Cannot connect to VPN on Windows 2003 Enterprise R2 Server. Client receives VPN connection error 733. Server receives VPN event id 20050

When a user tries to connect using Windows XP, he gets as far as registering computer on the network, then: TCP/IP CP reported error 733: A connection to the remote computer could not be completed.  You might need to adjust the protocols on this computer.

On the server, Event 20050 occurs, saying The User DOMAIN\username connected to port VPN4-23 has been disconnected because no network protocols were successfully negotiated.

These errors occur whether we are attempting a connection from internal, or external, so it does not appear to be firewall related.

We updated a few nights ago, 4/22/2008, applying all Windows updates from the last month.
Prior to doing this, the VPN connection itself was working great.  We thought this was the culprit.

We have uninstalled all updates applied 4/22, and no change in the results.

Server: Windows 2003 Enterprise R2
Clients:  Windows XP Pro, Windows Vista Business

What troubleshooting steps should I take?

Which VPNs does the server offer, IPSEC+L2TP or PPTP? Check the networking tab of the WAN miniport settings to see which options are checked there and the TCP/IP protocol.  You may need to uncheck the enable LCP extensions.  What about compression?  Do you specifically specify a PPTP or L2TP connection?

pankis (Author) Commented:
The server appears to offer both.

I don't believe we specify a PPTP or L2TP connection.  They both appear to be available.

Can you tell me how to check the WAN miniport?  I'm not finding this.  (Newbie to VPN)

Under Administrative Tools > Routing and Remote Access > Ports Properties, it reads as follows:

Name                    Used By       Type     Number
WAN Miniport (L2TP)     RAS/Routing   L2TP     0
WAN Miniport (PPPOE)    Routing       PPPoE    1
WAN Miniport (PPTP)     RAS/Routing   Parallel 1


pankis (Author) Commented:
Let's try this again (ignore previous post of details):

The description of Administrative Tools > Routing and Remote Access > Ports Properties:
Name                     Used By        Type      Number
WAN Miniport (L2TP)      RAS/Routing    L2TP      0
WAN Miniport (PPPOE)     Routing        PPPoE     1
WAN Miniport (PPTP)      RAS/Routing    PPTP      24
Direct Parallel          Routing        Parallel  1


On the Windows XP or Vista system, in the network connections, you should have a WAN miniport for PPTP or L2TP (this is the VPN connection)?  See my prior comment for checking the settings on the client side.

pankis (Author) Commented:
On the XP side, here is what is checked under Network Connections > WAN Miniport > Properties:

(CHECKED) Display Progress while connecting
(CHECKED) Prompt for name and password, certificate, etc.
(UN-CHECKED) Include Windows Logon Domain

Redial attempts:  3
Time between redial attempts: 1 minute
Idle time before hanging up: never

There should be three other tabs there.  See options, security, networking and advanced.  Make sure your choices under each match what your server's configuration is.  Reference the prior comment ID:21412242.

How many PPTP tunnels can be established at one time on your server?
pankis (Author) Commented:
I think we need to troubleshoot this from a server perspective.  3 days ago 15 people could VPN into this server, no problem.  Then we installed Windows Updates (doh!), and they cannot.  After the updates were installed, Event ID 20050 began showing up in the logs, every time someone tried to connect.

Regarding connection settings on the client side XP machine, as you requested:

Options are posted in 21413130.

Security: Typical (require secured password) and "Require Data Encryption" are both selected.

Networking Protocol:

Type of VPN:  Automatic
All of the following are checked:  TCP/IP, QoS Packet Scheduler, File and Printer Sharing for Microsoft Networks, Client for Microsoft Networks.

Settings on the networking page? Enable LCP extensions checked or unchecked?  Which updates did you install?

Are you using certificate authentication?  There is no information to point to a single location where you should look to correct the issue. The two sides cannot agree on a protocol.
Try forcing the PPTP connection type under the Networking tab.

Check the security tab: which options are set? Are you using the default, or did you go through and specify a specific set of valid credential exchanges?

pankis (Author) Commented:
Setting on the networking page points to the VPN address, which is resolving in DNS.  LCP extensions is not available as an option, as this is not a dial-up connection.  Maybe I'm missing something?  I checked these on the XP client.

How can I tell if I am using certificate authentication?

Forced PPTP, 773 error.
Forced L2TP IPSec VPN, 789 error, reading "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

On security tab, I have kept everything as default.  It is Typical (recommended settings), Require Secure Password, and Require Data Encryption.

I will post the updates I installed and then uninstalled, in the next post.

Thanks for helping me through this, I am a little confused.
pankis (Author) Commented:
Updates that I installed 4/20/2008 are as follows.  

Everything was working prior to these!

They were uninstalled last night, but that didn't seem to help.

This is a "dial-up connection" of sorts.  The option is under the settings button on the Networking Tab.  

L2TP over IPSEC could have failed because it did not have the passphrase to establish the IPSEC tunnel.

In the properties of the WAN miniport there are five distinct tabs.  Under the networking there is the settings button that has additional choices.
Force your connection to use PPTP.  Are you able to connect?
Under the security tab you need to configure depending on what you have on the server.  You may have to specify using the advanced button on the security tab.
Do you need to specify IPSEC passphrase?  

Double check the status of Windows Firewall on the server.
You should apply the patches.

pankis (Author) Commented:
Okay, just got off the phone with the client (end users).  I believe the answer to your PPTP, security, etc., questions is answered in the feedback I got from them.  Basically, they've been able to run through the wizard, putting in the VPN server's address, and then connect.

They have been set up such that they can run the Windows New Connection Wizard, choose "Virtual Private Network" connection, tell it NOT to dial in, and then put in the Host Name, and click finish.

At this point, with these default settings, they've been able to connect.  Now they can't.

Would it be reasonable to re-create the VPN connection on the server?  

Nobody in the organization can connect right now anyway.
pankis (Author) Commented:
The techs who set the VPN up have fixed it.  Not sure of the solution.
