Solved

VPN Server - Routing and Remote Access - steps after adding this role to make connection?

Posted on 2006-11-26
Last Modified: 2012-05-05
I've installed Routing and Remote using the Manage Roles Console to enable VPN access to a Windows 2003 Server. Then checked Allow Access in the User's permissions and opened the firewall port.

I created a VPN Connection on an XP machine and it gets all the way to Verify User name and Password and times out with Error 721: The remote computer did not respond.

I don't see any logs created on the Server, although I'm not sure where VPN logs would be and I'm not sure how to troubleshoot the connection.

Question by:Ryman1
15 Comments
 
LVL 9

Expert Comment

by:robjeeves
ID: 18016080
G'day mate

I had a quick search for you and found this

http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21175424.html

Is your SBS a single or dual NIC machine? Is the SBS Server behind another firewall? If so you would need to forward 1723 and allow the GRE (generic routing encapsulation) through as well on the firewall that is in front of the SBS (if applicable).

Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18016271
As robjeeves suggested, a 721 error almost always indicates the GRE protocol is being blocked. On many routers this is enabled with an option on your router "enable PPTP pass-through". If this is not an option on your router please provide the make and model, and perhaps we can be more specific.

GRE can also be blocked by software firewalls such as Symantec, ZoneAlarm and such. If possible disable them for testing.
Finally Symantec's Virus software has an option called "Internet worm protection" which can block GRE traffic. If that is present try disabling that feature within Symantec's virus protection.
0
 

Author Comment

by:Ryman1
ID: 18048086
When I test the VPN *inside* the network, I can authenticate and connect with no problem from my laptop. This makes me think it's either my Linksys firewall or some policy on the server that won't allow a connection from outside.

I've forwarded 1723 (both UDP and TCP) to the Windows 2003 Server, but it fails when verifying name and password from an outside connection.

Currently, there is no Antivirus or Firewall running on the Server.
0

 
LVL 77

Expert Comment

by:Rob Williams
ID: 18048454
As mentioned above, it is likely the router is blocking GRE, that is why you can connect from inside. Is there a "PPTP pass-through" or "VPN pass-through" option on the router? The router needs both port forwarding of 1723 for PPTP and PPTP pass-through for GRE to work.

It's also possible that the modem, router, or ISP doesn't support PPTP/GRE, but that is unlikely.
0
 

Author Comment

by:Ryman1
ID: 18051849
Yeah, I have a Linksys WRT54GR which supports it.

I have 1723 forwarding both UDP and TCP.

Any thoughts on how to troubleshoot? Could it be a server setting since it's receiving a request from outside the firewall?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18053261
On the security / VPN page make sure PPTP pass-through is enabled. Wasn't sure if "Linksys WRT54GR which supports it." meant it was enabled.

The other possibility is the modem may be blocking it. Does your router provide NAT (Network Address Translation) services? Many do. If so the router will be assigned a private IP address. Does the router's WAN page have your public IP that you are trying to connect to, or a private address such as 192.168.x.x, 10.x.x.x, or 172.16-32.x.x? If the latter, the modem will need to be put in bridge mode.

Finally at the client site it could be blocking GRE. Try connecting directly to the modem at that site. Make sure Windows firewall is enabled and Windows and virus definitions are current.
0
 

Author Comment

by:Ryman1
ID: 18055204
Yep, the pass-through is enabled. In fact, other services pass through with no problem. SSH and Remote Desktop work offsite no problem. Would the modem block VPN traffic, but not others?

I have a Comcast Broadband Modem (dumb modem that does no routing) and a Linksys WRT54GR.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18055945
Some modems do not support GRE, the encapsulation protocol. It's not common, but it is a possibility. Also a few ISPs block it intentionally as they want to use their paid VPN service. However the ISPs most often block it by blocking port 1723 rather than the GRE protocol. You can verify port 1723 is OK by connecting to http://www.canyouseme.org from the VPN server. I am doubtful the port is blocked as you would get a different error # than 721.
0
 

Author Comment

by:Ryman1
ID: 18057981
Are you sure that link is right? It's some ad site, but if it is, what do I do once I've browsed to it?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18057990
Very sorry, typo. Try:
http://www.canyouseeme.org/
0
 

Author Comment

by:Ryman1
ID: 18059974
Okay, I went to the site and 1723 seemed to check out just fine.

Success: I can see your service on 24.18.252.13 on port (1723)
Your ISP is not blocking port 1723

Also, when I turn off port forwarding, I get error 678: There was no answer. Further confirming your theory that it's not a port issue with 1723.

Robwill, What's my next step?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 18060713
As suggested by that article, it is always good to update to the latest firmware. Some of the earlier Linksys definitely had problems with GRE, but yours is a relatively new unit, so it shouldn't have a problem. I have set up RRAS before with a WRT54G, without a problem. Still I would update the firmware.
I have also seen on some Linksys where you make changes and they appear to apply, but do not really until you disconnect the power for a couple of minutes and re-boot. There was one issue here a few months ago, where a fellow did a hard reset of his router and re-configured it the exact same way, and it worked. I am wondering if a few of the Linksys may have issues from time to time applying policy changes.

There is a way to test GRE pass-through if you like:
Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
 
 
0
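The 721-versus-678 reasoning in this thread, as an added example (not part of any post, and not Microsoft's pptpsrv/pptpclnt tools): a Python check that takes raw IPv4 packets captured on the VPN server's external interface and reports whether the PPTP control channel (TCP 1723) and the GRE tunnel (IP protocol 47) both arrived. The function names and the sample packets are constructed for illustration; taking the capture itself is assumed to be done separately.

```python
import struct

TCP, GRE = 6, 47     # IP protocol numbers; GRE has no ports, so a port forward cannot carry it
PPTP_PORT = 1723     # PPTP control channel

def ipv4(proto, payload):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) plus payload."""
    src, dst = bytes([203, 0, 113, 10]), bytes([192, 0, 2, 20])   # documentation addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def classify(pkt):
    """Label one raw IPv4 packet as 'pptp-control', 'pptp-gre' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4                  # header length in bytes
    body = pkt[ihl:]
    if pkt[9] == GRE and len(body) >= 4:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        # PPTP uses enhanced GRE: version 1, protocol type 0x880B (RFC 2637)
        return "pptp-gre" if (flags_ver & 0x7, ptype) == (1, 0x880B) else "other"
    if pkt[9] == TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_PORT in (sport, dport):
            return "pptp-control"
    return "other"

def diagnose(packets):
    """Map what reached the server to the symptoms reported in the thread."""
    seen = {classify(p) for p in packets}
    if "pptp-control" not in seen:
        return "no TCP 1723 seen: check the port forward (thread: error 678)"
    if "pptp-gre" not in seen:
        return "TCP 1723 but no GRE: protocol 47 dropped in the path (thread: error 721)"
    return "TCP 1723 and GRE both seen: pass-through is working"

# Constructed captures (not real traffic): a TCP segment to 1723 and a PPTP GRE frame
CONTROL = ipv4(TCP, struct.pack("!HH", 49152, PPTP_PORT) + bytes(16))
TUNNEL = ipv4(GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0))
OUTSIDE_ATTEMPT = [CONTROL]            # like the failing connection from outside
INSIDE_ATTEMPT = [CONTROL, TUNNEL]     # like the working connection from the LAN

if __name__ == "__main__":
    for name, cap in (("outside", OUTSIDE_ATTEMPT), ("inside", INSIDE_ATTEMPT), ("none", [])):
        print(name, "->", diagnose(cap))
```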
