  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 884

VPN Server - Routing and Remote Access - steps after adding this role to make connection?

I've installed Routing and Remote using the Manage Roles Console to enable VPN access to a Windows 2003 Server. Then checked Allow Access in the User's permissions and opened the firewall port.

I created a VPN connection on an XP machine and it gets all the way to "Verifying user name and password" and times out with Error 721: The remote computer did not respond.

I don't see any logs created on the Server, although I'm not sure where VPN logs would be and I'm not sure how to troubleshoot the connection.

0
Ryman1
Asked:
1 Solution
 
robjeeves Commented:
G'day mate

I had a quick search for you and found this

http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21175424.html

Is your SBS a single or dual NIC machine? Is the SBS server behind another firewall? If so, you would need to forward 1723 and allow GRE (Generic Routing Encapsulation) through as well on the firewall that is in front of the SBS (if applicable).

Rob
0
 
Rob Williams Commented:
As robjeeves suggested, a 721 error almost always indicates the GRE protocol is being blocked. On many routers this is enabled with an option on your router "enable PPTP pass-through". If this is not an option on your router please provide the make and model, and perhaps we can be more specific.

GRE can also be blocked by software firewalls such as Symantec, ZoneAlarm and such. If possible, disable them for testing.
Finally, Symantec's virus software has an option called "Internet worm protection" which can block GRE traffic. If that is present, try disabling that feature within Symantec's virus protection.
0
 
Ryman1 (Author) Commented:
When I test the VPN *inside* the network, I can authenticate and connect with no problem from my laptop. This makes me think it's either my Linksys firewall or some policy on the server that won't allow a connection from outside.

I've forwarded 1723 (both UDP and TCP) to the Windows 2003 Server, but it fails when verifying name and password from an outside connection.

Currently, there is no Antivirus or Firewall running on the Server.
0
 
Rob Williams Commented:
As mentioned above, it is likely the router is blocking GRE, that is why you can connect from inside. Is there a "PPTP pass-through" or "VPN pass-through" option on the router? The router needs both port forwarding of 1723 for PPTP and PPTP pass-through for GRE to work.

It's also possible that the modem, router, or ISP doesn't support PPTP/GRE, but that is unlikely.
0
 
Ryman1 (Author) Commented:
Yeah, I have a Linksys WRT54GR which supports it.

I have 1723 forwarding both UDP and TCP.

Any thoughts on how to troubleshoot? Could it be a server setting since it's receiving a request from outside the firewall?
0
 
Rob Williams Commented:
On the security / VPN page make sure PPTP pass-through is enabled. Wasn't sure if "Linksys WRT54GR which supports it." meant it was enabled.

The other possibility is the modem may be blocking it. Does your router provide NAT (Network Address Translation) services? Many do. If so, the router will be assigned a private IP address. Does the router's WAN page have your public IP that you are trying to connect to, or a private address such as 192.168.x.x, 10.x.x.x, or 172.16-32.x.x? If the latter, the modem will need to be put in bridge mode.

Finally at the client site it could be blocking GRE. Try connecting directly to the modem at that site. Make sure Windows firewall is enabled and Windows and virus definitions are current.
0
 
Ryman1 (Author) Commented:
Yep, the pass-through is enabled. In fact, other services pass through with no problem. SSH and Remote Desktop work offsite no problem. Would the modem block VPN traffic, but not others?

I have a Comcast Broadband Modem (dumb modem that does no routing) and a Linksys WRT54GR.

0
 
Rob Williams Commented:
Some modems do not support GRE, the encapsulation protocol. It's not common, but it is a possibility. Also a few ISPs block it intentionally as they want to use their paid VPN service. However, the ISPs most often block it by blocking port 1723 rather than the GRE protocol. You can verify port 1723 is OK by connecting to http://www.canyouseme.org from the VPN server. I am doubtful the port is blocked as you would get a different error # than 721.
0
 
Ryman1 (Author) Commented:
Are you sure that link is right? It's some ad site, but if it is, what do I do once I've browsed to it?
0
 
Rob Williams Commented:
Very sorry, typo. Try:
http://www.canyouseeme.org/
0
 
Ryman1 (Author) Commented:
Okay, I went to the site and 1723 seemed to check out just fine.

Success: I can see your service on 24.18.252.13 on port (1723)
Your ISP is not blocking port 1723

Also, when I turn off port forwarding, I get error 678: There was no answer. Further confirming your theory that it's not a port issue with 1723.

Robwill, what's my next step?
0
 
Ryman1 (Author) Commented:
0
 
Rob Williams Commented:
As suggested by that article, it is always good to update to the latest firmware. Some of the earlier Linksys definitely had problems with GRE, but yours is a relatively new unit, so it shouldn't have a problem. I have set up RRAS before with a WRT54G, without a problem. Still I would update the firmware.
I have also seen on some Linksys where you make changes and they appear to apply, but do not really until you disconnect the power for a couple of minutes and re-boot. There was one issue here a few months ago, where a fellow did a hard reset of his router and re-configured it the exact same way, and it worked. I am wondering if a few of the Linksys may have issues from time to time applying policy changes.

There is a way to test GRE pass-through if you like:
Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
 
 
0
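Added example, not part of the original thread: the answers above distinguish the PPTP control channel (TCP 1723, which port forwarding covers) from the GRE data channel (IP protocol 47, which needs pass-through). This Python sketch classifies raw IPv4 packets from a capture taken at the VPN server and reports which of the two actually arrives. The function names and the sample packets are constructed for illustration.

```python
import struct

PPTP_TCP_PORT = 1723            # PPTP control channel
IPPROTO_TCP, IPPROTO_GRE = 6, 47
GRE_PPP = 0x880B                # protocol type used by PPTP's enhanced GRE (RFC 2637)

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet as 'pptp-control', 'pptp-gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "pptp-control" if PPTP_TCP_PORT in (sport, dport) else "other"
    if proto == IPPROTO_GRE and len(payload) >= 4:
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        # Enhanced GRE: version (low 3 bits) is 1 and the payload is PPP
        if (flags_ver & 0x0007) == 1 and ptype == GRE_PPP:
            return "pptp-gre"
    return "other"

def diagnose(packets) -> str:
    """Summarise what reached the server during one connection attempt."""
    seen = {classify(p) for p in packets}
    if "pptp-control" not in seen:
        return "no TCP 1723 traffic: check port forwarding"
    if "pptp-gre" not in seen:
        return "TCP 1723 arrives but no GRE: protocol 47 is blocked upstream"
    return "control and GRE both arrive"

def _ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left at 0) for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([203, 0, 113, 5]), bytes([192, 0, 2, 10]))
    return hdr + payload

# Constructed sample packets using documentation addresses, not data from the thread.
TCP_1723 = _ipv4(IPPROTO_TCP,
                 struct.pack("!HHIIBBHHH", 49152, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
GRE_PPP_PKT = _ipv4(IPPROTO_GRE,
                    struct.pack("!HHHHI", 0x3001, GRE_PPP, 4, 1, 0) + b"\xc0\x21\x01\x00")

if __name__ == "__main__":
    print(diagnose([TCP_1723]))                 # forwarding works, GRE missing
    print(diagnose([TCP_1723, GRE_PPP_PKT]))    # both channels reach the server
```

A capture that shows only the first result during an outside connection attempt matches the situation described in the thread: port 1723 is reachable, yet the session stalls at authentication.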
