VPN Confusion

OK, we have RRAS set up on a W2k server and all has been working fine. We have a Bristol office with clients that connect to the above-mentioned server. All of a sudden one of these clients has ceased to connect to the server, hanging when it reaches the 'Verifying username and password'. All of the other clients, that reside behind the same router, connect fine. It is also possible to connect to the server from any unrelated PC. Now to make this even more confusing, the same problem client will connect to any other site via VPN without a hitch. Please help me as this is driving me insane :)

Rob Williams Commented:
When the connection fails they should get an error with a number such as 800, 721, etc. Do you know what the error number is?
m1ndg4m3 (Author) Commented:
Yes the error is 721 which relates to a GRE problem.
Rob Williams Commented:
Interesting, especially since the client can connect to another VPN. As you mentioned, 721 is a GRE issue and is usually caused by:
- the client ISP does not support (or blocks) GRE traffic. This is not common but it does occasionally happen and most often it is with residential accounts. You could call the ISP and verify, though the standard answer seems to be “we do not block any traffic”.
- the client's hardware (modem, or more likely router) does not support VPN pass-through. Most newer units are fine, but many older units and even some new units such as some D-Links do not support it. I would try another router or at least verify the specs. You could also bypass the router as a test, but make sure the Windows firewall is enabled and Windows and virus updates are current.
- if the user has a modem that is a combined modem and router, as well as a router, you may have a dual NAT configuration. This can block GRE or have the same effect. Try bypassing the router and connecting to the modem directly.
- most software firewalls on client machines allow all outgoing traffic, as does the Windows firewall, but some do not.
- there are some security applications that will block GRE on the client machine, such as Symantec’s anti-virus with “Internet worm protection” enabled, TrendMicro’s OfficeConnect, and Windows One Care.

Can anyone else connect from the same site as the one client with the problem? If not, make sure the subnet at that site is different than the primary site.
m1ndg4m3 (Author) Commented:
OK, I have been doing my own research also. Could it be that the router does not support multiple VPN passthrough? What we are doing here is to try and connect 3 PCs to the same server through the same router. Now as I understand it the outgoing will be fine, but when the GRE signal comes back, surely it will be confused as to where to send that information as all the PCs are talking to the same server using NAT? When I say that it works fine when connecting to another server, could this be OK as it is connecting to another endpoint and the returning traffic would not be confused by NAT?
Rob Williams Commented:
Multiple software VPN clients all connecting to the same remote site from the same location is a common problem for 2 reasons.
- I think I am safe in saying all routers have a limit as to the number of simultaneous VPN pass-through tunnels they can support. The limits I have seen run from 1 to 10 and it varies from router to router. Research may tell you how many your model supports. This is why one would usually create a site-to-site VPN in this case so that all users can seamlessly connect at the same time. There is also the advantage that they do not have to manually start the connection. As a result the tunnel is always available and group policy and logon scripts can be applied.
- The other issue is all clients are connecting from the same public IP. The VPN server receives the packets but does not know to which client to return the packet. The workaround for this is NAT-T (Network Address Translation - Traversal). Depending on what you are using for a VPN server it may not support NAT-T. Server 2003 does not, but for some reason it works on occasion. This in no way hinders multiple users connecting to multiple sites, only the above would affect that.

Can you shut down the other VPN users and try connecting only the problem user? This would help to isolate the problem.
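
An added illustration, not part of the thread: a small model of the return-path question raised in the two comments above, showing how a NAT router chooses the inside host for returning GRE packets. The `GreNat` class, the IP addresses and the Call IDs are constructed for this example; it assumes each client uses a distinct PPTP Call ID and compares a router that keys only on protocol and remote IP with one that also tracks the Call ID.

```python
# Added example: constructed model of how a NAT router picks the inside host
# for returning GRE (IP protocol 47). All IPs and Call IDs are sample values.
from dataclasses import dataclass, field

GRE = 47  # IP protocol number carried by PPTP data packets


@dataclass
class GreNat:
    """call_id_aware=True models a router with PPTP pass-through that also
    tracks the Call ID from the PPTP enhanced GRE header (RFC 2637)."""
    call_id_aware: bool
    table: dict = field(default_factory=dict)

    def _key(self, server_ip, call_id):
        # GRE has no ports, so a basic NAT can key only on protocol + remote IP.
        if self.call_id_aware:
            return (GRE, server_ip, call_id)
        return (GRE, server_ip)

    def outbound(self, client_ip, server_ip, call_id):
        # First inside host to use a key owns it; later hosts do not replace it.
        self.table.setdefault(self._key(server_ip, call_id), client_ip)

    def inbound(self, server_ip, call_id):
        # Reply arrives at the shared public IP: which inside host gets it?
        return self.table.get(self._key(server_ip, call_id))


def simulate(call_id_aware, sessions):
    """sessions: (client_ip, server_ip, call_id) tuples, assumed to use
    distinct Call IDs. Returns {(client, server): reply_reaches_client}."""
    nat = GreNat(call_id_aware)
    result = {}
    for client_ip, server_ip, call_id in sessions:
        nat.outbound(client_ip, server_ip, call_id)
        result[(client_ip, server_ip)] = nat.inbound(server_ip, call_id) == client_ip
    return result


SESSIONS = [  # three PCs to the same server, then one PC to another site
    ("192.168.1.10", "203.0.113.5", 101),
    ("192.168.1.11", "203.0.113.5", 102),
    ("192.168.1.12", "203.0.113.5", 103),
    ("192.168.1.12", "198.51.100.7", 104),
]

if __name__ == "__main__":
    for aware in (False, True):
        print("call-id aware:", aware, simulate(aware, SESSIONS))
```

In the basic case the replies for the second and third PC are delivered to the first PC, so PPP authentication (which runs inside GRE) never completes for them, while the same PC reaches a different server without trouble because the remote IP differs.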
m1ndg4m3 (Author) Commented:
This is the problem. A site-to-site VPN solution using Watchguard hardware was what I originally advised the customer to implement as this method had never posed a problem to me. But unfortunately they went with the advice of their in-house 'IT' guy. As a result they are now having problems which I have to deal with, he he. Rather than wasting any further time with the current situation I will now go back to them and tell them 'I told you so' (in a professional way of course) and make them see that my initial proposal was the best way. Thanks for all your help Rob, you clarified all that I was thinking and it was great to get that second opinion.
Rob Williams Commented:
Very welcome. Site-to-site is always the best answer for multiple users at one site. The other is fraught with problems. It's also more secure and better performance. Software clients are best for single home users or mobile clients.
Watchguard is an excellent choice too.
If budget is a problem the Linksys RV042's are about $200 each and no licensing fees. They are actually very dependable. They have a less expensive unit, I believe the BEFVP41 but it's not considered to be a commercial unit.
Good luck with it.

Rob Williams Commented:
Thanks m1ndg4m3.
Cheers!
Question has a verified solution.