Solved

VPN Confusion

Posted on 2007-11-29
224 Views
Last Modified: 2010-04-12
Ok we have RRAS setup on a W2k server and all has been working fine. We have a Bristol office with clients that connect to the above mentioned server. All of a sudden one of these clients has ceased to connect to the server, hanging when it reaches 'Verifying username and password'. All of the other clients, that reside behind the same router, connect fine. It is also possible to connect to the server from any unrelated PC. Now to make this even more confusing, the same problem client will connect to any other site via VPN without a hitch. Please help me as this is driving me insane :)
Question by:m1ndg4m3
8 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20378438
When the connection fails they should get an error with a number such as 800, 721, etc. Do you know what the error number is?
0
 

Author Comment

by:m1ndg4m3
ID: 20381176
Yes the error is 721 which relates to a GRE problem.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20381634
Interesting, especially since the client can connect to another VPN. As you mentioned, 721 is a GRE issue and is usually caused by:
- the client ISP does not support (or blocks) GRE traffic. This is not common but it does occasionally happen and most often it is with residential accounts. You could call the ISP and verify, though the standard answer seems to be “we do not block any traffic”.
- the client's hardware (modem, or more likely router) does not support VPN pass-through. Most newer units are fine, but many older units and even some new units such as some D-Links do not support it. I would try another router or at least verify the specs. You could also bypass the router as a test, but make sure the Windows firewall is enabled and Windows and virus updates are current.
- if the user has a modem that is a combined modem and router, as well as a router, you may have a dual NAT configuration. This can block GRE or have the same effect. Try bypassing the router and connecting to the modem directly.
- most software firewalls on client machines allow all outgoing traffic, as does the Windows firewall, but some do not.
- there are some security applications that will block GRE on the client machine, such as Symantec’s anti-virus with “Internet worm protection” enabled, TrendMicro’s OfficeConnect, and Windows One Care.

Can anyone else connect from the same site as the one client with the problem? If not, make sure the subnet at that site is different from the primary site.
0
 

Author Comment

by:m1ndg4m3
ID: 20381724
Ok, I have been doing my own research also. Could it be that the router does not support multiple VPN pass-through? What we are doing here is to try and connect 3 PCs to the same server through the same router. Now as I understand it the outgoing will be fine, but when the GRE signal comes back, surely it will be confused as to where to send that information, as all the PCs are talking to the same server using NAT? When I say that it works fine when connecting to another server, could this be OK as it is connecting to another endpoint and the returning traffic would not be confused by NAT?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20381855
Multiple software VPN clients all connecting to the same remote site, from the same location, is a common problem for two reasons.
- I think I am safe in saying all routers have a limit as to the number of simultaneous VPN pass-through tunnels they can support. The limits I have seen run from 1 to 10 and it varies from router to router. Research may tell you how many your model supports. This is why one would usually create a site-to-site VPN in this case, so that all users can seamlessly connect at the same time. There is also the advantage that they do not have to manually start the connection. As a result the tunnel is always available and group policy and logon scripts can be applied.
- The other issue is all clients are connecting from the same public IP. The VPN server receives the packets but does not know to which client to return the packet. The work around for this is NAT-T (Network Address Translation - Traversal). Depending on what you are using for a VPN server it may not support NAT-T. Server 2003 does not, but for some reason it works on occasion. This in no way hinders multiple users connecting to multiple sites; only the above would affect that.

Can you shut down the other VPN users and try connecting only the problem user? This would help to isolate the problem.
0
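To make the second of Rob's two points concrete, here is an added Python model that is not part of the thread and is not code from Rob or the asker. It simulates three PPTP clients behind one router dialling the same server. PPTP data travels in GRE (IP protocol 47), which has no ports; per RFC 2637 the GRE Key field carries the receiving peer's Call ID. A router that only tracks addresses and ports keeps one entry per server, so every returning GRE packet lands on whichever client sent last, and the others hang at "Verifying username and password". A router with a PPTP helper (what the thread calls "VPN pass-through"; the mechanism for PPTP is Call ID tracking rather than the IPsec NAT-T Rob mentions) rewrites each client's Call ID to a router-unique value and demultiplexes replies by it. All addresses and Call IDs below are constructed; the NAT classes are a simplified model, not real router code.

```python
"""Model of GRE/PPTP return-path ambiguity behind NAT (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Gre:
    """One PPTP data packet. RFC 2637: the GRE Key field holds the *receiver's*
    Call ID; there are no port numbers for a NAT to key on."""
    src: str
    dst: str
    call_id: int


class PortOnlyNat:
    """Router without PPTP awareness: it can only remember 'inside host X is
    talking GRE to server Y', giving one table entry per server (last sender wins)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.gre_table: Dict[str, str] = {}   # server ip -> inside client ip

    def register_call(self, client: str, server: str, call_id: int) -> int:
        return call_id                        # no control-channel inspection

    def outbound(self, pkt: Gre) -> Gre:
        self.gre_table[pkt.dst] = pkt.src     # overwrites any earlier client
        return replace(pkt, src=self.public_ip)

    def inbound(self, pkt: Gre) -> Optional[Gre]:
        inside = self.gre_table.get(pkt.src)
        return None if inside is None else replace(pkt, dst=inside)


class PptpAlgNat(PortOnlyNat):
    """Router with a PPTP helper: it rewrites each client's Call ID on the
    TCP/1723 control channel to a router-unique value and routes returning
    GRE packets by that value."""

    def __init__(self, public_ip: str) -> None:
        super().__init__(public_ip)
        self.next_id = 1
        self.by_public: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def register_call(self, client: str, server: str, call_id: int) -> int:
        public_id = self.next_id
        self.next_id += 1
        self.by_public[(server, public_id)] = (client, call_id)
        return public_id                      # the value the server will put in GRE Key

    def inbound(self, pkt: Gre) -> Optional[Gre]:
        entry = self.by_public.get((pkt.src, pkt.call_id))
        if entry is None:
            return None                       # unknown call: dropped
        client, original_id = entry
        return Gre(src=pkt.src, dst=client, call_id=original_id)


def simulate(nat_cls) -> Dict[str, bool]:
    """Three clients behind one router dial the same server (constructed
    addresses). Returns, per client, whether the server's first GRE reply
    reached the client that placed the call."""
    server, public_ip = "203.0.113.10", "198.51.100.1"
    nat = nat_cls(public_ip)
    clients = ["192.168.1.11", "192.168.1.12", "192.168.1.13"]
    # Each client allocates its own Call ID independently, so collisions such
    # as all three picking 100 are realistic (constructed value).
    server_side_id: Dict[str, int] = {}
    # Phase 1: every client brings up its control channel and sends GRE out.
    for client in clients:
        server_side_id[client] = nat.register_call(client, server, 100)
        nat.outbound(Gre(src=client, dst=server, call_id=200))  # 200 = server's Call ID
    # Phase 2: the server answers each call using the Call ID it was told.
    result: Dict[str, bool] = {}
    for client in clients:
        reply = nat.inbound(Gre(src=server, dst=public_ip, call_id=server_side_id[client]))
        result[client] = reply is not None and reply.dst == client
    return result


if __name__ == "__main__":
    print("port-only NAT:", simulate(PortOnlyNat))   # only the last client succeeds
    print("PPTP-aware NAT:", simulate(PptpAlgNat))   # all three succeed
```

With the port-only router only the last client to send gets its reply; the other two see exactly the symptom in the question. Shutting down the other users, as Rob suggests, removes the collision and is a quick way to confirm this is the cause before replacing the router or moving to a site-to-site tunnel.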
 

Author Comment

by:m1ndg4m3
ID: 20381912
This is the problem. A site-to-site VPN solution using Watchguard hardware was what I originally advised the customer to implement, as this method had never posed a problem to me. But unfortunately they went with the advice of their in-house 'IT' guy. As a result they are now having problems which I have to deal with, he he. Rather than wasting any further time with the current situation I will now go back to them and tell them 'I told you so' (in a professional way of course) and make them see that my initial proposal was the best way. Thanks for all your help Rob, you clarified all that I was thinking and it was great to get that second opinion.
0
 
LVL 77

Accepted Solution

by: Rob Williams (earned 500 total points)
ID: 20381983
Very welcome. Site-to-site is always the best answer for multiple users at one site. The other is fraught with problems. It's also more secure and gives better performance. Software clients are best for single home users or mobile clients.
Watchguard is an excellent choice too.
If budget is a problem, the Linksys RV042s are about $200 each with no licensing fees. They are actually very dependable. They have a less expensive unit, I believe the BEFVP41, but it's not considered to be a commercial unit.
Good luck with it.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20382321
Thanks m1ndg4m3.
Cheers !
--Rob
0
