Solved

Error 807 - VPN connection

Posted on 2007-11-23
29
17,258 Views
Last Modified: 2010-05-18
Hi,

I have windows server 2003. I could connect to remote servers overseas using VPN connection. I had no problem yesterday but today when I tried to connect, I kept getting error message:
"
Disconnected Error 806: a connection between your comuter and the VPN server has been established, but the VPN connection cannot be completed. The most command cause for this is that at least one internet device (for example firewall or router) between your computer and the VPN server is not configured to allow GRE protocal packets. Verify that protocal 47 GRE is allowed on all personal firewall devices or routers.."

No changes has happended to the router configuration and I am not sure why suddenly I can not connect?

Thanks in advance
0
Comment
Question by:shmz
  • 17
  • 12
29 Comments
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
806 error, or 807? I assume the former.
Though an 806 error can be GRE you are more likely to get a 721 error, I wouldn't focus on GRE to much as the problem, especially where it was working.
Have you added a software firewall at either site?
Have you changed the local subnet at either site?
Are you connecting from the same site?
Are you connecting using a wired or wireless connection. If wireless try wired.
Are you connecting to a domain name or an IP?
0
 

Author Comment

by:shmz
Comment Utility
806 error.
No changes has happened at this end.

I have to check for:
If they have added a software firewall at the other site and
if they have changed the local subnet at the other site?

what would be the solution if they have?



Thanks
0
 

Author Comment

by:shmz
Comment Utility
and I am connecting to an IP.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
The important thing about the subnets is they must be different at both sites, for example they both cannot use on their LAN's something like 192.168.0.x

Software firewall will definitely do it. A few apps that can have the same effect are Zone Alarm, Symantec or McAfee Security suites, Symantec Anti-virus with "Internet worm Protection" enabled, Windows Live One Care and Trend Micro's Office Connect (I think it's called Connect)

Can you verify if the remote connection is open using a telnet command:
telnet 66.66.66.66 1723

Are you connecting from the same site as the other day?
0
 

Author Comment

by:shmz
Comment Utility
Thanks Rob,

The remote connection is open.
I am connecting to the same site (IP address).
They think the problem may have been related to password being locked up. They reset a new password. I created a new vpn connection and tried to login but same 806 error.

I am not sure if this helps, since they have set up the VPN connection I have lost my access to our exchange site for web mail. I get the wrong username or password message. (and this was happening even when the VPN worked first time.)

I am going to ask about firewall software. Given that they did open VPN port, they might have installed new software. I let you know.


0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I am skeptical about the password. You should have received a different error code.

Do you loose the Exchange connection only while the VPN is connected? i.e is it fine other wise? If so where is the exchange server located. 1) If it is at the remote VPN site it is probably a DNS issue,. 2) If it is hosted elsewhere it is the default gateway option in the VPN client configuration.
Solutions:
1) Try moving the VPN adapter as the first adapter in the binding order. To do so go to; control panel | Network Connections | on the menu bar advanced | advanced settings | adapters and binding order
2)There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"
0
 

Author Comment

by:shmz
Comment Utility
before doing anything.
Th eperson who fixes the issues on the remote site has fixed the issue with logging to mail server. it is working fine now. I don't know what he has done, He think the issue may be related to the windows server 2003.

I could stablish a VPN connection from another machine running on XP using same username and password he provided me. Does this help to trace the problem?
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
>>"I could establish a VPN connection from another machine "
Was the machine at a different site?
The subnets at both sites must be different. If a different site perhaps that is the case.
Also some routers, and ISP's do not support VPN connections, but you were able to connect before.
Any software firewalls added to the connecting site with a problem?
0
 

Author Comment

by:shmz
Comment Utility
I used my colleague's XP machine from the other room to connect to the same IP, same username and password and it did work fine.

No, they told me they haven't installed anything. The only issue I had yesterday when we did the testing was not being able to ping their IP, the error message was: request timed out, but they fixed it and I could get response.

0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Very odd.

-Not replying to a ping is common. That is an enabled security feature.
-If a software firewall is enabled on the PC from which you are trying to connect that will often block the connection, as well as some of the other software mentioned above
-If you are trying to connect with a wireless connection, it may not work depending on the network adapter, encryption configuration, and/or driver
-Most often 2 users cannot connect from the same site

Other than that I am out of ideas.
Check the event log when you get the 806 error and see if there is a matching 2029 error. If so maybe it is a GRE problem. It is possible to test GR, but you need access to PC/Server at both ends. I don't know if that is an option for you. If so see below:

Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
0
 

Author Comment

by:shmz
Comment Utility
- The WS2003 Pc I use, have spybot and calmwin, I exit both of them before connecting. They didn't cause problem first time.
- I am ot suing Wireless connection.
- I am the only one who tries to connect to the remote server.
- The link yo provided is only for XP and does not run on WS2003.

- The GRE pass through must be happening as I can connect using computers running on XP. The only issue I experienced on this PC is error 721. If I disconnect the network cable (while VPN connection is stablished) then I keep getting error 721 and can not have VPN connection. I let the guy know at the other side but he is not providing much information about fixes. He just asked me to keep trying and then I could get connection. He also mentioned sometimes I may even need to restart my computer to get it working but I don't think that fixes the problem... Based on my experience I must disconnect it (rather than the connection breaks..) otherwise error 721 keep coming. I am not sure if this behavior helps in tracing the problem.? Could this be related to some sort of connection time out or usename lock out..?
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
You mention you keep getting the 721 error even though the cable is unplugged. Is this without trying to connect? If so it must being set to automatically try to reconnect. No chance their are 2 connections to the same site (in Network Connections) and 1 is already established, perhaps automatically?

