gr8gonzo
asked on
VPN: Stuck on Verifying Username and Password
We're based in California and have a Firebox III/700 firewall, with about 10 VPN users, and I'm one of them. VPN connections seem to work great until now. Everyone's connection works except for mine - I'm on a trip to Washington, DC and for some reason I can't connect to the VPN.
My REAL external IP is 192.12.--.---. I've verified with the IT staff here that my network connection has unrestricted outbound access on all ports. My guess is that the 192 prefix is messing with the Firebox, but I'm not sure how or what to do about it.
Basically, when I connect to the VPN, it gets to the "Verifying username and password" stage and after about a minute, returns a 721 error (no response).
Our Firebox authenticates to a RADIUS server (Win2K server) inside our network in California. The log on the Firebox says that the Firebox is accepting the connection and assigning me to one of the PPTP slots, but nothing happens. I've been trying to figure this thing out, but I'm running out of ideas. Any help would be appreciated.
- Jonathan
1) Not to suggest PPTP VPNs won't work with 2 NAT devices, but it definitely often blocks it. Try the tracert route just to the Internet without the VPN. Technically with the VPN it is a closed tunnel with 2 ends. In the Tracert you are looking for 2 private IPs (other than your PC) before it hits the public IPs.
2) I am not a "Cisco guy" so I am not a lot of help there. But to the best of my knowledge Ciscos do not allow outgoing GRE traffic by default. They need to have the fixup command added to allow GRE. Perhaps someone will be along to verify that. If that is the problem, is it an option to have that changed/added by the local support staff? Perhaps they could even verify if it is already in the config.
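The tracert check from point 1 above, as an added example that is not part of the original thread: it reads Windows `tracert` output and lists the RFC 1918 hops seen before the first public hop. The function names and both sample traces are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges. Only 192.168.0.0/16 of the 192.x space is private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A Windows tracert hop line: hop number, three timings, then "ip" or "name [ip]".
HOP_RE = re.compile(r"^\s*\d+\s+.*?(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def private_hops_before_public(tracert_text):
    """Private hop addresses seen before the first public hop.

    Timed-out hops ("* * *") carry no address and are skipped, so the
    result is a lower bound on the number of private hops.
    """
    private = []
    for line in tracert_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank line, or timed-out hop
        if not is_rfc1918(m.group(1)):
            break     # reached a public address
        private.append(m.group(1))
    return private

def likely_double_nat(tracert_text):
    """Two or more private hops before a public one suggests two NAT devices."""
    return len(private_hops_before_public(tracert_text)) >= 2

# Constructed sample output (documentation addresses stand in for public hops).
HEADER = "Tracing route to vpn.example.com [203.0.113.10]\nover a maximum of 30 hops:\n\n"
SINGLE_NAT = HEADER + (
    "  1    <1 ms    <1 ms    <1 ms  10.0.0.1\n"
    "  2     9 ms     8 ms     9 ms  198.51.100.1\n"
    "  3    71 ms    70 ms    72 ms  vpn.example.com [203.0.113.10]\n")
DOUBLE_NAT = HEADER + (
    "  1    <1 ms    <1 ms    <1 ms  192.168.1.1\n"
    "  2     2 ms     1 ms     2 ms  10.0.0.1\n"
    "  3     *        *        *     Request timed out.\n"
    "  4    71 ms    70 ms    72 ms  vpn.example.com [203.0.113.10]\n")

if __name__ == "__main__":
    for name, trace in (("single", SINGLE_NAT), ("double", DOUBLE_NAT)):
        print(name, private_hops_before_public(trace), likely_double_nat(trace))
```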
ASKER
1. Only 1 private IP - the 10.1.x.x one.
2. I'll cross my fingers and hope a Cisco person can come along to verify that and give me a little more instruction on what to say to the IT staff.
I'll see if I can 'flag' some attention for you. I assume you are wanting to resolve as soon as possible.
--Rob
ASKER
If possible, yes. :) Thanks!
ASKER
Still hasn't been resolved, but I don't want to keep this question open. I'll assign it for the "fixup" suggestion.
Thanks gr8gonzo.
I did send a couple of e-mails, but see they didn't respond. Sorry.
--Rob
ASKER
2. I asked the IT staff here a while ago what kind of router they had and they said it was Cisco, but I don't know anything further. Does the "fixup protocol pptp 1723" change something beyond allowing unrestricted outbound traffic from my IP? And also, does it affect any particular models of Cisco? I don't know how knowledgeable the staff here is, and I need to know how best to communicate this to them.
Thanks for the quick response!