pankis

Cannot connect to VPN on Windows 2003 Enterprise R2 Server. Client receives VPN connection error 733. Server receives VPN event id 20050

When a user tries to connect using Windows XP, he gets as far as registering computer on the network, then: TCP/IP CP reported error 733: A connection to the remote computer could not be completed.  You might need to adjust the protocols on this computer.

On the server, Event 20050 occurs, saying The User DOMAIN\username connected to port VPN4-23 has been disconnected because no network protocols were successfully negotiated.

These errors occur whether we are attempting a connection from internal, or external, so it does not appear to be firewall related.

We updated a few nights ago, 4/22/2008, applying all Windows updates from the last month.
Prior to doing this, the VPN connection itself was working great.  We thought this was the culprit.

We have uninstalled all updates applied 4/22, and no change in the results.

Server: Windows 2003 Enterprise R2
Clients:  Windows XP Pro, Windows Vista Business

What troubleshooting steps should I take?
arnold

Which VPNs does the server offer, IPSEC+L2TP or PPTP? Check the networking tab of the WAN miniport settings to see which options are checked there and the TCP/IP protocol. You may need to uncheck the enable LCP extensions. What about compression? Do you specifically specify a PPTP or L2TP connection?
pankis

ASKER

The server appears to offer both.

I don't believe we specify a PPTP or L2TP connection.  They both appear to be available.

Can you tell me how to check the WAN miniport?  I'm not finding this.  (Newbie to VPN)

Under Administrative Tools > Routing and Remote Access > Ports Properties, it reads as follows:


Name                    Used By       Type     Number
WAN Miniport (L2TP)     RAS/Routing   L2TP     0
WAN Miniport (PPPOE)    Routing       PPPoE    1
WAN Miniport (PPTP)     RAS/Routing   Parallel 1

pankis

ASKER

Let's try this again (ignore previous post of details):

The description of Administrative Tools > Routing and Remote Access > Ports Properties:
Name                     Used By        Type      Number
--------------------------------------------------------
WAN Miniport (L2TP)      RAS/Routing    L2TP      0
WAN Miniport (PPPOE)     Routing        PPPoE     1
WAN Miniport (PPTP)      RAS/Routing    PPTP      24
Direct Parallel          Routing        Parallel  1

On the Windows XP or Vista system, in the network connections, you should have a WAN miniport for PPTP or L2TP (this is the VPN connection)?  See my prior comment for checking the settings on the client side.

pankis

ASKER

On the XP side, here is what is checked under Network Connections > WAN Miniport > Properties:

(CHECKED) Display Progress while connecting
(CHECKED) Prompt for name and password, certificate, etc.
(UN-CHECKED) Include Windows Logon Domain

Redial attempts:  3
Time between redial attempts: 1 minute
Idle time before hanging up: never

There should be three other tabs there.  See options, security, networking and advanced.  Make sure your choices under each match what your server's configuration is.  Reference the prior comment ID:21412242.

How many PPTP tunnels can be established at one time on your server?
pankis

ASKER

I think we need to troubleshoot this from a server perspective.  3 days ago 15 people could VPN into this server, no problem.  Then we installed Windows Updates (doh!), and they cannot.  After the updates were installed, Event ID 20050 began showing up in the logs, every time someone tried to connect.

Regarding connection settings on the client side XP machine, as you requested:

Options are posted in 21413130.

Security: Typical (require secured password) and "Require Data Encryption" are both selected.

Networking Protocol:

Type of VPN:  Automatic
All of the following are checked:  TCP/IP, QoS Packet Scheduler, File and Printer Sharing for Microsoft Networks, Client for Microsoft Networks.

Settings on the networking page? Enable LCP extensions checked or unchecked?  Which updates did you install?

Are you using certificate authentication?  There is no information to point to a single location where you should look to correct the issue. The two sides cannot agree on a protocol.
Try forcing the PPTP connection type under the Networking tab.

Check the security tab: which options are set? Are you using the default, or did you go through and specify a specific set of valid credential exchanges?
pankis

ASKER

Setting on the networking page points to the VPN address, which is resolving in DNS.  LCP extensions is not available as an option, as this is not a dial-up connection.  Maybe I'm missing something?  I checked these on the XP client.

How can I tell if I am using certificate authentication?

Forced PPTP, 773 error.
Forced L2TP IPSec VPN, 789 error, reading "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

On security tab, I have kept everything as default.  It is Typical (recommended settings), Require Secure Password, and Require Data Encryption.

I will post the updates I installed and then uninstalled, in the next post.

Thanks for helping me through this, I am a little confused.
pankis

ASKER

Updates that I installed 4/20/2008 are as follows.  

Everything was working prior to these!

They were uninstalled last night, but that didn't seem to help.

KB942830
KB942831
KB943055
KB943460
KB943485
KB942763
KB945553
KB941644
KB948496
KB948590
KB948881
KB944653
KB936021
KB935840
KB935839
KB933729
KB941569
KB941568
KB941202
KB936782
KB929123
KB941693
KB946026
KB926122
KB936357
KB933854

This is a "dial-up connection" of sorts.  The option is under the settings button on the Networking Tab.

L2TP over IPSEC could have failed because it did not have the passphrase to establish the IPSEC tunnel.

In the properties of the WAN miniport there are five distinct tabs.  Under the networking there is the settings button that has additional choices.
Force your connection to use PPTP.  Are you able to connect?
Under the security tab you need to configure depending on what you have on the server.  You may have to specify using the advanced button on the security tab.
Do you need to specify IPSEC passphrase?  

Double check the status of windows firewall on the server.
You should apply the patches.

pankis

ASKER

Okay, just got off the phone with the client (end users).  I believe the answer to your PPTP, security, etc., questions is answered in the feedback I got from them.  Basically, they've been able to run through the wizard, putting in the VPN server's address, and then connect.

They have been set up such that they can run the Windows New Connection Wizard, choose "Virtual Private Network" connection, tell it NOT to dial in, and then put in the Host Name, and click finish.

At this point, with these default settings, they've been able to connect.  Now they can't.

Would it be reasonable to re-create the VPN connection on the server?  

Nobody in the organization can connect right now anyway.
ASKER CERTIFIED SOLUTION
pankis