To confirm, no other computers from this location are having problems?
And, there are no routers between you and the primary Internet router that are not in the path from the other PC's?
0
 

Author Comment

by:shmz
Comment Utility
NO, I don't get error 721 when cable is unplugged.

I explain what I did this morning.
I turned on the Windows XP. In view network connections, I could see the local area network connection icon (ON) and VPN connectionicon (OFF).
So I tried to stablish VPN connection and It all worked fine. I could connect to remote servers and could connect to remote databases using EM.
In the view network connections window, the VPN was ON and a new Internet gateway connection icon is also displayed in the list which is ON.

 I disconnected the VPN. Now I have three connections displayed in the list. The local area network (ON), VPN(off) and internet gateway(ON). If I try stablish VPN connection again, I get error 721 and I lost my database connections as well.

I don't know how this inetrnet gateway is working, and how I can disconnect and try to connect or if this is the cause of the problem...?
0
 

Author Comment

by:shmz
Comment Utility
One more thing.
I am told that on remote server (where I am trying to connect to)  the DHCP assigned IP address will expires in 12 hours. When I connect to their VPN again, I will get a new IP address which last for another 12 hour...
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:shmz
Comment Utility
Also in the status of Default gateway, the duration is 12 days.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
The Internet Gateway feature may well be causing the problem, and that is likely specific to your machine. This is only enabled manually in add/remove programs, or more likely by running the Networking Wizard. To remove go to: control panel | add/remove programs | Windows components | Networking services | Details | un-check Internet Gateway | save
If interested in details see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;821980&Product=winxp

12 hour lease is fine. There is always a limit. As for a new IP it depends if anyone else took it during the expired period. They are handed out in order.
0
 

Author Comment

by:shmz
Comment Utility
Sorry I don't have the XP machine for testing today and the setting may have been done in the past.

BUT the good news is that yesterday, I noticed I have three connections on my Windows 2003 server: 1394 connection(ON), local area connection(ON), VPN(off).
I turned off the 1394 and then I set  the VPN as default connection and It worked!!!...today when I tried to connect, again I got error 806....So, I tried to log in with a wrong password, and then another window poped up, notifying wrong password. When I entered the right password, I could get the connection!!!...how is that?...I am suspecious that this problem have something to do with the remote server recognizing users...(given that when they gave me VPN I started to have problem logging in to my web mail)....could this be somehow related to active drirectory....?
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Shouldn't have to disable 1394 connection that is for firewire, but won't hurt.

Odd that Active directory would authenticate once and not another time. It is possible you may have an MTU (Maximum Transfer Unit) size problem. This can lead to slow or dropped connections. It is recommended you change this on the connecting/client computer and when possible, it's local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP. There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
0
 

Author Comment

by:shmz
Comment Utility
strange, trying to find optimum size for MTU, if I go lower than 1464 I get 'request timed out'...
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Very odd. If standard Windows PPTP VPN it shouldn't work above 1430. This is usually set automatically but as you are doing, you can override it. It is occasionally necessary.
The typical symptoms for MTU issues are the VPN connects, but drops when you try to copy mid to large size files. Lowering it as low as 1260 shouldn't break it, but may improve stability at the expense of performance.
0
 

Author Comment

by:shmz
Comment Utility
if I ping www.dslreports.com -f -l 147 I can go as low as 1300 but when I ping the IP of our remote server, I get request timed out message on 1463.....?
0
 

Author Comment

by:shmz
Comment Utility
if I ping www.dslreports.com -f -l 1472
 I can go as low as 1300 but when I ping the IP of our remote server, I get request timed out message on 1463.....?
0
 

Author Comment

by:shmz
Comment Utility
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
Comment Utility
Interesting there is "overhead" when pinging, about 28 bytes so your 1464 + 28 is 1492, which is the setting for a PPPoE Internet connection. There must be some restriction somewhere between you and the remote end. I wonder if they are using a PPPoE and that is causing the problem with lowering. Afraid I don't know, but I'm surprised.

As for the Linksys suggestion, I have never heard of using trigger ports with a VPN. Regardless I assume that is for the receiving end, the remote site.
0
 

Author Comment

by:shmz
Comment Utility
The linksys router in our side is set to PPPoE by default.
0
 

Author Comment

by:shmz
Comment Utility
just correcting myself.....
using  ping xxx.xx.xx.xx -f -l 1472 , I can lower to 1463 (this is the IP of the remote side)
using ping www.xxxx.com -f -l 142, I can lower it to 1250.

0
 

Author Comment

by:shmz
Comment Utility
and my VPN connection is created using their IP.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I don't know why IP and domain name make a difference.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Thanks shmz.
Cheers !
--Rob
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

One of the Top 10  common Cisco VPN problems are not-matching shared keys. This is an easy one to fix, but not always easy to notice, see the case below. A simple IPsec tunnel between fast Ethernet interfaces of routers SW1 (f1/1) and R1(f0/0). …
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now