Solved

VPN Server - Routing and Remote Access - steps after adding this role to make connection?

Posted on 2006-11-26
Last Modified: 2012-05-05
I've installed Routing and Remote using the Manage Roles Console to enable VPN access to a Windows 2003 Server. Then checked Allow Access in the User's permissions and opened the firewall port.

I created a VPN connection on an XP machine and it gets all the way to Verify User name and Password and times out with Error 721: The remote computer did not respond.

I don't see any logs created on the Server, although I'm not sure where VPN logs would be and I'm not sure how to troubleshoot the connection.

Question by:Ryman1

LVL 9

Expert Comment

by:robjeeves
ID: 18016080
G'day mate

I had a quick search for you and found this

http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21175424.html

Is your SBS a single or dual NIC machine? Is the SBS server behind another firewall? If so, you would need to forward 1723 and allow GRE (generic routing encapsulation) through as well on the firewall that is in front of the SBS (if applicable).

Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18016271
As robjeeves suggested, a 721 error almost always indicates the GRE protocol is being blocked. On many routers this is enabled with an option on your router, "enable PPTP pass-through". If this is not an option on your router, please provide the make and model, and perhaps we can be more specific.

GRE can also be blocked by software firewalls such as Symantec, ZoneAlarm and such. If possible, disable them for testing.
Finally, Symantec's virus software has an option called "Internet worm protection" which can block GRE traffic. If that is present, try disabling that feature within Symantec's virus protection.
0
 

Author Comment

by:Ryman1
ID: 18048086
When I test the VPN *inside* the network, I can authenticate and connect with no problem from my laptop. This makes me think it's either my Linksys firewall or some policy on the server that won't allow a connection from outside.

I've forwarded 1723 (both UDP and TCP) to the Windows 2003 Server, but it fails when verifying name and password from an outside connection.

Currently, there is no Antivirus or Firewall running on the Server.
0

 
LVL 77

Expert Comment

by:Rob Williams
ID: 18048454
As mentioned above, it is likely the router is blocking GRE, that is why you can connect from inside. Is there a "PPTP pass-through" or "VPN pass-through" option on the router? The router needs both port forwarding of 1723 for PPTP and PPTP pass-through for GRE to work.

It's also possible that the modem, router, or ISP doesn't support PPTP/GRE, but that is unlikely.
0
 

Author Comment

by:Ryman1
ID: 18051849
Yeah, I have a Linksys WRT54GR which supports it.

I have 1723 forwarding both UDP and TCP.

Any thoughts on how to troubleshoot? Could it be a server setting since it's receiving a request from outside the firewall?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18053261
On the security / VPN page make sure PPTP pass-through is enabled. Wasn't sure if "Linksys WRT54GR which supports it." meant it was enabled.

The other possibility is the modem may be blocking it. Does your router provide NAT (Network Address Translation) services? Many do. If so the router will be assigned a private IP address. Does the router's WAN page have your public IP that you are trying to connect to, or a private address such as 192.168.x.x, 10.x.x.x, or 172.16-32.x.x? If the latter, the modem will need to be put in bridge mode.

Finally at the client site it could be blocking GRE. Try connecting directly to the modem at that site. Make sure Windows firewall is enabled and Windows and virus definitions are current.
0
 

Author Comment

by:Ryman1
ID: 18055204
Yep, the pass-through is enabled. In fact, other services pass through with no problem. SSH and Remote Desktop work offsite no problem. Would the modem block VPN traffic, but not others?

I have a Comcast Broadband Modem (dumb modem that does no routing) and a Linksys WRT54GR.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18055945
Some modems do not support GRE, the encapsulation protocol. It's not common, but it is a possibility. Also, a few ISPs block it intentionally as they want to use their paid VPN service. However, the ISPs most often block it by blocking port 1723 rather than the GRE protocol. You can verify port 1723 is OK by connecting to http://www.canyouseme.org from the VPN server. I am doubtful the port is blocked, as you would get a different error # than 721.
0
 

Author Comment

by:Ryman1
ID: 18057981
Are you sure that link is right? It's some ad site, but if it is, what do I do once I've browsed to it?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18057990
Very sorry, typo. Try:
http://www.canyouseeme.org/
0
 

Author Comment

by:Ryman1
ID: 18059974
Okay, I went to the site and 1723 seemed to check out just fine.

Success: I can see your service on 24.18.252.13 on port (1723)
Your ISP is not blocking port 1723

Also, when I turn off port forwarding, I get error 678: There was no answer. Further confirming your theory that it's not a port issue with 1723.

Robwill, what's my next step?
0
 

Author Comment

by:Ryman1
ID: 18059984
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 18060713
As suggested by that article, it is always good to update to the latest firmware. Some of the earlier Linksys definitely had problems with GRE, but yours is a relatively new unit, so it shouldn't have a problem. I have set up RRAS before with a WRT54G, without a problem. Still I would update the firmware.
I have also seen on some Linksys where you make changes and they appear to apply, but do not really until you disconnect the power for a couple of minutes and re-boot. There was one issue here a few months ago, where a fellow did a hard reset of his router and re-configured it the exact same way, and it worked. I am wondering if a few of the Linksys may have issues from time to time applying policy changes.

There is a way to test GRE pass-through if you like:
Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
 
 
0
