
PPTP VPN (forwarded through a router) only connects the first time

orhiker asked:
Symptoms:  VPN apparently works fine inside of the firewall/router.  When connecting from outside, you can get through and authenticate one time, but subsequent times, even days later, you nearly always cannot.  You see "Connecting to X.X.X.X" as expected, then "Verifying Username and Password" as expected, but you do not connect, and it finally asks if you want to redial in 60 seconds.  Error is 721 "The remote computer did not respond."

I see no entries in the logfile (C:\Winnt\system32\logfiles\iaslog.log) after a connection attempt unless the person successfully authenticates, even with logging set to maximum.

      Router:  DLink DI-524 with TCP1723 and GRE47 forwarded to private address.  This is replacing a Netgear router which also only connected part of the time, but Netgear 2nd Level support said PPTP pass-through may work but is not supported!  (D-Link swears this model supports PPTP pass-through, and their 2nd level person kept saying "it should work"...  Is there a 3rd level support tier??)
      Server:  Win2K Server.  
Static IP of
There was an "Internal" IP of per RRAS IP Routing General Properties in addition to loopback - it was operational, but had these symptoms - I've since removed it, have the same symptoms, and it won't let me add it back.
DHCP Relay Agent enabled (at this moment:  8 requests received, 0 requests discarded, 0 replies received or discarded)
      RRAS Properties:  Enable computer as a Router, LAN routing only, Remote Access Server enabled
Windows Authentication,  IP Routing Enabled, and Allow IP-based remote access and demand-dial connections enabled
IP address assignment from a static address pool (same private LAN, with a range specifically not issued by the LAN DHCP server.  On the IP assignment block of the RRAS Properties IP tab, it put in next to that range automatically?)
No difference when I changed it to assign addresses using DHCP.


EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013

No need to forward port 47; GRE is IP protocol 47, not port 47. However, a 721 error is usually caused by GRE being blocked. On the DI-524, this is configured by enabling PPTP pass-through, on the Tools/Misc web page of the router configuration console.

Another cause of blocked GRE can be the router being behind another NAT (Network Address Translation) device, such as a modem that is a combined modem and router. Might this be the case? You can verify by checking the router's status page and looking at the WAN/Internet interface to see if it has a private IP such as 192.168.x.x, 10.x.x.x or 172.16-31.x.x. If it does, then the modem will need to be put in bridged mode and the D-Link configured with the ISP configuration so that it receives a true public IP.

You may also want to review your configuration with the following links:
Server 2003 configuration:
Windows XP client configuration:


Good suggestions, but this doesn't seem to cover it.  The DSL modem is already doing transparent bridging, so the D-Link router has the public address.  Port 1723 is forwarded, and PPTP_GRE is being allowed to forward to the same host.  Deleting the RRAS server and re-creating it did not fix it.

I did find that RRAS ports were set to the default 128 for PPTP and 128 for L2TP, while I had only allowed 30 IPs for VPN hosts - the one link recommended setting the ports to the same number as allowed IPs (why?).  Making them match didn't help.

I again verified immediate, multiple simultaneous VPN sessions initiated inside the LAN.  The symptom of "Remote computer did not respond" and no log activity from outside really seems to indicate lack of forwarding through the D-Link.  I just changed to it from a Netgear firewall, which gave similar intermittent connections, yet here we are - what could I be missing here?
Top Expert 2013
The number of available ports can be whatever you like; however, a best-practice option is to open no more than you need. You are likely not using L2TP, so a lot of folks set this to 1, and then the most PPTP ports you would ever need is the number of IPs you have allocated; that is why they say set it to the same number. Windows often defaults to 128 if you do not specify. This shouldn't have anything to do with your problem.

You could confirm port 1723 is being forwarded properly, though it sounds like it is configured correctly. To do so, from the RRAS server connect to:
and test for port 1723.

However, that doesn't verify GRE. There is a pair of GRE test tools available as part of the Windows Resource Kit: Pptpsrv.exe and Pptpclnt.exe. You run these from the command line on the server and client. I usually use Remote Desktop to one of the connections and run the other locally. The client sends a set of packets to the server. You will see it show up on the server as received. It is also supposed to respond to the sender, but I have never had that work correctly. If the first part works, you should be OK. The following article has sections that briefly explain the process:

As you suggested, it is also possible the D-Link doesn't work properly with GRE; however, it is advertised as doing so. Also, some ISPs and some modems do not support PPTP tunnels. If you were able to connect once, then it is not likely GRE causing the problem.

Erratic connections can often be caused by too large an MTU (Maximum Transmission Unit) packet size. You can reduce this on the client PC using the DrTCP tool from:
You should also lower it on the router at that end as well. Start at 1300 and, if successful, gradually increase toward the default of 1500.

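The two replies above make three checks that are easy to confuse: whether the router's WAN side is itself behind another NAT (private address, so GRE dies at the outer box), whether TCP/1723 actually reaches the RRAS listener, and the fact that a TCP test says nothing about GRE (IP protocol 47). The script below is an added example, not code from the thread or from Microsoft's Pptpsrv/Pptpclnt tools. It builds a real PPTP Start-Control-Connection-Request (RFC 2637 layout), sends it over TCP/1723 and parses the server's Start-Control-Connection-Reply, which is exactly what the "Verifying Username and Password" stage depends on before any GRE data flows. The hostnames, vendor strings and the in-process "fake-rras" listener are constructed for the example so it runs offline; point `probe_pptp()` at the public IP from a client outside the LAN to test the real forward.

```python
"""PPTP control-channel probe (added example, not from the original thread)."""
import ipaddress
import socket
import struct
import threading

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D          # RFC 2637 magic cookie
MSG_CONTROL = 1                  # PPTP message type: control message
CTRL_SCCRQ = 1                   # Start-Control-Connection-Request
CTRL_SCCRP = 2                   # Start-Control-Connection-Reply
PROTO_VERSION = 0x0100
FRAME_ASYNC_SYNC = 0x3
BEARER_ANALOG_DIGITAL = 0x3
SCC_LEN = 156                    # both SCCRQ and SCCRP are 156 bytes


def is_behind_another_nat(wan_ip: str) -> bool:
    """Double-NAT check from the first reply: a router whose WAN address is
    RFC 1918 (or CGNAT 100.64/10) sits behind another NAT, and the outer box,
    not this router, decides whether GRE gets through."""
    ip = ipaddress.ip_address(wan_ip)
    return ip.is_private or ip in ipaddress.ip_network("100.64.0.0/10")


def _fixed64(s: str) -> bytes:
    """RFC 2637 hostname/vendor fields are 64 octets, NUL padded."""
    return s.encode()[:63].ljust(64, b"\0")


def build_sccrq(hostname: str = "probe", vendor: str = "example") -> bytes:
    return struct.pack("!HHIHHHHIIHH64s64s",
                       SCC_LEN, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRQ, 0,
                       PROTO_VERSION, 0, FRAME_ASYNC_SYNC, BEARER_ANALOG_DIGITAL,
                       1, 0, _fixed64(hostname), _fixed64(vendor))


def build_sccrp(result: int = 1, error: int = 0,
                hostname: str = "rras", vendor: str = "example") -> bytes:
    """SCCRP differs from SCCRQ only in that Reserved1 becomes Result/Error codes."""
    return struct.pack("!HHIHHHBBIIHH64s64s",
                       SCC_LEN, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRP, 0,
                       PROTO_VERSION, result, error, FRAME_ASYNC_SYNC,
                       BEARER_ANALOG_DIGITAL, 1, 0, _fixed64(hostname), _fixed64(vendor))


def parse_sccrp(data: bytes) -> dict:
    if len(data) < SCC_LEN:
        raise ValueError("short PPTP control message (%d bytes)" % len(data))
    (_len, msg_type, magic, ctrl, _r0, version, result, error, _frm, _brr,
     max_ch, _fw, host, vendor) = struct.unpack("!HHIHHHBBIIHH64s64s", data[:SCC_LEN])
    if magic != PPTP_MAGIC or msg_type != MSG_CONTROL:
        raise ValueError("not a PPTP control message")
    if ctrl != CTRL_SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl)
    return {"ok": result == 1, "result_code": result, "error_code": error,
            "version": version, "max_channels": max_ch,
            "hostname": host.rstrip(b"\0").decode(errors="replace"),
            "vendor": vendor.rstrip(b"\0").decode(errors="replace")}


def probe_pptp(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Proves the TCP/1723 forward and that RRAS answers the control channel.
    It proves nothing about GRE; a 721 after this succeeds means GRE is the problem."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            buf = b""
            while len(buf) < SCC_LEN:
                chunk = s.recv(SCC_LEN - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError as e:
        return {"stage": "tcp", "ok": False, "detail": str(e)}
    try:
        reply = parse_sccrp(buf)
    except ValueError as e:
        return {"stage": "pptp", "ok": False, "detail": str(e)}
    reply["stage"] = "pptp"
    return reply


def start_fake_server(result_code: int = 1):
    """Constructed stand-in for the RRAS listener so the probe runs offline.
    Returns (host, port) of a loopback socket that answers one SCCRQ."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(SCC_LEN)
            ctrl = struct.unpack("!H", req[8:10])[0] if len(req) >= 10 else 0
            if ctrl == CTRL_SCCRQ:
                conn.sendall(build_sccrp(result_code, hostname="fake-rras"))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    print("router WAN 192.168.1.2 behind another NAT:", is_behind_another_nat("192.168.1.2"))
    host, port = start_fake_server()
    print("control channel:", probe_pptp(host, port))
```

If `probe_pptp()` returns `stage: tcp` from outside, the 1723 forward (or the listener) is the problem; if it returns an SCCRP with `ok: True` and the client still gets 721, the TCP path is fine and GRE is being dropped somewhere, which is the case the Resource Kit Pptpsrv/Pptpclnt pair is for.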

You're a smart fella, RobWill - thanks.   I'll try all this & report back.
Top Expert 2013

>>"You're a smart fella,"
Hardly, just dealt with a lot of problems over the years.
To be honest, I'd be tempted to try another router first if you have one available. Your configuration sounds good. Have you tried updating the firmware on the D-Link? That is always a worthwhile step.
Let us know how it goes, good luck with it.


FASCINATING results.  When I cut-out the Internet and DSL Modem by making my laptop the router's gateway, PPTP connects properly time after time, both using the D-Link and Netgear routers.  I called the ISP and they swear the only thing they block is NetBIOS over TCPIP, no other ports.  (DSL circuit is provided by someone else, but that is irrelevant, correct?  I didn't call them.)  The DSL Modem is an Actiontec GT-704 with firmware in transparent bridging mode.  This points me to the DSL Modem, but it's doing transparent bridging, so (!?!)

Then I assigned the public IP to the Actiontec and forwarded ports to the firewall over private IP range#1.  The firewall OIP was in range#1, then it forwarded to the PPTP server inside private IP range#2.  I didn't expect this to work, but both Actiontec & D-Link support PPTP forwarding (1723 & GRE), and RDP and SMTP did work properly in this config.  Very similar symptoms - connected via PPTP twice rather than once, but then no more connections, and no log activity w/o a successful connection.

The ISP rep checked w/a higher-up on port blocking, so I believe him.  The only unusual setting in the Actiontec is a VPI/VCI of 0/32 rather than most other folks requiring 0/35.  (This should be extraneous data, but it's the only thing I see different from other clients.)  Yikes - any further ideas?
Top Expert 2013

>>"When I cut-out the Internet and DSL Modem by making my laptop the router's gateway, PPTP connects properly time after time, both using the D-Link and Netgear routers."
Sorry I don't follow the configuration here.

>>"then it forwarded to the PPTP server inside private IP  range#2."
How did you forward GRE?


Here's the new test config (the ----- symbol means a patch cable):

Laptop w/ISP Gateway IP -------- Actiontec DSL Modem (Public IP) ------------ ROUTER ---------------- Switch on LAN

As to forwarding GRE, neither the Actiontec nor the router allows you to specify the destination; it forwards them to the same address you put in for 1723 traffic.  You can see that it automatically made that firewall rule.  I have the Actiontec forward 1723 to, and I have the router forward it to, my Win2K VPN server.

I've just purchased a combo DSL Modem/Router (in this case Diamond, since it was the only thing available locally).  The package says it "supports VPNs".  :^)     Hopefully I can install & test it tomorrow.
Top Expert 2013

Ok, the laptop is connecting to the ISP/Gateway. I am surprised it works with the Actiontec performing NAT. Usually if you have a NAT modem (one that is a combined router and modem) it needs to be put in bridge mode and the router assigned the public IP.

As for the GRE forwarding, that makes sense. I was just wondering, as usually you cannot manually create a rule to forward it.
Top Expert 2013

orhiker, how did it go with the new modem ? Any luck?


I purchased a combo router/DSL modem, hoping the combination would allow PPTP traffic.  It was the Diamond brand unit, the only model they made (for whatever reason), selected as it was the only one available locally.  Nonetheless, the problem remained.  My solution was to change the setup to eliminate the VPN and have everyone use RDP through the firewall until we do a technology/server refresh.  Let's mark this topic as closed.
Top Expert 2013

Ok, sorry to hear we couldn't resolve.
Thanks orhiker,