Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6213
  • Last Modified:

VPN: Stuck on Verifying Username and Password

We're based in California and have a Firebox III/700 firewall, with about 10 VPN users, and I'm one of them. VPN connections seem to work great until now. Everyone's connection works except for mine - I'm on a trip to Washington, DC and for some reason I can't connect to the VPN.

My REAL external IP is 192.12.--.---. I've verified with the IT staff here that my network connection has unrestricted outbound access on all ports. My guess is that the 192 prefix is messing with the Firebox, but I'm not sure how or what to do about it.

Basically, when I connect to the VPN, it gets to the "Verifying username and password" stage and after about a minute, returns a 721 error (no response).

Our Firebox authenticates to a RADIUS server (Win2K server) inside our network in California. The log on the Firebox says that the Firebox is accepting the connection and assigning me to one of the PPTP slots, but nothing happens. I've been trying to figure this thing out, but I'm running out of ideas. Any help would be appreciated.

- Jonathan
0
gr8gonzo
Asked:
gr8gonzo
  • 4
  • 4
1 Solution
 
Rob WilliamsCommented:
A 721 error is almost always a blocked GRE  error.
I would assume the problem is not the WatchGuard office as this is/was working for others. It may be that the site where you are located is blocking the GRE traffic. A few reasons that can happen:
-they have multiple NAT devices at the site between you and the modem
-the router is not GRE compatible. Some are not
-some routers only support 1 PPTP tunnel. Might others be using a VPN
-if a Cisco at the remote site you may need add "fixup protocol pptp 1723"
-sometimes enabling "PPTP pass-trough" on SOHO routers resolves the problem
0
 
gr8gonzoConsultantAuthor Commented:
1. There MAY be multiple NAT devices - I'm not sure. Any thoughts on how I could tell this? I ran a tracert from here to the VPN, but I'm not sure what I'm looking for. My internal IP starts with 10.1, which I'm pretty sure is an internal NAT address, but after that, it goes to the 192.12.--.1 address, which seems to be the main gateway / router for the public IPs. I've been behind multiple NATs before (my own wireless router hooked up to a hotel connection), and VPN has still worked. Do multiple NAT levels normally break things?

2. I asked the IT staff here a while ago what kind of router they had and they said it was Cisco, but I don't know anything further. Does the "fixup protocol pptp 1723" change something beyond allowing unrestricted outbound traffic from my IP? And also, does it affect any particular models of Cisco? I don't know how knowledgeable the staff here is, and I need to know how best to communicate this to them.

Thanks for the quick response!
0
 
Rob WilliamsCommented:
1) Not to suggest PPTP VPN's won't work with 2 NAT devices, but it definitely often blocks it. Try the tracert rout just to the Internet with out the VPN. Technically with the VPN it is a closed tunnel with 2 ends. In the Tracert you are looking for 2 private IP's (other than your PC, before it hits the public IP's.

2) I am not a "Cisco guy" so I am not a lot of help there. But to the best of my knowledge Cisco's do not allow outgoing GRE traffic by default. They need to have the fixup command added to allow GRE. Perhaps someone will be along to verify that. If that is the problem, is it an option to have that changed/added, by the local support staff? Perhaps they could even verify if it is already in the config.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
gr8gonzoConsultantAuthor Commented:
1. Only 1 private IP  - the 10.1.x.x one.

2. I'll cross my fingers and hope a Cisco person can come along to verify that and give me a little more instruction on what to say to the IT staff.
0
 
Rob WilliamsCommented:
I'll see if I can 'flag' some attention for you. I assume you are wanting to resolve as soon as possible.
--Rob
0
 
gr8gonzoConsultantAuthor Commented:
If possible, yes. :) Thanks!
0
 
gr8gonzoConsultantAuthor Commented:
Still hasn't been resolved, but I don't want to keep this question open. I'll assign it for the "fixup" suggestion.
0
 
Rob WilliamsCommented:
Thanks gr8gonzo.
I did send a couple of e-mails, but see they didn't respond. Sorry.
--Rob
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now