One user can't connect to VPN, all others can

lukeca asked
Last Modified: 2008-01-09
I have a user that cannot access our VPN server. We are just using a Windows 2003 server with routing and remote access. All users connect with PPTP VPN. Our router is a linksys RV082 with PPTP passthrough enabled and port 1723 forwarded to the server. Everyone can access the VPN server with no problems except for this one user. Now on the user's end he does have a firewall, I think just a linksys wrt54g. We did try taking his home firewall out of the picture, it made no difference. Also he can connect to other VPN networks with no issues. One thing I had tried to resolve this was just reset power on our firewall in the office, after I did that he could actually connect with VPN and we thought everything was good to go, but then a couple days ago this happened again, and this time resetting the firewall did not fix it. So does anyone have any idea what could cause this?

Author

Commented:
Thanks for the comments, you made me think of some more things I should mention:

- We took his laptop to another location and it connects to the VPN fine, so his user account is ok and his laptop is ok
- So he only has trouble connecting at home, but I don't believe his firewall or ISP is blocking any sort of VPN traffic because we can use VPN at his home to connect to multiple other sites (I work for an IT consulting firm so we have many other VPNs that are available to connect to for testing)
-  The point where it stops when connecting to his company is at "Verifying username and password" but the error returned is that it timed out waiting for a response, not anything about incorrect credentials, so he does make the initial connection, it just never fully connects

RobWill - to answer your questions:  The subnets are different, he is the only user attempting to connect, it's a company laptop so we control the antivirus, although we do use TrendMicro client/server antivirus, but there are about 10 other employees that don't have any problems, and like I said the laptop connects when it's not at his house, and yes we did try taking his home router out of the picture, he just has the local cable company for an ISP, they just have standard ethernet cable modems from motorola

So, any ideas now?  
CERTIFIED EXPERT
Top Expert 2013

Commented:
>>"So, any ideas now?  "
No  :-)

>>"point where it stops when connecting to his company is at "Verifying username and password" "
Any error number reported at the same time, such as 721, 691, 800 or similar ?

Have you "tinkered" with the MTU ? Usually too high an MTU value results in an unstable or dropped connection, but can cause connection issues. I could see that possibly being related to the router reboot. If you are not familiar, it is recommended you change this on the connecting/client computer and when possible, its local router. The easiest way to change the MTU on the PC is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300 or less, and if it improves the situation, gradually increase it to a maximum of 1430.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm

If the MTU was locked at 1500 you might experience the problem you describe above. As mentioned it needs to be 1430 or lower, but is usually automatically set to 1430.

Commented:
I would check the end user PC for any spyware/viruses first. You can use Webroot spysweeper trial version to remove any, if present. Reboot PC. Create VPN connection again and reconnect.
Which firewall are you using at your office which on turning off allowed the connection??
:)

Author

Commented:
saviturb - thanks for the ideas, I'm pretty sure the PC is running good, like I said I can successfully connect to the VPN if I'm not at this user's home, it works fine elsewhere.  I did not turn off any firewall at the office, I just reset it by unplugging it and plugging back in again, that seemed to cure the problem for a few weeks, but now it will not cure the problem.

robwill - your MTU idea got me poking around in the firewall, and I noticed some other options such as the SPI firewall and an option to block anonymous wan requests, I did some searching on my own and found others that have had this problem and resolved it by turning off those options, I disabled those options and when this user goes home tonight he is going to give it another shot, I will keep you posted
CERTIFIED EXPERT
Top Expert 2013

Commented:
You can try without those options, and I agree I have read where some say they have solved by disabling "block anonymous wan requests", but I am very skeptical. Both of those features are important firewall protection items, and should have nothing to do with PPTP. Can't hurt to try, even if it is to narrow down the problem.

Commented:
lukeca - Which firewall are you using? Sonic or something else, and please specify the model number. I would be happy to research it and provide you a solution.
:)

Author

Commented:
saviturb I mentioned it in my original question, a linksys RV082

Author

Commented:
The error number the user receives is 721.  And he still couldn't get in even with the changes I made, so I don't know what's going on.

Commented:
Error 721 means Remote PPP peer or computer is not responding...
A connection between the VPN server and the VPN client <WAN IP ADDRESS> has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets.
I would suggest checking the router settings to make sure TCP port 1723 and IP protocol 47 (GRE) are open. Also make sure that the router has PPTP enabled and that no firewall is blocking the traffic at either end.
Also, very important - Upgrade to latest Linksys firmware at user's end (WRT54g) on router. What is the current firmware?
Hopefully, this will complete the vpn connection.
:)
CERTIFIED EXPERT
Top Expert 2013

Commented:
No question a 721 error is usually blocked GRE. However, this is very interesting as other users can connect to your PPTP server, indicating GRE is OK on the server end, and the user can connect to other PPTP servers/sites indicating GRE is OK on the client end. The most common causes of blocked GRE are:
-PPTP pass-through is not enabled on one or the other routers
-one site has multiple NAT (Network Address Translation) devices such as 2 routers or a modem that is a combined router and modem as well as a separate router (modem should be in bridged mode)
-software firewall such as Zone Alarm, McAfee firewall, or Symantec Security suite is enabled
-additional applications such as Windows One Care, Trend Micro, or Symantec’s Virus software with “internet worm protection” is enabled and blocking GRE

Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
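The 721 pattern discussed in this thread (TCP 1723 connects, GRE never completes) can also be checked from a packet capture taken at the VPN server. The following is an added example, not code from any poster or from Microsoft's test tools; it assumes raw IPv4 packets without a link-layer header, and the addresses and sample packets are constructed for illustration.

```python
import socket
import struct

GRE, TCP, PPTP_PORT = 47, 6, 1723  # IP protocol numbers, PPTP control port

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport):
    """20-byte TCP header with only ports and data offset filled in."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)

# Enhanced GRE header as used by PPTP: K bit set, version 1, protocol 0x880B, call ID 1
PPTP_GRE = struct.pack("!BBHHH", 0x20, 0x01, 0x880B, 0, 1)

def classify(packets, client, server):
    """Return which PPTP flows appear in each direction between client and server."""
    seen = {"ctl_in": False, "ctl_out": False, "gre_in": False, "gre_out": False}
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # truncated or not IPv4
        pair = (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]))
        if pair not in ((client, server), (server, client)):
            continue  # unrelated traffic
        side = "in" if pair[0] == client else "out"
        body = pkt[(pkt[0] & 0x0F) * 4:]  # skip the IP header, honouring IHL
        if pkt[9] == TCP and len(body) >= 4 and PPTP_PORT in struct.unpack("!HH", body[:4]):
            seen["ctl_" + side] = True
        elif pkt[9] == GRE and len(body) >= 8 and body[1] & 7 == 1 and body[2:4] == b"\x88\x0b":
            seen["gre_" + side] = True  # only PPTP's GRE variant counts
    return seen

def diagnose(seen):
    if not (seen["ctl_in"] and seen["ctl_out"]):
        return "no PPTP control connection on TCP 1723"
    if not seen["gre_in"]:
        return "TCP 1723 up, no GRE (protocol 47) arriving from client"
    if not seen["gre_out"]:
        return "TCP 1723 up, client GRE arrives, server sent none back"
    return "TCP 1723 and GRE seen in both directions"

# Constructed capture at the server: documentation addresses, not from the thread.
CLIENT, SERVER = "198.51.100.7", "203.0.113.10"
BLOCKED = [ipv4(CLIENT, SERVER, TCP, tcp(50000, 1723)),
           ipv4(SERVER, CLIENT, TCP, tcp(1723, 50000)),
           ipv4(SERVER, CLIENT, GRE, PPTP_GRE)]
HEALTHY = BLOCKED + [ipv4(CLIENT, SERVER, GRE, PPTP_GRE)]
```

`diagnose(classify(BLOCKED, CLIENT, SERVER))` reports the case where a device on the client's path drops GRE; a capture on the client side would be needed to tell whether the server's GRE is also lost on the way back.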

Author

Commented:
Well this ended up being a waste of time.  It was his router at his house.  He reset power to it and now he can VPN in, I gave the points to you RobWill because you pointed out that the wrt54g can sometimes be a problem.

Author

Commented:
Just realized that may sound confusing because I had said we took the firewall out of the picture, but that was when it happened the first time and resetting the company's firewall fixed the issue. I never thought to try it again the second time.
CERTIFIED EXPERT
Top Expert 2013

Commented:
Thanks lukeca. Glad to hear you were able to get it working one way or another.
Cheers !
--Rob