
I have 2 people who get an error 721 if either one of the 2 people is connected.


I have 2 people who authenticate to a Windows 2000 VPN server. Both client systems are Windows XP. I have them set up to connect via a unique static IP address, which works fine if one or the other is not connected. If either one is connected, the other one gets an error 721. No one else of the potential 18 VPN users has any problems. Do you have any suggestions as to what can cause this? All help greatly appreciated!

Could it be a duplicate computer name?
Robert Sutton Jr, Senior Network Manager

There could be a few different reasons, but I'm thinking you are using PPTP? Is this correct? If so, read below...

> ports 1723 and 47
It's not port 47, it is protocol #47, GRE that needs to be forwarded. Since GRE has no concept of ports, you can't forward it to an inside host on the low-end routers like the Netopia.

Microsoft VPN Network Server

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.

Setting up VPN server behind ICS system:


VPN w/ 2003 Server

Please read this post:
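
The Microsoft and Cisco passages quoted above can be seen in a small model. This is an added example, not part of the thread or of any vendor's code: the `Pat` class, the addresses and the port numbers are constructed, and it models a purely port-based translator with no PPTP-specific handling.

```python
from dataclasses import dataclass, field

TCP, GRE = 6, 47  # IP protocol numbers; the PPTP control channel is TCP port 1723


@dataclass
class Pat:
    """Hypothetical port-address translator that tracks flows by port only."""
    public_ip: str
    next_port: int = 40000
    out: dict = field(default_factory=dict)   # inside flow -> public-side flow
    back: dict = field(default_factory=dict)  # public-side flow -> inside host

    def outbound(self, proto, src_ip, dst_ip, src_port=None, dst_port=None):
        """Return the public-side flow key, or None if it cannot be kept unique."""
        if proto == TCP:
            key = (proto, src_ip, src_port, dst_ip, dst_port)
            if key not in self.out:
                # The source port is rewritten, so every inside flow stays distinct.
                pub = (proto, self.public_ip, self.next_port, dst_ip, dst_port)
                self.next_port += 1
                self.out[key] = pub
                self.back[pub] = (src_ip, src_port)
            return self.out[key]
        # GRE carries no ports: only the addresses are left to build a key from.
        pub = (proto, self.public_ip, dst_ip)
        owner = self.back.setdefault(pub, src_ip)
        return pub if owner == src_ip else None

    def inbound(self, pub):
        """Map a reply arriving on the public side back to an inside host."""
        return self.back.get(pub)


def demo():
    """Two inside clients (constructed addresses) tunnel to the same VPN server."""
    nat, server = Pat("203.0.113.1"), "198.51.100.5"
    a, b = "192.168.1.10", "192.168.1.11"
    tcp_a = nat.outbound(TCP, a, server, 1035, 1723)
    tcp_b = nat.outbound(TCP, b, server, 1035, 1723)
    gre_a = nat.outbound(GRE, a, server)
    gre_b = nat.outbound(GRE, b, server)  # same key as gre_a, different owner
    return tcp_a, tcp_b, gre_a, gre_b, nat.inbound(gre_a)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both control connections get their own translated port, while the second client's GRE flow maps to a key the first client already owns, so its return traffic has nowhere unambiguous to go.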


Hi jlanderson1, the computer names are different.

Hi Warlock, if there was any problem with the GRE or 1723 port which is open on both as all other VPN users can connect fine. The 2 people in question are only denied when one or the other individual is already connected. I also have more PPTP ports available than I have users, so that would not be an issue either. Do you have any other suggestions?
Senior Network Manager
Map them to different ports? I would try anything at this point, but I'm still leaning towards PPTP with the error 721.


Although the problem was not about ports, it did have to do with PPTP in that the VPN connection was set for Automatic and not PPTP as it was supposed to be.  This seemed to have solved the problem.
Robert Sutton Jr, Senior Network Manager

I'm glad I could point you in the right direction. Typically any 721 error points to PPTP. If it wasn't evident at first look, always go back and double check the settings... I'm glad you have it working now.


Thanks again!
