocked. On the DI-524, this is configured by enabling PPTP pass-through, on the tools/misc web page of the router configuration console.

Another cause of blocked GRE can be the router being behind another NAT (Network Address Translation) device, such as a modem that is a combined modem and router. Might this be the case? You can verify by checking the router's status page, and looking at the WAN/Internet interface to see if it has a private IP such as 192.168.x.x, 10.x.x.x or 172.16-31.x.x. If it does, then the modem will need to be put in bridged mode and the D-Link configured with the ISP configuration so that it receives a true public IP.

You may also want to review your configuration with the following links:
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm
0
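The two checks in the answer above (GRE is an IP protocol number with no ports, so a "port 47" rule matches nothing; and a private address on the router's WAN side means there is a second NAT upstream) can be made concrete with a small parser. The following is an added example, not code from this thread or from any vendor: it builds a few constructed IPv4 packets, classifies each as PPTP control traffic (TCP/1723), PPTP's enhanced GRE tunnel (protocol 47, protocol type 0x880B per RFC 2637), or something else, and applies the RFC 1918 test to a WAN address. The addresses 203.0.113.10 (documentation range) and 192.168.1.4 (the server from the question) are sample values.

```python
import ipaddress
import struct

# RFC 1918 ranges named in the answer: a router WAN address inside one of
# these means the router sits behind another NAT device (double NAT).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPPROTO_TCP = 6
IPPROTO_GRE = 47          # GRE is IP protocol 47; it carries no port numbers
PPTP_CONTROL_PORT = 1723  # PPTP control channel runs over TCP
GRE_PROTO_PPP = 0x880B    # protocol type in PPTP's enhanced GRE header (RFC 2637)


def is_rfc1918(addr):
    """True if addr is in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


def double_nat_verdict(wan_addr):
    """The status-page check from the answer: a private WAN address means double NAT."""
    if is_rfc1918(wan_addr):
        return "double NAT: put the upstream device in bridge mode, GRE is likely being dropped"
    return "public WAN address: no upstream NAT in the path"


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 packet for parsing only (checksum left 0; never sent)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 (20-byte header)
        0,                  # DSCP/ECN
        20 + len(payload),  # total length
        0, 0,               # identification, flags/fragment offset
        64,                 # TTL
        proto,
        0,                  # header checksum (not computed in this demo)
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return header + payload


def classify_packet(pkt):
    """Classify a raw IPv4 packet from a PPTP-forwarding point of view.

    'kind' is one of: pptp-control, gre-pptp, gre-other, tcp, other.
    sport/dport stay None for GRE, which is exactly why a port-47 rule is meaningless.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {
        "proto": proto,
        "src": str(ipaddress.ip_address(pkt[12:16])),
        "dst": str(ipaddress.ip_address(pkt[16:20])),
        "sport": None,
        "dport": None,
    }
    if proto == IPPROTO_GRE:
        gre = pkt[ihl:ihl + 4]
        if len(gre) < 4:
            raise ValueError("truncated GRE header")
        version = gre[1] & 0x07                    # low 3 bits of the second byte
        ptype = struct.unpack("!H", gre[2:4])[0]   # protocol type field
        info["kind"] = "gre-pptp" if (version == 1 and ptype == GRE_PROTO_PPP) else "gre-other"
    elif proto == IPPROTO_TCP:
        if len(pkt) < ihl + 4:
            raise ValueError("truncated TCP header")
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["sport"], info["dport"] = sport, dport
        info["kind"] = "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "tcp"
    else:
        info["kind"] = "other"
    return info


def sample_packets():
    """Constructed packets as they would arrive at the router's WAN interface."""
    client, server = "203.0.113.10", "192.168.1.4"
    return {
        # control channel: client ephemeral port -> TCP 1723
        "control": build_ipv4(IPPROTO_TCP, client, server,
                              struct.pack("!HH", 49152, PPTP_CONTROL_PORT) + b"\x00" * 16),
        # tunnel: enhanced GRE, K=1 S=1 Ver=1, type 0x880B, payload len 0, call ID 1, seq 1
        "tunnel": build_ipv4(IPPROTO_GRE, client, server,
                             b"\x30\x01\x88\x0b" + struct.pack("!HHI", 0, 1, 1)),
        # unrelated UDP datagram (protocol 17)
        "udp": build_ipv4(17, client, server, b"\x00" * 8),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify_packet(pkt))
    print(double_nat_verdict("192.168.0.5"))
```

Run against a capture from the WAN side, the useful question is whether a `gre-pptp` packet ever reaches the server after the `pptp-control` exchange; Error 721 with a clean control handshake is the signature of the control channel getting through while the GRE packets do not.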
 
orhiker Author Commented:
Good suggestions, but this doesn't seem to cover it.  The DSL modem is already doing transparent bridging so the D-Link router has the public address.  Port 1723 is forwarded, and PPTP_GRE is being allowed to forward to the same host.  Deleting the RRAS server and re-creating did not fix it.

I did find that RRAS ports were set to the default 128 for PPTP and 128 for L2TP, while I had only allowed 30 IPs for VPN hosts - the one link recommended setting the ports to the same number as allowed IPs (why?).  Making them match didn't help.

I again verified immediate, multiple simultaneous VPN sessions initiated inside the LAN again.  The symptom of "Remote computer did not respond" and no log activity from outside really seems to indicate lack of forwarding through the D-Link.  I just changed to it from a Netgear firewall for giving similar intermittent connections, yet here we are - what could I be missing here?
0
 
Rob Williams Commented:
Number of available ports can be whatever you like; however, a best practice option is to open no more than you need. You are likely not using L2TP, so a lot of folks set this to 1, and then the most PPTP ports you would ever need is the number of IPs you have allocated; that is why they say set it to the same number. Windows often defaults to 128 if you do not specify. This shouldn't have anything to do with your problem.

You could confirm port 1723 is being forwarded properly, though it sounds like it is configured correctly. To do so, from the RRAS server connect to:
http://www.canyouseeme.com
and test for port 1723.

However, that doesn't verify GRE. There is a pair of GRE test tools available as part of the Windows Resource Kit: Pptpsrv.exe and Pptpclnt.exe. You run these from the command line on the server and client. I usually use remote desktop to one of the connections and run the other locally. The client sends a set of packets to the server. You will see it show up on the server as received. It is also supposed to respond to the sender, but I have never had that work correctly. If the first part works, you should be OK. The following article has sections that briefly explain the process:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx

As you suggested, it is also possible the D-Link doesn't work properly with GRE, however it is advertised as doing so. Also some ISP's and some modems do not support PPTP tunnels. If you were able to connect once then it is not likely GRE causing the problem.

Erratic connections can often be due to too large an MTU (Maximum Transfer Unit) packet size. You can reduce this on the client PC using the DrTCP tool from:
http://www.dslreports.com/drtcp
You should also lower it on the router at that end as well. Start at 1300 and if successful gradually increase to the default of 1500.
0
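Why the MTU advice above matters for PPTP in particular: every packet the client sends through the tunnel is wrapped in a PPP header, an enhanced GRE header and a second IPv4 header before it leaves on the public link, so an inner packet sized for a 1500-byte interface no longer fits a 1500-byte link. The following is an added example, not from this thread or from Microsoft: it computes that overhead from the RFC 2637 header layout, reports the largest inner packet and TCP MSS that still fit, gives the ICMP payload size for a do-not-fragment ping probe at a candidate MTU, and produces the 1300-to-1500 step schedule suggested in the answer. The 2-byte PPP header assumes address/control field compression, and the probe step of 50 bytes is an arbitrary choice.

```python
# Header sizes on the tunnelled path (bytes).
IPV4_HEADER = 20   # outer IPv4 header on the public link
GRE_BASE = 8       # enhanced GRE (RFC 2637): flags/ver, protocol type, payload length, call ID
GRE_SEQ = 4        # sequence number, present on every data packet
GRE_ACK = 4        # acknowledgement number, only when piggybacked
PPP_HEADER = 2     # PPP protocol field (assumption: address/control field compression on)
INNER_IP_TCP = 40  # inner IPv4 + TCP headers without options, used for MSS
ICMP_PROBE = 28    # IPv4 (20) + ICMP echo (8): the part of a ping that is not payload


def pptp_overhead(ack=False):
    """Bytes added to each inner packet by PPP + GRE + outer IPv4."""
    return IPV4_HEADER + GRE_BASE + GRE_SEQ + (GRE_ACK if ack else 0) + PPP_HEADER


def tunneled_size(inner_len, ack=False):
    """Size of the packet actually placed on the public link."""
    return inner_len + pptp_overhead(ack)


def fits_link(inner_len, link_mtu, ack=False):
    """True if the encapsulated packet needs no fragmentation on the link."""
    return tunneled_size(inner_len, ack) <= link_mtu


def max_inner_mtu(link_mtu, ack=False):
    """Largest inner packet that fits; this is the value to set on the client side."""
    return link_mtu - pptp_overhead(ack)


def tcp_mss_for(inner_mtu):
    """TCP segment payload that fits the inner MTU without IP/TCP options."""
    return inner_mtu - INNER_IP_TCP


def ping_payload_for(mtu):
    """ICMP payload size that makes a ping exactly `mtu` bytes (for DF-bit probing)."""
    return mtu - ICMP_PROBE


def probe_schedule(start=1300, end=1500, step=50):
    """MTU values to try in order, small to large, as the answer suggests."""
    return list(range(start, end + 1, step))


def mtu_report(link_mtu, ack=False):
    """One-line summary for a given public-link MTU."""
    inner = max_inner_mtu(link_mtu, ack)
    return {
        "link_mtu": link_mtu,
        "overhead": pptp_overhead(ack),
        "max_inner_mtu": inner,
        "tcp_mss": tcp_mss_for(inner),
        "full_size_inner_fits": fits_link(1500, link_mtu, ack),
    }


if __name__ == "__main__":
    for mtu in probe_schedule():
        print(mtu_report(mtu))
    print("ping payload for a 1500-byte probe:", ping_payload_for(1500))
```

The last field of the report is the practical point: with a 1500-byte public link, a client whose tunnel interface still believes in 1500 produces packets that cannot fit, and whether the path fragments them, drops them silently, or returns an ICMP "fragmentation needed" that a filter eats decides between a working tunnel, an erratic one, and a dead one.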
 
orhiker Author Commented:
You're a smart fella, RobWill - thanks.   I'll try all this & report back.
0
 
Rob Williams Commented:
>>"You're a smart fella,"
Hardly, just dealt with a lot of problems over the years.
To be honest, I'd be tempted to try another router first if you have one available. Your configuration sounds good. Have you tried updating the firmware on the D-Link? That is always a worthwhile step.
Let us know how it goes, good luck with it.
0
 
orhiker Author Commented:
FASCINATING results.  When I cut out the Internet and DSL Modem by making my laptop the router's gateway, PPTP connects properly time after time, both using the D-Link and Netgear routers.  I called the ISP and they swear the only thing they block is NetBIOS over TCPIP, no other ports.  (DSL circuit is provided by someone else, but that is irrelevant, correct?  I didn't call them.)  The DSL Modem is an Actiontec GT-704 with firmware 3.0.1.0.6.0 in transparent bridging mode.  This points me to the DSL Modem, but it's doing transparent bridging, so (!?!)

Then I assigned the public IP to the Actiontec, forwarded ports to the firewall over private IP range#1.  The firewall IP was in range#1, then it forwarded to the PPTP server inside private IP range#2.  I didn't expect this to work, but both Actiontec & DLink support PPTP forwarding (1723 & GRE), and RDP and SMTP did work properly in this config.  Very similar symptoms - connected via PPTP twice rather than once, but then no more connections, and no log activity w/o a successful connection.

The ISP rep checked w/a higher-up on port blocking, so I believe him.  The only unusual setting in the Actiontec is a VPI/VCI of 0/32 rather than most other folks requiring 0/35.  (This should be extraneous data, but it's the only thing I see different from other clients.)  Yikes - any further ideas?
0
 
Rob Williams Commented:
>>"When I cut out the Internet and DSL Modem by making my laptop the router's gateway, PPTP connects properly time after time, both using the D-Link and Netgear routers."
Sorry I don't follow the configuration here.

>>"then it forwarded to the PPTP server inside private IP  range#2."
How did you forward GRE?

0
 
orhiker Author Commented:
Here's the new test config (the ----- symbol means a patch cable):

      Laptop w/ISP Gateway IP -------- Actiontec DSL Modem ------------ ROUTER ---------------- Switch on LAN
                                       (WAN: Public IP,                 (WAN: 192.168.0.5,
                                        LAN: 192.168.0.1)                LAN: 192.168.1.1)

As to forwarding GRE, neither the Actiontec nor the router allows you to specify the destination; they forward it to the same address you put in for 1723 traffic.  You can see that it automatically made that firewall rule.  I have the Actiontec forward 1723 to 192.168.0.5, and I have the router forward it to 192.168.1.6, my Win2K VPN server.

I've just purchased a combo DSL Modem/Router (in this case Diamond, since it was the only thing available locally).  The package says it "supports VPNs".  :^)     Hopefully I can install & test it tomorrow.
0
 
Rob Williams Commented:
Ok, the laptop is connecting to the ISP/Gateway. I am surprised it works with the Actiontec performing NAT. Usually if you have a NAT modem (one that is a combined router and modem) it needs to be put in bridge mode and the router assigned the public IP.

As for the GRE forwarding, that makes sense. I was just wondering, as usually you cannot manually create a rule to forward it.
0
 
Rob Williams Commented:
orhiker, how did it go with the new modem? Any luck?
--Rob
0
 
orhiker Author Commented:
I purchased a combo router/DSL modem, hoping the combination would allow PPTP traffic.  It was the Diamond brand unit, the only model of which they made (for whatever reason), selected as it was the only one available locally.  Nonetheless, the problem remained.  My solution was to change the setup to eliminate the VPN and have everyone use RDP through the firewall until we do a technology/server refresh.   Let's mark this topic as closed.
0
 
Rob Williams Commented:
Ok, sorry to hear we couldn't resolve.
Thanks orhiker,
--Rob
0