Cannot connect to VPN on Windows 2003 Enterprise R2 Server. Client receives VPN connection error 733. Server receives VPN event id 20050

When a user tries to connect using Windows XP, he gets as far as registering computer on the network, then: TCP/IP CP reported error 733: A connection to the remote computer could not be completed.  You might need to adjust the protocols on this computer.

On the server, Event 20050 occurs, saying The User DOMAIN\username connected to port VPN4-23 has been disconnected because no network protocols were successfully negotiated.

These errors occur whether we are attempting a connection from internal, or external, so it does not appear to be firewall related.

We updated a few nights ago, 4/22/2008, applying all Windows updates from the last month.
Prior to doing this, the VPN connection itself was working great.  We thought this was the culprit.

We have uninstalled all updates applied 4/22, and no change in the results.

Server: Windows 2003 Enterprise R2
Clients:  Windows XP Pro, Windows Vista Business

What troubleshooting steps should I take?
pankisAuthor Commented:
The techs who set the VPN up have fixed it.  Not sure of the solution.

Which VPNs does the server offer, IPSEC+L2TP or PPTP? Check the networking tab of the WAN miniport settings to see which options are checked there and the TCP/IP protocol.  You may need to uncheck the enable LCP extensions.  What about compression?  Do you specifically specify a PPTP or L2TP connection?
pankisAuthor Commented:
The server appears to offer both.

I don't believe we specify a PPTP or L2TP connection.  They both appear to be available.

Can you tell me how to check the WAN miniport?  I'm not finding this.  (Newbie to VPN)

Under Administrative Tools > Routing and Remote Access > Ports Properties, it reads as follows:

Name                    Used By       Type     Number
WAN Miniport (L2TP)     RAS/Routing   L2TP     0
WAN Miniport (PPPOE)    Routing       PPPoE    1
WAN Miniport (PPTP)     RAS/Routing   Parallel 1

pankisAuthor Commented:
Let's try this again (ignore previous post of details):

The description of Administrative Tools > Routing and Remote Access > Ports Properties:
Name                     Used By        Type      Number
WAN Miniport (L2TP)      RAS/Routing    L2TP      0
WAN Miniport (PPPOE)     Routing        PPPoE     1
WAN Miniport (PPTP)      RAS/Routing    PPTP      24
Direct Parallel          Routing        Parallel  1

On the Windows XP or Vista system, in the network connections, you should have a WAN miniport for PPTP or L2TP (this is the VPN connection)?  See my prior comment for checking the settings on the client side.

pankisAuthor Commented:
On the XP side, here is what is checked under Network Connections > WAN Miniport > Properties:

(CHECKED) Display Progress while connecting
(CHECKED) Prompt for name and password, certificate, etc.
(UN-CHECKED) Include Windows Logon Domain

Redial attempts:  3
Time between redial attempts: 1 minute
Idle time before hanging up: never
There should be three other tabs there.  See options, security, networking and advanced.  Make sure your choices under each match what your server's configuration is.  Reference the prior comment ID:21412242.

How many PPTP tunnels can be established at one time on your server?
pankisAuthor Commented:
I think we need to troubleshoot this from a server perspective.  3 days ago 15 people could VPN into this server, no problem.  Then we installed Windows Updates (doh!), and they cannot.  After the updates were installed, Event ID 20050 began showing up in the logs, every time someone tried to connect.

Regarding connection settings on the client side XP machine, as you requested:

Options, are posted in  21413130.

Security: Typical (require secured password) and "Require Data Encryption" are both selected.

Networking Protocol:

Type of VPN:  Automatic
All of the following are checked:  TCP/IP, QoS Packet Scheduler, File and Printer Sharing for Microsoft Networks, Client for Microsoft Networks.
Settings on the networking page? Enable LCP extensions checked or unchecked?  Which updates did you install?

Are you using certificate authentication?  There is not information to point to a single location where you should look to correct the issue. The two sides cannot agree on a protocol.
Try forcing the PPTP connection type under the Networking tab.

Check the security tab: which options are set? Are you using the default, or did you go through and specify a specific set of valid credential exchanges?
pankisAuthor Commented:
Setting on the networking page points to the VPN address, which is resolving in DNS.  LCP extensions is not available as an option, as this is not a dial-up connection.  Maybe I'm missing something?  I checked these on the XP client.

How can I tell if I am using certificate authentication?

Forced PPTP, 773 error.
Forced L2TP IPSec VPN, 789 error, reading "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

On security tab, I have kept everything as default.  It is Typical (recommended settings), Require Secure Password, and Require Data Encryption.

I will post the updates I installed and then uninstalled, in the next post.

Thanks for helping me through this, I am a little confused.
pankisAuthor Commented:
Updates that I installed 4/20/2008 are as follows.  

Everything was working prior to these!

They were uninstalled last night, but that didn't seem to help.

This is a "dial-up connection" of sorts.  The option is under the settings button on the Networking Tab.  

L2TP over IPSEC could have failed because it did not have the passphrase to establish the IPSEC tunnel.

In the properties of the WAN miniport there are five distinct tabs.  Under the networking there is the settings button that has additional choices.
Force your connection to use PPTP.  Are you able to connect?
Under the security tab you need to configure depending on what you have on the server.  You may have to specify using the advanced button on the security tab.
Do you need to specify IPSEC passphrase?  

Double check the status of windows firewall on the server.
You should apply the patches.

pankisAuthor Commented:
Okay, just got off the phone with the client (end users).  I believe the answer to your PPTP, security, etc., questions is answered in the feedback I got from them.  Basically, they've been able to run through the wizard, putting in the VPN server's address, and then connect.

They have been set up such that they can run the Windows New Connection Wizard, choose "Virtual Private Network" connection, tell it NOT to dial in, and then put in the Host Name, and click finish.

At this point, with these default settings, they've been able to connect.  Now they can't.  

Would it be reasonable to re-create the VPN connection on the server?  

Nobody in the organization can connect right now anyway.
Question has a verified solution.
