Solved

VPN: Stuck on Verifying Username and Password

Posted on 2007-04-03
8
6,191 Views
Last Modified: 2012-06-21
We're based in California and have a Firebox III/700 firewall, with about 10 VPN users, and I'm one of them. VPN connections seem to work great until now. Everyone's connection works except for mine - I'm on a trip to Washington, DC and for some reason I can't connect to the VPN.

My REAL external IP is 192.12.--.---. I've verified with the IT staff here that my network connection has unrestricted outbound access on all ports. My guess is that the 192 prefix is messing with the Firebox, but I'm not sure how or what to do about it.

Basically, when I connect to the VPN, it gets to the "Verifying username and password" stage and after about a minute, returns a 721 error (no response).

Our Firebox authenticates to a RADIUS server (Win2K server) inside our network in California. The log on the Firebox says that the Firebox is accepting the connection and assigning me to one of the PPTP slots, but nothing happens. I've been trying to figure this thing out, but I'm running out of ideas. Any help would be appreciated.

- Jonathan
0
Comment
Question by:gr8gonzo
  • 4
  • 4
8 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 18846804
A 721 error is almost always a blocked GRE  error.
I would assume the problem is not the WatchGuard office as this is/was working for others. It may be that the site where you are located is blocking the GRE traffic. A few reasons that can happen:
-they have multiple NAT devices at the site between you and the modem
-the router is not GRE compatible. Some are not
-some routers only support 1 PPTP tunnel. Might others be using a VPN
-if a Cisco at the remote site you may need add "fixup protocol pptp 1723"
-sometimes enabling "PPTP pass-trough" on SOHO routers resolves the problem
0
 
LVL 34

Author Comment

by:gr8gonzo
ID: 18846911
1. There MAY be multiple NAT devices - I'm not sure. Any thoughts on how I could tell this? I ran a tracert from here to the VPN, but I'm not sure what I'm looking for. My internal IP starts with 10.1, which I'm pretty sure is an internal NAT address, but after that, it goes to the 192.12.--.1 address, which seems to be the main gateway / router for the public IPs. I've been behind multiple NATs before (my own wireless router hooked up to a hotel connection), and VPN has still worked. Do multiple NAT levels normally break things?

2. I asked the IT staff here a while ago what kind of router they had and they said it was Cisco, but I don't know anything further. Does the "fixup protocol pptp 1723" change something beyond allowing unrestricted outbound traffic from my IP? And also, does it affect any particular models of Cisco? I don't know how knowledgeable the staff here is, and I need to know how best to communicate this to them.

Thanks for the quick response!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18846986
1) Not to suggest PPTP VPN's won't work with 2 NAT devices, but it definitely often blocks it. Try the tracert rout just to the Internet with out the VPN. Technically with the VPN it is a closed tunnel with 2 ends. In the Tracert you are looking for 2 private IP's (other than your PC, before it hits the public IP's.

2) I am not a "Cisco guy" so I am not a lot of help there. But to the best of my knowledge Cisco's do not allow outgoing GRE traffic by default. They need to have the fixup command added to allow GRE. Perhaps someone will be along to verify that. If that is the problem, is it an option to have that changed/added, by the local support staff? Perhaps they could even verify if it is already in the config.
0
 
LVL 34

Author Comment

by:gr8gonzo
ID: 18847377
1. Only 1 private IP  - the 10.1.x.x one.

2. I'll cross my fingers and hope a Cisco person can come along to verify that and give me a little more instruction on what to say to the IT staff.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 77

Expert Comment

by:Rob Williams
ID: 18847405
I'll see if I can 'flag' some attention for you. I assume you are wanting to resolve as soon as possible.
--Rob
0
 
LVL 34

Author Comment

by:gr8gonzo
ID: 18847663
If possible, yes. :) Thanks!
0
 
LVL 34

Author Comment

by:gr8gonzo
ID: 18995146
Still hasn't been resolved, but I don't want to keep this question open. I'll assign it for the "fixup" suggestion.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18995228
Thanks gr8gonzo.
I did send a couple of e-mails, but see they didn't respond. Sorry.
--Rob
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now