Solved

VPN Confusion

Posted on 2007-11-29
Last Modified: 2010-04-12
OK, we have RRAS set up on a W2k server and all has been working fine. We have a Bristol office with clients that connect to the above-mentioned server. All of a sudden one of these clients has ceased to connect to the server, hanging when it reaches 'Verifying username and password'. All of the other clients, which reside behind the same router, connect fine. It is also possible to connect to the server from any unrelated PC. Now to make this even more confusing, the same problem client will connect to any other site via VPN without a hitch. Please help me as this is driving me insane :)
Question by:m1ndg4m3
8 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20378438
When the connection fails they should get an error with a number such as 800, 721, etc. Do you know what the error number is?
 

Author Comment

by:m1ndg4m3
ID: 20381176
Yes the error is 721 which relates to a GRE problem.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20381634
Interesting, especially since the client can connect to another VPN. As you mentioned, 721 is a GRE issue and is usually caused by:
- The client ISP does not support (or blocks) GRE traffic. This is not common but it does occasionally happen, and most often it is with residential accounts. You could call the ISP and verify, though the standard answer seems to be “we do not block any traffic”.
- The client's hardware (modem, or more likely router) does not support VPN pass-through. Most newer units are fine, but many older units and even some new units such as some D-Links do not support it. I would try another router or at least verify the specs. You could also bypass the router as a test, but make sure the Windows firewall is enabled and Windows and virus updates are current.
- If the user has a modem that is a combined modem and router, as well as a router, you may have a dual NAT configuration. This can block GRE or have the same effect. Try bypassing the router and connecting to the modem directly.
- Most software firewalls on client machines allow all outgoing traffic, as does the Windows firewall, but some do not.
- There are some security applications that will block GRE on the client machine, such as Symantec’s anti-virus with “Internet worm protection” enabled, TrendMicro’s OfficeConnect, and Windows One Care.

Can anyone else connect from the same site as the one client with the problem? If not, make sure the subnet at that site is different than the primary site.
 

Author Comment

by:m1ndg4m3
ID: 20381724
OK, I have been doing my own research also. Could it be that the router does not support multiple VPN passthrough? What we are doing here is trying to connect 3 PCs to the same server through the same router. Now as I understand it the outgoing will be fine, but when the GRE signal comes back, surely it will be confused as to where to send that information, as all the PCs are talking to the same server using NAT? When I say that it works fine when connecting to another server, could this be OK as it is connecting to another endpoint and the returning traffic would not be confused by NAT?
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20381855
Multiple software VPN clients all connecting to the same remote site from the same location is a common problem for 2 reasons.
- I think I am safe in saying all routers have a limit as to the number of simultaneous VPN pass-through tunnels they can support. The limits I have seen run from 1 to 10 and it varies from router to router. Research may tell you how many your model supports. This is why one would usually create a site-to-site VPN in this case so that all users can seamlessly connect at the same time. There is also the advantage that they do not have to manually start the connection. As a result the tunnel is always available and group policy and logon scripts can be applied.
- The other issue is all clients are connecting from the same public IP. The VPN server receives the packets but does not know to which client to return the packet. The workaround for this is NAT-T (Network Address Translation - Traversal). Depending on what you are using for a VPN server it may not support NAT-T. Server 2003 does not, but for some reason it works on occasion. This in no way hinders multiple users connecting to multiple sites, only the above would affect that.

Can you shut down the other VPN users and try connecting only the problem user? This would help to isolate the problem.
0
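The return-path question raised in the two comments above can be modelled in a few lines. This is an added example, not part of the original thread, and it does not diagnose the router in question: PPTP's data channel is enhanced GRE (IP protocol 47), which has no ports but does carry a 16-bit Call ID. The two NAT classes, the host names and the addresses are hypothetical and constructed for illustration.

```python
import struct

PPTP_GRE = 0x880B                              # protocol type of PPTP's enhanced GRE (RFC 2637)
RRAS, OTHER = "203.0.113.5", "198.51.100.7"    # constructed server addresses

def gre(call_id, payload=b"ppp"):
    """Enhanced GRE header: flags/version (K bit, ver 1), protocol, payload length, Call ID."""
    return struct.pack("!HHHH", 0x2001, PPTP_GRE, len(payload), call_id) + payload

def call_id_of(packet):
    flags, proto, _length, call_id = struct.unpack("!HHHH", packet[:8])
    if flags & 0x7 != 1 or proto != PPTP_GRE:
        raise ValueError("not PPTP enhanced GRE")
    return call_id

class ServerKeyedNat:
    """Hypothetical pass-through that tracks GRE by remote IP only (GRE has no ports)."""
    def __init__(self):
        self.table = {}
    def learn(self, client, server, call_id):
        self.table.setdefault(server, client)      # first client keeps the slot
    def inbound(self, server, packet):
        return self.table.get(server)

class CallIdKeyedNat(ServerKeyedNat):
    """Hypothetical PPTP-aware NAT: also keys on the Call ID seen on the TCP 1723 control channel."""
    def learn(self, client, server, call_id):
        # Assumption: the clients' Call IDs are distinct; colliding IDs would need rewriting.
        self.table[(server, call_id)] = client
    def inbound(self, server, packet):
        return self.table.get((server, call_id_of(packet)))

def deliveries(nat):
    """Return {(intended client, server): client the NAT forwards the server's reply to}."""
    # Constructed flows: three PCs to the same RRAS server, one of them also to another site.
    flows = [("pc1", RRAS, 101), ("pc2", RRAS, 102), ("pc3", RRAS, 103), ("pc3", OTHER, 104)]
    for client, server, call_id in flows:
        nat.learn(client, server, call_id)
    return {(c, s): nat.inbound(s, gre(cid)) for c, s, cid in flows}

if __name__ == "__main__":
    for name, nat in (("server-keyed", ServerKeyedNat()), ("call-id-keyed", CallIdKeyedNat())):
        for (client, server), got in deliveries(nat).items():
            print(f"{name:14} {client}->{server:13} reply delivered to {got}")
```

With the server-keyed table, replies for every tunnel to the shared server go to whichever client connected first, while the tunnel to the other endpoint is unaffected; keying on the Call ID keeps the three tunnels apart.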
 

Author Comment

by:m1ndg4m3
ID: 20381912
This is the problem. A site-to-site VPN solution using Watchguard hardware was what I originally advised the customer to implement, as this method had never posed a problem to me. But unfortunately they went with the advice of their in-house 'IT' guy. As a result they are now having problems which I have to deal with, he he. Rather than wasting any further time with the current situation, I will now go back to them and tell them 'I told you so' (in a professional way of course) and make them see that my initial proposal was the best way. Thanks for all your help Rob, you clarified all that I was thinking and it was great to get that second opinion.
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 20381983
Very welcome. Site-to-site is always the best answer for multiple users at one site. The other is fraught with problems. It's also more secure and better performance. Software clients are best for single home users or mobile clients.
Watchguard is an excellent choice too.
If budget is a problem the Linksys RV042's are about $200 each and no licensing fees. They are actually very dependable. They have a less expensive unit, I believe the BEFVP41 but it's not considered to be a commercial unit.
Good luck with it.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20382321
Thanks m1ndg4m3.
Cheers !
--Rob
Question has a verified solution.
