Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

VPN: Stuck on Verifying Username and Password

Posted on 2007-04-03
8
6,205 Views
Last Modified: 2012-06-21
We're based in California and have a Firebox III/700 firewall, with about 10 VPN users, and I'm one of them. VPN connections seem to work great until now. Everyone's connection works except for mine - I'm on a trip to Washington, DC and for some reason I can't connect to the VPN.

My REAL external IP is 192.12.--.---. I've verified with the IT staff here that my network connection has unrestricted outbound access on all ports. My guess is that the 192 prefix is messing with the Firebox, but I'm not sure how or what to do about it.

Basically, when I connect to the VPN, it gets to the "Verifying username and password" stage and after about a minute, returns a 721 error (no response).

Our Firebox authenticates to a RADIUS server (Win2K server) inside our network in California. The log on the Firebox says that the Firebox is accepting the connection and assigning me to one of the PPTP slots, but nothing happens. I've been trying to figure this thing out, but I'm running out of ideas. Any help would be appreciated.

- Jonathan
0
Comment
Question by:gr8gonzo
  • 4
  • 4
8 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 18846804
A 721 error is almost always a blocked GRE  error.
I would assume the problem is not the WatchGuard office as this is/was working for others. It may be that the site where you are located is blocking the GRE traffic. A few reasons that can happen:
-they have multiple NAT devices at the site between you and the modem
-the router is not GRE compatible. Some are not
-some routers only support 1 PPTP tunnel. Might others be using a VPN
-if a Cisco at the remote site you may need add "fixup protocol pptp 1723"
-sometimes enabling "PPTP pass-trough" on SOHO routers resolves the problem
0
 
LVL 34

Author Comment

by:gr8gonzo
ID: 18846911
1. There MAY be multiple NAT devices - I'm not sure. Any thoughts on how I could tell this? I ran a tracert from here to the VPN, but I'm not sure what I'm looking for. My internal IP starts with 10.1, which I'm pretty sure is an internal NAT address, but after that, it goes to the 192.12.--.1 address, which seems to be the main gateway / router for the public IPs. I've been behind multiple NATs before (my own wireless router hooked up to a hotel connection), and VPN has still worked. Do multiple NAT levels normally break things?

2. I asked the IT staff here a while ago what kind of router they had and they said it was Cisco, but I don't know anything further. Does the "fixup protocol pptp 1723" change something beyond allowing unrestricted outbound traffic from my IP? And also, does it affect any particular models of Cisco? I don't know how knowledgeable the staff here is, and I need to know how best to communicate this to them.

Thanks for the quick response!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18846986
1) Not to suggest PPTP VPN's won't work with 2 NAT devices, but it definitely often blocks it. Try the tracert rout just to the Internet with out the VPN. Technically with the VPN it is a closed tunnel with 2 ends. In the Tracert you are looking for 2 private IP's (other than your PC, before it hits the public IP's.

2) I am not a "Cisco guy" so I am not a lot of help there. But to the best of my knowledge Cisco's do not allow outgoing GRE traffic by default. They need to have the fixup command added to allow GRE. Perhaps someone will be along to verify that. If that is the problem, is it an option to have that changed/added, by the local support staff? Perhaps they could even verify if it is already in the config.
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 34

Author Comment

by:gr8gonzo
ID: 18847377
1. Only 1 private IP  - the 10.1.x.x one.

2. I'll cross my fingers and hope a Cisco person can come along to verify that and give me a little more instruction on what to say to the IT staff.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18847405
I'll see if I can 'flag' some attention for you. I assume you are wanting to resolve as soon as possible.
--Rob
0
 
LVL 34

Author Comment

by:gr8gonzo
ID: 18847663
If possible, yes. :) Thanks!
0
 
LVL 34

Author Comment

by:gr8gonzo
ID: 18995146
Still hasn't been resolved, but I don't want to keep this question open. I'll assign it for the "fixup" suggestion.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18995228
Thanks gr8gonzo.
I did send a couple of e-mails, but see they didn't respond. Sorry.
--Rob
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question