Solved

PPTP VPN (forwarded through a router) only connects the first time

Posted on 2006-10-19
12
779 Views
Last Modified: 2008-01-09
Symptoms:  VPN apparently works fine inside of firewall/router.  When connecting from outside, you can get through and authenticate one time, but subsequent times, even days later, you nearly always cannot.  You see "Connecting to X.X.X.X" as expected, then "Verifying Username and Password" as expected, but you do not connect, and it finally asks if you want to redial in 60 seconds.  Error is 721 "The remote computer did not respond."

I see no entries in the logfile (C:\Winnt\system32\logfiles\iaslog.log) after a connection attempt unless the person successfully authenticates, even with logging set to maximum.

Configuration:
      Router:  D-Link DI-524 with TCP1723 and GRE47 forwarded to private address.  This is replacing a Netgear router which also only connected part of the time, but Netgear 2nd Level support said PPTP pass-through may work but is not supported!  (D-Link swears this model supports PPTP pass-through, and their 2nd level person kept saying "it should work"...  Is there a 3rd level support tier??)
      Server:  Win2K Server.
            Static IP of 192.168.1.4
            There was an "Internal" IP of 192.168.1.210 per RRAS IP Routing General Properties in addition to loopback - it was operational, but had these symptoms - I've since removed it, have the same symptoms, and it won't let me add it back.
            DHCP Relay Agent enabled (at this moment:  8 requests received, 0 requests discarded, 0 replies received or discarded)
      RRAS Properties:  Enable computer as a Router, LAN routing only, Remote Access Server enabled
            Windows Authentication, IP Routing Enabled, and Allow IP-based remote access and demand-dial connections enabled
            IP Address assignment from static address pool (same private LAN, with a range not issued by LAN DHCP server, specifically 192.168.1.210-229.  On the IP assignment block of RRAS Property's IP tab, it put in 192.168.1.192 next to that range automatically?)
            No difference when I changed it to assign addresses using DHCP.

Question by:orhiker
12 Comments
 
LVL 77

Expert Comment

by:Rob Williams
No need to forward port 47, GRE is protocol 47, not port 47, however a 721 error is usually caused by GRE being blocked. On the DI-524, this is configured by enabling PPTP pass-through, on the tools/misc web page of the router configuration console.

Another cause of blocked GRE can be the router being behind another NAT (Network Address Translation) device, such as a modem that is a combined modem and router. Might this be the case? You can verify by checking the router's status page, and looking at the WAN/Internet interface to see if it has a private IP such as 192.168.x.x, 10.x.x.x or 172.16-31.x.x. If it does, then the modem will need to be put in bridged mode and the D-Link configured with the ISP configuration so that it receives a true public IP.

You may also want to review your configuration with the following links:
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm
 

Author Comment

by:orhiker
Good suggestions, but this doesn't seem to cover it.  The DSL modem is already doing transparent bridging, so the D-Link router has the public address.  Port 1723 is forwarded, and PPTP_GRE is being allowed to forward to the same host.  Deleting the RRAS server and re-creating it did not fix it.

I did find that RRAS ports were set to the default 128 for PPTP and 128 for L2TP, while I had only allowed 30 IPs for VPN hosts - the one link recommended setting the ports to the same number as allowed IPs (why?).  Making them match didn't help.

I again verified immediate, multiple simultaneous VPN sessions initiated inside the LAN again.  The symptom of "Remote computer did not respond" and no log activity from outside really seems to indicate lack of forwarding through the D-Link.  I just changed to it from a Netgear firewall for giving similar intermittent connections, yet here we are - what could I be missing here?
 
LVL 77

Accepted Solution

by:Rob Williams (earned 500 total points)
Number of available ports can be whatever you like, however a best practice option is to open no more than you need. You are likely not using L2TP, a lot of folks set this to 1, and then the most PPTP ports you would ever need is the number of IPs you have allocated, that is why they say set to the same number. Windows often defaults to 128 if you do not specify. This shouldn't have anything to do with your problem.

You could confirm port 1723 is being forwarded properly, though it sounds like it is configured correctly. To do so, from the RRAS server connect to:
http://www.canyouseeme.com
and test for port 1723.

However, that doesn't verify GRE. There is a pair of GRE test tools available as part of the Windows Resource Kit: Pptpsrv.exe and Pptpclnt.exe.  You run these from the command line on the server and client. I usually use remote desktop to one of the connections and run the other locally. The client sends a set of packets to the server. You will see it show up on the server as received. It is also supposed to respond to the sender, but I have never had that work correctly. If the first part works, you should be OK. The following article has sections that briefly explain the process:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx

As you suggested, it is also possible the D-Link doesn't work properly with GRE, however it is advertised as doing so. Also some ISPs and some modems do not support PPTP tunnels. If you were able to connect once, then it is not likely GRE causing the problem.

Erratic connections can often be due to too large an MTU (Maximum Transfer Unit) packet size. You can reduce this on the client PC using the DrTCP tool from:
http://www.dslreports.com/drtcp
You should also lower it on the router at that end as well. Start at 1300 and if successful gradually increase to the default of 1500.
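The answer above separates two questions: is TCP 1723 forwarded, and is GRE (protocol 47) getting through. The script below is an added example, not code from the thread or from any of the tools Rob mentions: it goes one step past a plain port check by performing the PPTP Start-Control-Connection exchange from RFC 2637 on TCP 1723 and decoding the server's reply, so a positive result means the control channel is reachable and the remaining suspect is GRE. The host/vendor strings and the `sample_sccrp` reply are constructed for offline checking.

```python
import socket
import struct

# PPTP control-connection constants (RFC 2637); the port is the one the thread forwards.
PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1          # PPTP message type: control message
SCCRQ, SCCRP = 1, 2       # Start-Control-Connection-Request / -Reply
CTRL_LEN = 156            # both messages are fixed at 156 bytes
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"   # reserved1 is a 16-bit field in the request
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"  # the reply carries result and error codes instead

def build_sccrq(hostname=b"pptp-probe", vendor=b"diagnostic"):
    """Encode an SCCRQ: protocol 1.0, async framing, analog bearer."""
    return struct.pack(SCCRQ_FMT, CTRL_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
                       0x0100, 0, 1, 1, 0, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))

def parse_sccrp(data):
    """Decode an SCCRP; result code 1 means the control channel is up."""
    if len(data) < CTRL_LEN:
        raise ValueError("short PPTP control message")
    (_len, msg_type, cookie, ctrl_type, _res, version, result, error,
     _framing, _bearer, _chan, _fw, host, vendor) = struct.unpack(SCCRP_FMT, data[:CTRL_LEN])
    if msg_type != CTRL_MESSAGE or cookie != MAGIC_COOKIE or ctrl_type != SCCRP:
        raise ValueError("not a PPTP SCCRP")
    return {"ok": result == 1, "result": result, "error": error, "version": version,
            "host": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}

def sample_sccrp(result=1, error=0):
    """Constructed reply (not captured from a real server) for offline checks."""
    return struct.pack(SCCRP_FMT, CTRL_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
                       0x0100, result, error, 1, 1, 0, 0,
                       b"rras".ljust(64, b"\0"), b"Microsoft".ljust(64, b"\0"))

def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Open TCP 1723 and exchange SCCRQ/SCCRP. Success proves the control
    channel is forwarded; GRE (protocol 47) is NOT exercised, so a 721 after
    'Verifying Username and Password' still points at GRE being dropped."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < CTRL_LEN:
            chunk = s.recv(CTRL_LEN - len(buf))
            if not chunk:
                raise ValueError("server closed the control connection early")
            buf += chunk
    return parse_sccrp(buf)
```

Run `probe_pptp("your.public.ip")` from outside the LAN; a reply with `ok` True confirms the 1723 forward, and a timeout or early close confirms the forward itself is broken.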
 

Author Comment

by:orhiker
You're a smart fella, RobWill - thanks.   I'll try all this & report back.
 
LVL 77

Expert Comment

by:Rob Williams
>>"You're a smart fella,"
Hardly, just dealt with a lot of problems over the years.
To be honest, I'd be tempted to try another router first if you have one available. Your configuration sounds good. Have you tried updating the firmware on the D-Link? That is always a worthwhile step.
Let us know how it goes, good luck with it.
 

Author Comment

by:orhiker
FASCINATING results.  When I cut out the Internet and DSL Modem by making my laptop the router's gateway, PPTP connects properly time after time, both using the D-Link and Netgear routers.  I called the ISP and they swear the only thing they block is NetBIOS over TCPIP, no other ports.  (DSL circuit is provided by someone else, but that is irrelevant, correct?  I didn't call them.)  The DSL Modem is an Actiontec GT-704 with firmware 3.0.1.0.6.0 in transparent bridging mode.  This points me to the DSL Modem, but it's doing transparent bridging, so (!?!)

Then I assigned the public IP to the Actiontec, forwarded ports to the firewall over private IP range#1.  The firewall OIP was in range#1, then it forwarded to the PPTP server inside private IP range#2.  I didn't expect this to work, but both Actiontec & DLink support PPTP forwarding (1723 & GRE), and RDP and SMTP did work properly in this config.  Very similar symptoms - connected via PPTP twice rather than once, but then no more connections, and no log activity w/o a successful connection.

The ISP rep checked w/a higher-up on port blocking, so I believe him.  The only unusual setting in the Actiontec is a VPI/VCI of 0/32 rather than most other folks requiring 0/35.  (This should be extraneous data, but it's the only thing I see different from other clients.)  Yikes - any further ideas?
 
LVL 77

Expert Comment

by:Rob Williams
>>"When I cut out the Internet and DSL Modem by making my laptop the router's gateway, PPTP connects properly time after time, both using the D-Link and Netgear routers."
Sorry I don't follow the configuration here.

>>"then it forwarded to the PPTP server inside private IP  range#2."
How did you forward GRE?

 

Author Comment

by:orhiker
Here's the new test config (  ----- symbol means a patch cable):

Laptop w/ISP Gateway IP -------- [Actiontec DSL Modem: Public IP | 192.168.0.1] ------------ [ROUTER: 192.168.0.5 | 192.168.1.1] ---------------- Switch on LAN

As to forwarding GRE, both the Actiontec and the Router don't allow you to specify the destination; they forward it to the same address you put in for 1723 traffic.  You can see that it automatically made that firewall rule.  I have the Actiontec forward 1723 to 192.168.0.5, and I have the router forward it to 192.168.1.6, my Win2K VPN server.

I've just purchased a combo DSL Modem/Router (in this case Diamond, since it was the only thing available locally).  The package says it "supports VPNs".  :^)     Hopefully I can install & test it tomorrow.
 
LVL 77

Expert Comment

by:Rob Williams
Ok, the laptop is connecting to the ISP/Gateway. I am surprised it works with the Actiontec performing NAT. Usually if you have a NAT modem (one that is a combined router and modem) it needs to be put in bridge mode and the router assigned the public IP.

As for the GRE forwarding, that makes sense. I was just wondering, as usually you cannot manually create a rule to forward it.
 
LVL 77

Expert Comment

by:Rob Williams
orhiker, how did it go with the new modem? Any luck?
--Rob
 

Author Comment

by:orhiker
I purchased a combo router/DSL modem, hoping the combination would allow PPTP traffic.  It was the Diamond brand unit, the only model of which they made (for whatever reason), selected as it was the only one available locally.  Nonetheless, the problem remained.  My solution was to change the setup to eliminate the VPN and have everyone use RDP through the firewall until we do a technology/server refresh.  Let's mark this topic as closed.
 
LVL 77

Expert Comment

by:Rob Williams
Ok, sorry to hear we couldn't resolve it.
Thanks orhiker,
--Rob