Solved

VPN Server - Routing and Remote Access - steps after adding this role to make connection?

Posted on 2006-11-26
15
866 Views
Last Modified: 2012-05-05
I've installed Routing and Remote using the Manage Roles Console to enable VPN access to a Windows 2003 Server. Then checked Allow Access in the User's permissions and opened the firewall port.

I created a VPN Connection on a XP machine and It gets all the way to Verify User name and Password and times out with Error 721: The remote computer did not respond.

I don't see any logs created on the Server, although I'm not sure where VPN logs would be and I'm not sure how to troubleshoot the connection.

0
Comment
Question by:Ryman1
  • 6
  • 6
15 Comments
 
LVL 9

Expert Comment

by:robjeeves
Comment Utility
G'day mate

I had a quick search for you and found this

http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21175424.html

Is your SBS a single or dual nic machine?  Is the SBS Server behind another firewall?  If so you would need to forward 1723 and allow the GRE (generic routing encapsulation) through as well on the firewall that is in front of the SBS (if applicable).

Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
As robjeeves suggested a 721 error almost always indicates the GRE protocol is being blocked. On many routers this is enabled with an option on your router "enable PPTP pass-through". If this is not an option on your router please provide the make and model, and perhaps we can be more specific.

GRE can also be blocked by software firewalls such as Symantec, Zone alarm and such. If possible disable them for testing.
Finally Symantic's Virus software has an option called "Internet worm protection" which can block GRE traffic. If that is present try disabling that feature within Symantic's virus protection.
0
 

Author Comment

by:Ryman1
Comment Utility
When I test the VPN *inside* the network, I can authenticate and connect with no problem from my laptop. This make me thinks it's either my Linksys firewall or some policy on the server that won't allow a connection from outside.

I've forwarded 1723 (both UDP and TCP) to the Windows 2003 Server, but it fails when verifying name and password from an outside connection.

Currently, there is no Antivirus or Firewall running on the Server.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
As mentioned above, it is likely the router is blocking GRE, that is why you can connect from inside. Is there a "PPTP pass-through" or "VPN pass-through" option on the router? The router needs both port forwarding of 1723 for PPTP and PPTP pass-through for GRE to work.

It's also possible that the modem, router, or ISP doesn't support  PPTP/GRE, but that is unlikely.
0
 

Author Comment

by:Ryman1
Comment Utility
Yeah, I have a Linksys WRT54GR which supports it.

I have 1723 forwarding both UDP and TCP.

Any thoughts on how to troubleshoot? Could it be a server setting since it's receiving a request from outside the firewall?
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
On the security / VPN page make sure PPTP pass-through is enabled. Wasn't sure if "Linksys WRT54GR which supports it." meant it was enabled.

The other possibility is the modem may be blocking it. Does your router provide NAT (Network Address Translation) services? Many do. If so the router will be assigned a private IP address. Does the routers WAN page have you public IP that you are trying to connect to, or a private address such as 192.168.x.x, 10.x.x.x, or 172.16-32.x.x  If the latter the modem will need to be put in bridge mode.

Finally at the client site it could be blocking GRE. Try connecting directly to the modem at that site. Make sure Windows firewall is enabled and Windows and virus definitions are current.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:Ryman1
Comment Utility
Yep, the pass-through is enabled. In fact, other services pass through with no problem. SSH and Remote Desktop work offsite no problem. Would the modem block VPN traffic, but not others?

I have a Comcast Broadband Modem (dumb modem that does no routing) and a Linksys WRT54GR.

0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Some modems do not support GRE the encapsulation protocol. It's not common, but it is a possibility. Also a few ISP's block it intentionally as they want to use their paid VPN service. However the ISP's most often block it by blocking port 1723 rather than the GRE protocol.You can verify port 1723 is OK by connecting to http://www.canyouseme.org  from the VPN server. I am doubtful the port is block as you would get a different error # than 721.
0
 

Author Comment

by:Ryman1
Comment Utility
Are you sure that link is right? It's some a ad site, but if it is, what do I do once I've browsed to it?
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Very sorry, typo. Try:
http://www.canyouseeme.org/
0
 

Author Comment

by:Ryman1
Comment Utility
Okay, I went to the sight and 1723 seemed to check out just fine.

Success: I can see your service on 24.18.252.13 on port (1723)
Your ISP is not blocking port 1723

Also, when I turn off port forwarding, I get error 678: There was no answer. Further confirming you theory that it's not a port issue with 1723.

Robwill, What's my next step?
0
 

Author Comment

by:Ryman1
Comment Utility
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
Comment Utility
As suggested by that article, it is always good to update to the latest firmware. Some of the earlier Linksys definitely had problems with GRE, but yours is a relatively new unit, so it shouldn't have a problem. I have set up RRAS before with a WRT54G, without a problem. Still I would update the firmware.
I have also seen on some Linksys where you make changes and they appear to apply, but do not really until you disconnect the power for a couple of minutes and re-boot. There was one issue here a few months ago, where a fellow did a hard reset of his router and re-configured it the exact same way, and it worked. I am wondering if a few of the Linksys may have issues from time to time applying policy changes.

There is a way to test GRE pass-through if you like:
Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
 
 
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now