Solved

VPN Confusion

Posted on 2007-11-29
Last Modified: 2010-04-12
Ok, we have RRAS set up on a W2k server and all has been working fine. We have a Bristol office with clients that connect to the above-mentioned server. All of a sudden one of these clients has ceased to connect to the server, hanging when it reaches the 'Verifying username and password'. All of the other clients, that reside behind the same router, connect fine. It is also possible to connect to the server from any unrelated PC. Now to make this even more confusing, the same problem client will connect to any other site via VPN without a hitch. Please help me as this is driving me insane :)
0
Question by:m1ndg4m3
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20378438
When the connection fails they should get an error with a number such as 800, 721, etc. Do you know what the error number is?
0
 

Author Comment

by:m1ndg4m3
ID: 20381176
Yes the error is 721 which relates to a GRE problem.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20381634
Interesting, especially since the client can connect to another VPN. As you mentioned 721 is a GRE issue and is usually caused by:
- The client's ISP does not support (or blocks) GRE traffic. This is not common but it does occasionally happen and most often it is with residential accounts. You could call the ISP and verify, though the standard answer seems to be “we do not block any traffic”.
- The client's hardware (modem, or more likely router) does not support VPN pass-through. Most newer units are fine, but many older units and even some new units such as some D-Links do not support it. I would try another router or at least verify the specs. You could also bypass the router as a test but make sure the Windows firewall is enabled and Windows and virus updates are current.
- If the user has a modem that is a combined modem and router, as well as a router, you may have a dual NAT configuration. This can block GRE or have the same effect. Try bypassing the router and connecting to the modem directly.
- Most software firewalls on client machines allow all outgoing traffic, as does the Windows firewall, but some do not.
- There are some security applications that will block GRE on the client machine such as Symantec’s anti-virus with “Internet worm protection” enabled, TrendMicro’s OfficeConnect, and Windows One Care.

Can anyone else connect from the same site as the one client with the problem? If not, make sure the subnet at that site is different than the primary site.
0

 

Author Comment

by:m1ndg4m3
ID: 20381724
Ok, I have been doing my own research also. Could it be that the router does not support multiple VPN passthrough? What we are doing here is to try and connect 3 PCs to the same server through the same router. Now as I understand the outgoing will be fine, but when the GRE signal comes back, surely it will be confused as to where to send that information as all the PCs are talking to the same server using NAT? When I say that it works fine when connecting to another server, could this be ok as it is connecting to another endpoint and the returning traffic would not be confused by NAT?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20381855
Multiple software VPN clients all connecting to the same remote site, from the same location is a common problem for 2 reasons.
- I think I am safe in saying all routers have a limit as to the number of simultaneous VPN pass-through tunnels they can support. The limits I have seen run from 1 to 10 and it varies from router to router. Research may tell you how many your model supports. This is why one would usually create a site-to-site VPN in this case so that all users can seamlessly connect at the same time. There is also the advantage that they do not have to manually start the connection. As a result the tunnel is always available and group policy and logon scripts can be applied.
- The other issue is all clients are connecting from the same public IP. The VPN server receives the packets but does not know to which client to return the packet. The workaround for this is NAT-T (Network Address Translation - Traversal). Depending on what you are using for a VPN server it may not support NAT-T. Server 2003 does not, but for some reason it works on occasion. This in no way hinders multiple users connecting to multiple sites, only the above would affect that.

Can you shut down the other VPN users and try connecting only the problem user? This would help to isolate the problem.
0
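
An added example, not part of either post above: a simplified model of a NAT router's session table, showing why several PCs behind one public IP can collide on GRE to the same VPN server while a tunnel to a different server is unaffected. The addresses, Call IDs, and the `Nat` and `scenario` names are constructed for illustration; the `pptp_aware` case goes beyond the thread and assumes a router whose PPTP pass-through tracks the Call ID carried in the GRE header.

```python
# Simplified NAT session-table model (constructed example, not a real router).
GRE, TCP = 47, 6  # IP protocol numbers; PPTP uses TCP 1723 for control, GRE for data

class Nat:
    def __init__(self, pptp_aware=False):
        self.pptp_aware = pptp_aware
        self.table = {}         # inbound lookup key -> inside client IP
        self.next_port = 40000  # next public source port for TCP flows (arbitrary)

    def _gre_key(self, server, call_id):
        # GRE has no ports. A basic NAT can only key on (protocol, remote IP);
        # a PPTP-aware NAT also keys on the Call ID (simplified: treated as
        # already unique on the public side).
        return (GRE, server, call_id if self.pptp_aware else None)

    def outbound(self, client, proto, server, call_id=None):
        """Register an outgoing flow; False means another client owns the mapping."""
        if proto == GRE:
            key = self._gre_key(server, call_id)
        else:
            key = (proto, server, self.next_port)  # unique public port per flow
            self.next_port += 1
        return self.table.setdefault(key, client) == client

    def inbound_gre(self, server, call_id):
        """Inside client that a returning GRE packet is forwarded to."""
        return self.table.get(self._gre_key(server, call_id))

def scenario(pptp_aware):
    nat = Nat(pptp_aware)
    pc1, pc2 = "192.168.1.11", "192.168.1.12"          # constructed inside hosts
    server, other = "203.0.113.10", "198.51.100.20"    # constructed VPN endpoints
    return {
        # Control channels never collide: each gets its own public port.
        "ctrl_ok": nat.outbound(pc1, TCP, server) and nat.outbound(pc2, TCP, server),
        "pc1_gre_same_server": nat.outbound(pc1, GRE, server, call_id=1),
        "pc2_gre_same_server": nat.outbound(pc2, GRE, server, call_id=2),
        "pc2_gre_other_server": nat.outbound(pc2, GRE, other, call_id=3),
        # Where does the server's GRE reply to PC2 actually end up?
        "pc2_reply_delivered_to": nat.inbound_gre(server, call_id=2),
    }

if __name__ == "__main__":
    for aware in (False, True):
        print("pptp_aware =", aware, scenario(aware))
```

With `pptp_aware=False` the second PC's GRE mapping to the same server is refused and its replies are delivered to the first PC, while its TCP control channel and its tunnel to the other server both succeed.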
 

Author Comment

by:m1ndg4m3
ID: 20381912
This is the problem. A site-to-site VPN solution using Watchguard hardware was what I originally advised the customer to implement as this method had never posed a problem to me. But unfortunately they went with the advice of their in-house 'IT' guy. As a result they are now having problems which I have to deal with, he he. Rather than wasting any further time with the current situation I will now go back to them and tell them 'I told you so' (in a professional way of course) and make them see that my initial proposal was the best way. Thanks for all your help Rob, you clarified all that I was thinking and it was great to get that second opinion.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 20381983
Very welcome. Site-to-site is always the best answer for multiple users at one site. The other is fraught with problems. It's also more secure and gives better performance. Software clients are best for single home users or mobile clients.
Watchguard is an excellent choice too.
If budget is a problem the Linksys RV042's are about $200 each and no licensing fees. They are actually very dependable. They have a less expensive unit, I believe the BEFVP41 but it's not considered to be a commercial unit.
Good luck with it.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20382321
Thanks m1ndg4m3.
Cheers !
--Rob
0


Question has a verified solution.
