Solved

PPTP VPN connection established but can't ping remote network.

Posted on 2007-04-10
Last Modified: 2013-11-16
Hello experts,

I'm having a problem with a VPN connection that was working fine a couple of days ago. I'm using a 3com VPN Firewall that is set up as a PPTP VPN server to allow remote users to log in.

This is the problem: the users can connect to the VPN without any problems but they cannot reach anything on the remote network. The logs show that the remote clients get an IP address on my network. I cannot ping that IP address while they are connected. The remote clients cannot ping anything on my network by IP address. Everything was working fine a couple of days ago. Nothing that I know of was changed on either side of the connection. They are connecting fine, just can't reach anything. I tried completely disabling the firewall, deleting and then re-adding the login names - no luck.

Please help. What could be the problem?
Steven.
Question by:wdunski
11 Comments
 
LVL 2

Author Comment

by:wdunski
ID: 18884345
Here's what I see in the firewall's logs:
Apr 10 14:01:04 localhost kernel: PPTP Server: Remote user lawess1 has logged in. IP address 200.1.1.82 has been leased

and then when I asked them to disconnect:
Apr 10 14:02:26 localhost kernel: PPTP Server: Remote user lawess1 has logged out. IP address 200.1.1.82 has been released
0
 
LVL 2

Expert Comment

by:couritech
ID: 18884517
Have you enabled ICMP in the local area connections properties on the client side? It may be you can ping them but the client quashes the response because of the rule to disallow ICMP ping on the client side NIC? Try to enable one and then see if you are getting a response. Since you get an IP - most likely this is the reason for no ping (it's talking - you just can't see the communications).

If you aren't getting a successful ping after allowing for it then the traffic is being stopped at the router most likely. Check the router interface then (log in) and select to allow the ping response for ICMP echo. Try to ping the router? Any luck there means you are talking and hearing - look at your VPN setup to be sure it hasn't changed the IP ports being used.

It is also possible if you are using McAfee, Norton or Zone Alarm that over the past few days they have locked down the program with an update (mine has done just that for McAfee just last week and I had to reset my corporate version to allow for specific port traffic for my VPN port even though this had previously been set up as a rule).
0
 
LVL 2

Author Comment

by:wdunski
ID: 18884679
I just called the client and they have no antivirus/internet security software running on their end. The connection was working fine a couple of days ago and then suddenly stopped working. Nothing to my knowledge was changed on either side. This beats me.
0
 
LVL 2

Expert Comment

by:couritech
ID: 18884734
They really need to allow for ICMP packets on the client machine to test the setup correctly (has this been allowed in Local Area Connection at the client end?)

BTW - I only assume you have two static IP addresses... do you have a dyndns program maintaining port status for dynamic IP endpoint connections instead? If so, have you logged in lately to check the status of the account (most must be visited every 90 days to remain active).
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18885103
A common cause for successful VPN connection but inability to ping is the local subnets at the two sites are the same. They must be different for routing to take place. However, you say it was working before, so perhaps this is not the case.
What is also interesting is the IP assigned to the client. This would usually be a private IP, the 200.x.x.x above is a public IP range. Is this what you are using as a LAN subnet?
0
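The two checks raised in the comment above (overlapping LAN subnets at the two sites, and a leased address outside the private ranges), as an added example that is not part of the original thread. It parses lease entries in the log format the asker posted; the second sample log line, both LAN subnets and all function names are assumptions made for illustration, since the thread never states the actual subnets.

```python
import ipaddress
import re

# RFC 1918 private ranges, listed explicitly (ipaddress.is_private covers more).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LEASE_RE = re.compile(
    r"PPTP Server: Remote user (\S+) has logged in\. "
    r"IP address (\d{1,3}(?:\.\d{1,3}){3}) has been leased")

# First line is the log entry quoted in the thread; the second is constructed.
SAMPLE_LOG = """\
Apr 10 14:01:04 localhost kernel: PPTP Server: Remote user lawess1 has logged in. IP address 200.1.1.82 has been leased
Apr 10 14:05:11 localhost kernel: PPTP Server: Remote user example_user has logged in. IP address 192.168.1.50 has been leased
"""


def parse_leases(log_text):
    """Return (user, IPv4Address) for every 'logged in ... leased' entry."""
    return [(m.group(1), ipaddress.ip_address(m.group(2)))
            for m in LEASE_RE.finditer(log_text)]


def check_lease(ip, server_lan, client_lan):
    """Flag the conditions raised in the thread for one leased address."""
    server_lan = ipaddress.ip_network(server_lan)
    client_lan = ipaddress.ip_network(client_lan)
    findings = []
    if not any(ip in net for net in RFC1918):
        findings.append("lease-not-rfc1918")
    if ip not in server_lan:
        findings.append("lease-outside-server-lan")
    if server_lan.overlaps(client_lan):
        findings.append("lan-subnets-overlap")
    return findings


def audit(log_text, server_lan, client_lan):
    """Map each user to the findings for the address they were leased."""
    return {user: check_lease(ip, server_lan, client_lan)
            for user, ip in parse_leases(log_text)}


if __name__ == "__main__":
    # Both subnets are assumed values; the thread does not state them.
    for user, findings in audit(SAMPLE_LOG, "200.1.1.0/24", "192.168.1.0/24").items():
        print(user, findings or ["ok"])
```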
 

Expert Comment

by:raindave
ID: 18885506
I was wondering the same thing about the public IP, never seen a VPN client receive a routable address, shouldn't it be something closer to 192.168.x.x or 10.1.x.x and 172.16.x.x?
0
 
LVL 2

Expert Comment

by:couritech
ID: 18885551
I assumed (maybe wrongly) that you have a class C subnet purchased as do we for the public IP and you are statically assigning based on that? If you aren't, then I agree with raindave and Robwill, you should be seeing a private IP on the client and not seeing a public IP endpoint?
0
 
LVL 2

Author Comment

by:wdunski
ID: 18885976
I fixed it! I reset the VPN Firewall back to its factory defaults, upgraded the firmware to the newest available, and rebuilt the config and it works!

This was probably the strangest problem I've come across... I'm guessing it must have been a bug in the outdated firmware I was running (which worked perfectly fine up until a few days ago!).
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18886016
Odd, but glad to hear you have resolved.
Thank you for updating.
Cheers !
--Rob
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19421679
PAQed with points refunded (500)

Computer101
EE Admin
0
