jmattson30
asked on
I have 2 people who get an error 721 if either one of the 2 people are connected.
HI,
I have 2 people who authenticate to a Windows 2000 VPN server. Both client systems are Windows XP. I have them set up to connect via a unique static IP address, which works fine if one or the other is not connected. If either one is connected, the other one gets an error 721. No one else of the potential 18 VPN users have any problems. Do you have any suggestions as to what can cause this? All help greatly appreciated!
I have 2 people who authenticate to a Windows 2000 VPN server. Both client systems are Windows XP. I have them set up to connect via a unique static IP address, which works fine if one or the other is not connected. If either one is connected, the other one gets an error 721. No one else of the potential 18 VPN users have any problems. Do you have any suggestions as to what can cause this? All help greatly appreciated!
jlanderson1
Could it be a duplicate computer name?
There could be a few different reasons, but im thinking you are using PPTP? Is this correct? If so, read below...
> ports 1723 and 47
It's not port 47, it is protocol #47, GRE that needs to be forwarded. Since GRE has no concept of ports, you can't forward it to an inside host on the low-end routers like the Netopia.
Microsoft VPN Network Server
Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable
From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.
Setting up VPN server behind ICS system:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B309524
References:
http://www.labmice.net/networking/vpn.htm
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/intwork/inbe_vpn_hidv.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0103.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/tips/15tipsfo.asp
VPN w/ 2003 Server
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
Please read this post:
https://www.experts-exchange.com/questions/21104260/Error-721-VPN-from-XP-desktop-to-Win2k-SBS-Server.html
> ports 1723 and 47
It's not port 47, it is protocol #47, GRE that needs to be forwarded. Since GRE has no concept of ports, you can't forward it to an inside host on the low-end routers like the Netopia.
Microsoft VPN Network Server
Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable
From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.
Setting up VPN server behind ICS system:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B309524
References:
http://www.labmice.net/networking/vpn.htm
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/intwork/inbe_vpn_hidv.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0103.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/tips/15tipsfo.asp
VPN w/ 2003 Server
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
Please read this post:
https://www.experts-exchange.com/questions/21104260/Error-721-VPN-from-XP-desktop-to-Win2k-SBS-Server.html
ASKER
Hi jlanderson1, The computer names are different.
Hi Warlock, if there was any problem with the Gre or 1723 port which is open on both as all other VPN uses can connect fine. The 2 people in question are only denied when one or the other individual is already connected. I also have more PPTP ports available than I have users, so that would not be an issue either. Do you have any others suggestions?
Hi Warlock, if there was any problem with the Gre or 1723 port which is open on both as all other VPN uses can connect fine. The 2 people in question are only denied when one or the other individual is already connected. I also have more PPTP ports available than I have users, so that would not be an issue either. Do you have any others suggestions?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Although the problem was not about ports, it did have to do with PPTP in that the VPN connection was set for Automatic and not PPTP as it was supposed to be. This seemed to have solved the problem.
Im glad I could point you in the right direction. Typically any 721 error points to PPTP. If it wasn't evident at first look, always go back and double check the settings.... Im glad you have it working now.
ASKER
Thanks again!