Solved

VPN: Stuck on Verifying Username and Password

Posted on 2007-04-03
Last Modified: 2012-06-21
We're based in California and have a Firebox III/700 firewall, with about 10 VPN users, and I'm one of them. VPN connections seem to work great until now. Everyone's connection works except for mine - I'm on a trip to Washington, DC and for some reason I can't connect to the VPN.

My REAL external IP is 192.12.--.---. I've verified with the IT staff here that my network connection has unrestricted outbound access on all ports. My guess is that the 192 prefix is messing with the Firebox, but I'm not sure how or what to do about it.

Basically, when I connect to the VPN, it gets to the "Verifying username and password" stage and after about a minute, returns a 721 error (no response).

Our Firebox authenticates to a RADIUS server (Win2K server) inside our network in California. The log on the Firebox says that the Firebox is accepting the connection and assigning me to one of the PPTP slots, but nothing happens. I've been trying to figure this thing out, but I'm running out of ideas. Any help would be appreciated.

- Jonathan
0
Comment
Question by:gr8gonzo
8 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 1500 total points
ID: 18846804
A 721 error is almost always a blocked GRE error.
I would assume the problem is not the WatchGuard office as this is/was working for others. It may be that the site where you are located is blocking the GRE traffic. A few reasons that can happen:
- they have multiple NAT devices at the site between you and the modem
- the router is not GRE compatible. Some are not
- some routers only support 1 PPTP tunnel. Might others be using a VPN?
- if there is a Cisco at the remote site, you may need to add "fixup protocol pptp 1723"
- sometimes enabling "PPTP pass-through" on SOHO routers resolves the problem
0
 
LVL 35

Author Comment

by:gr8gonzo
ID: 18846911
1. There MAY be multiple NAT devices - I'm not sure. Any thoughts on how I could tell this? I ran a tracert from here to the VPN, but I'm not sure what I'm looking for. My internal IP starts with 10.1, which I'm pretty sure is an internal NAT address, but after that, it goes to the 192.12.--.1 address, which seems to be the main gateway / router for the public IPs. I've been behind multiple NATs before (my own wireless router hooked up to a hotel connection), and VPN has still worked. Do multiple NAT levels normally break things?

2. I asked the IT staff here a while ago what kind of router they had and they said it was Cisco, but I don't know anything further. Does the "fixup protocol pptp 1723" change something beyond allowing unrestricted outbound traffic from my IP? And also, does it affect any particular models of Cisco? I don't know how knowledgeable the staff here is, and I need to know how best to communicate this to them.

Thanks for the quick response!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18846986
1) Not to suggest PPTP VPNs won't work with 2 NAT devices, but it definitely often blocks it. Try the tracert route just to the Internet without the VPN. Technically with the VPN it is a closed tunnel with 2 ends. In the tracert you are looking for 2 private IPs (other than your PC) before it hits the public IPs.

2) I am not a "Cisco guy" so I am not a lot of help there. But to the best of my knowledge Ciscos do not allow outgoing GRE traffic by default. They need to have the fixup command added to allow GRE. Perhaps someone will be along to verify that. If that is the problem, is it an option to have that changed/added by the local support staff? Perhaps they could even verify if it is already in the config.
0
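Added example, not part of the original thread: a small Python script that applies the tracert check described in the comment above by listing the private (RFC 1918) hops that appear before the first public hop, and that also tests whether the 192.12 prefix from the question falls in private address space. The two traces are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 private ranges. 192.168.0.0/16 is private; other 192.x space is not.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Windows tracert hop line: hop number first, IPv4 address (optionally in [..]) last.
HOP_RE = re.compile(r"^\s*\d+\s.*?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

def is_rfc1918(network):
    """True if the address or CIDR block lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(p) for p in RFC1918)

def private_hops_before_public(tracert_text):
    """Private hop addresses seen before the first public hop, in order."""
    hops = []
    for line in tracert_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank line, or a timed-out hop with no address
        if not is_rfc1918(m.group(1)):
            break     # reached public address space
        hops.append(m.group(1))
    return hops

def suspect_double_nat(tracert_text):
    """Heuristic from the thread: two or more private hops suggest stacked NAT."""
    return len(private_hops_before_public(tracert_text)) >= 2

# Constructed sample output (documentation addresses stand in for public hops).
SINGLE = """Tracing route to 198.51.100.20 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.1.0.1
  2     2 ms     1 ms     2 ms  203.0.113.1
  3     *        *        *     Request timed out.
  4    71 ms    70 ms    72 ms  vpn.example.com [198.51.100.20]
Trace complete."""

DOUBLE = """Tracing route to 198.51.100.20 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  10.1.0.1
  3     3 ms     2 ms     2 ms  203.0.113.1
Trace complete."""

if __name__ == "__main__":
    for name, trace in (("single", SINGLE), ("double", DOUBLE)):
        print(name, private_hops_before_public(trace), suspect_double_nat(trace))
    print("192.12.0.0/16 private:", is_rfc1918("192.12.0.0/16"))
```

Private hops can also be internal routers that do no translation, so a positive result is a reason to ask the local network staff, not proof of double NAT.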
 
LVL 35

Author Comment

by:gr8gonzo
ID: 18847377
1. Only 1 private IP - the 10.1.x.x one.

2. I'll cross my fingers and hope a Cisco person can come along to verify that and give me a little more instruction on what to say to the IT staff.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18847405
I'll see if I can 'flag' some attention for you. I assume you are wanting to resolve as soon as possible.
--Rob
0
 
LVL 35

Author Comment

by:gr8gonzo
ID: 18847663
If possible, yes. :) Thanks!
0
 
LVL 35

Author Comment

by:gr8gonzo
ID: 18995146
Still hasn't been resolved, but I don't want to keep this question open. I'll assign it for the "fixup" suggestion.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18995228
Thanks gr8gonzo.
I did send a couple of e-mails, but see they didn't respond. Sorry.
--Rob
0
