VPN Confusion

Posted on 2007-11-29
Last Modified: 2010-04-12
OK, we have RRAS set up on a W2K server and all has been working fine. We have a Bristol office with clients that connect to the above-mentioned server. All of a sudden one of these clients has ceased to connect to the server, hanging when it reaches 'Verifying username and password'. All of the other clients, which reside behind the same router, connect fine. It is also possible to connect to the server from any unrelated PC. Now, to make this even more confusing, the same problem client will connect to any other site via VPN without a hitch. Please help me as this is driving me insane :)
Question by:m1ndg4m3
LVL 77

Expert Comment

by:Rob Williams
ID: 20378438
When the connection fails they should get an error with a number such as 800, 721, etc. Do you know what the error number is?

Author Comment

ID: 20381176
Yes the error is 721 which relates to a GRE problem.
LVL 77

Expert Comment

by:Rob Williams
ID: 20381634
Interesting, especially since the client can connect to another VPN. As you mentioned, 721 is a GRE issue and is usually caused by:
- the client ISP does not support (or blocks) GRE traffic. This is not common, but it does occasionally happen and most often it is with residential accounts. You could call the ISP and verify, though the standard answer seems to be “we do not block any traffic”.
- the client's hardware (modem, or more likely router) does not support VPN pass-through. Most newer units are fine, but many older units and even some new units such as some D-Links do not support it. I would try another router or at least verify the specs. You could also bypass the router as a test, but make sure the Windows firewall is enabled and Windows and virus updates are current.
- if the user has a modem that is a combined modem and router, as well as a router, you may have a dual NAT configuration. This can block GRE or have the same effect. Try bypassing the router and connecting to the modem directly.
- most software firewalls on client machines allow all outgoing traffic, as does the Windows firewall, but some do not.
- there are some security applications that will block GRE on the client machine, such as Symantec’s anti-virus with “Internet worm protection” enabled, TrendMicro’s OfficeConnect, and Windows One Care.

Can anyone else connect from the same site as the one client with the problem? If not, make sure the subnet at that site is different from the primary site.

Author Comment

ID: 20381724
OK, I have been doing my own research also. Could it be that the router does not support multiple VPN pass-through? What we are doing here is to try and connect 3 PCs to the same server through the same router. Now, as I understand it, the outgoing will be fine, but when the GRE signal comes back, surely it will be confused as to where to send that information, as all the PCs are talking to the same server using NAT? When I say that it works fine when connecting to another server, could this be OK as it is connecting to another endpoint and the returning traffic would not be confused by NAT?
LVL 77

Expert Comment

by:Rob Williams
ID: 20381855
Multiple software VPN clients all connecting to the same remote site from the same location is a common problem for 2 reasons.
- I think I am safe in saying all routers have a limit as to the number of simultaneous VPN pass-through tunnels they can support. The limits I have seen run from 1 to 10 and it varies from router to router. Research may tell you how many your model supports. This is why one would usually create a site-to-site VPN in this case, so that all users can seamlessly connect at the same time. There is also the advantage that they do not have to manually start the connection. As a result the tunnel is always available and group policy and logon scripts can be applied.
- The other issue is all clients are connecting from the same public IP. The VPN server receives the packets but does not know to which client to return the packet. The workaround for this is NAT-T (Network Address Translation - Traversal). Depending on what you are using for a VPN server it may not support NAT-T. Server 2003 does not, but for some reason it works on occasion. This in no way hinders multiple users connecting to multiple sites; only the above would affect that.

Can you shut down the other VPN users and try connecting only the problem user? This would help to isolate the problem.
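The two expert comments above describe why error 721 is a GRE problem and why several PPTP clients behind one NAT router collide on the return path. The following is an added example, not code from the thread or from any product mentioned in it: a toy Python model of a router's NAT table that keys TCP flows on port numbers but, for GRE (IP protocol 47, which has no ports), can only key on the PPTP Call ID if it has a PPTP-aware ALG. The GRE header layout follows RFC 2637; the server address, client addresses, Call IDs and the simplified ALG behaviour are constructed for illustration.

```python
"""Toy model: three PPTP clients behind one NAT, with and without a PPTP ALG."""
import struct

GRE_PROTO_PPP = 0x880B  # protocol type carried in PPTP's enhanced GRE header


def build_pptp_gre(call_id, payload, seq=None):
    """Build an RFC 2637 GRE header: K flag always set, S flag when a seq is given."""
    flags = 0x20 | (0x10 if seq is not None else 0)  # K = 0x20, S = 0x10
    hdr = struct.pack("!BBHHH", flags, 0x01, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Parse the header back out; the Call ID is the only demux field GRE offers."""
    flags, ver, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    if ver & 0x07 != 1 or proto != GRE_PROTO_PPP or not flags & 0x20:
        raise ValueError("not a PPTP GRE packet")
    off, seq = 8, None
    if flags & 0x10:                      # S flag: sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if ver & 0x80:                        # A flag: acknowledgement number present
        off += 4
    return {"call_id": call_id, "seq": seq, "payload": pkt[off:off + length]}


class ToyNat:
    """Port-based NAT. Table keys mirror what the router can actually see:
       TCP/UDP:         (proto, server, public_port)    -> (client, private_port)
       GRE, no ALG:     ("gre", server)                 -> (client, call_id)  one tunnel per server
       GRE, PPTP ALG:   ("gre", server, public_call_id) -> (client, private_call_id)
    """

    def __init__(self, pptp_alg=False):
        self.pptp_alg = pptp_alg
        self.table = {}
        self.next_public = 40000  # constructed: next free public port / Call ID

    def outbound(self, client, proto, ident, server):
        """Record an outbound flow and return the identifier the server will see."""
        if proto in ("tcp", "udp") or (proto == "gre" and self.pptp_alg):
            pub = self.next_public
            self.next_public += 1
            self.table[(proto, server, pub)] = (client, ident)   # ALG rewrites the Call ID
            return pub
        if proto != "gre":
            raise ValueError(proto)
        # Plain NAT: nothing to key on, so the newest tunnel to this server
        # silently overwrites the mapping for every earlier one.
        self.table[("gre", server)] = (client, ident)
        return ident

    def inbound(self, proto, server, ident):
        """Map a reply from `server` back to (client, private ident), or None."""
        if proto in ("tcp", "udp") or self.pptp_alg:
            return self.table.get((proto, server, ident))
        return self.table.get((proto, server))


def simulate(pptp_alg):
    """Three clients open PPTP tunnels to one server through one router.
    Returns the clients whose GRE return traffic reaches them."""
    nat = ToyNat(pptp_alg)
    server = "203.0.113.10"                                   # constructed RRAS address
    clients = {"192.168.1.11": 7, "192.168.1.12": 9, "192.168.1.13": 7}  # client-chosen Call IDs
    public_ids = {}
    for client, call_id in clients.items():
        nat.outbound(client, "tcp", 50000, server)            # TCP/1723 control channel: always fine
        public_ids[client] = nat.outbound(client, "gre", call_id, server)
    delivered = []
    for client in clients:
        # The server echoes the Call ID it was told (the public one) in each GRE packet.
        pkt = build_pptp_gre(public_ids[client], b"\xff\x03\xc2\x23", seq=1)
        hit = nat.inbound("gre", server, parse_pptp_gre(pkt)["call_id"])
        if hit and hit[0] == client:
            delivered.append(client)
    return delivered


if __name__ == "__main__":
    print("without PPTP ALG:", simulate(False))  # only the last tunnel survives
    print("with PPTP ALG:   ", simulate(True))   # all three clients get their traffic
```

Without the ALG the control channel on TCP/1723 completes for every client, which is why the failing client gets as far as 'Verifying username and password': PPP authentication rides inside GRE, and that is the first traffic the router can no longer return to the right host. The model also shows why the ALG has to rewrite Call IDs rather than merely read them, since two clients (.11 and .13) picked the same one.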

Author Comment

ID: 20381912
This is the problem. A site-to-site VPN solution using Watchguard hardware was what I originally advised the customer to implement, as this method had never posed a problem to me. But unfortunately they went with the advice of their in-house 'IT' guy. As a result they are now having problems which I have to deal with, he he. Rather than wasting any further time with the current situation I will now go back to them and tell them 'I told you so' (in a professional way of course) and make them see that my initial proposal was the best way. Thanks for all your help Rob, you clarified all that I was thinking and it was great to get that second opinion.
LVL 77

Accepted Solution

Rob Williams earned 500 total points
ID: 20381983
Very welcome. Site-to-site is always the best answer for multiple users at one site. The other is fraught with problems. It's also more secure and gives better performance. Software clients are best for single home users or mobile clients.
Watchguard is an excellent choice too.
If budget is a problem the Linksys RV042's are about $200 each and no licensing fees. They are actually very dependable. They have a less expensive unit, I believe the BEFVP41 but it's not considered to be a commercial unit.
Good luck with it.
LVL 77

Expert Comment

by:Rob Williams
ID: 20382321
Thanks m1ndg4m3.
Cheers !
