haachee

MS VPN Connection hanging at Verifying username and Password SBS 2003

Our office recently moved and since then the MS VPN connection that comes with SBS 2003 hangs at the Verifying Username and Password.  I am forwarding port 1723 to the server.  The RWW connection is working which uses the same protocol.

Both types of Remote connections were working prior to the move.  They did change the router they were using to a Linksys RSV4000.  I know that the GRE protocol needs to be forwarded and this is an IP Protocol, not a TCP or UDP protocol.  I did try using a different router that I know another office was using for the same type of remote connection (MS VPN to a SBS 2003) and we ran into the same problems with this router.

The weird thing is that the VPN connection would work with either router for several hours and then all of a sudden it would just stop working and hang on the Verifying part.  If we rebooted the MODEM then the VPN connection would work again.  So, I tried replacing the modem and now the VPN connection does not work at all.

I called AT&T and they had no idea, I called Dell and they had no idea other than the GRE protocol needing to be forwarded.  I called Linksys and they couldn't figure out how to fix it either.

Any ideas on what I could try next?
c_ross

Hi,

It does sound like what you would expect to happen if the GRE protocol was not being passed through but like you said you swapped the router so that rules this out.

I take it you have tried to connect to the VPN from multiple different locations?
Do you see anything in the logs of the SBS RRAS or even event viewer when you try to connect?
haachee

ASKER

Of course the only message in the Event viewer is a warning for why the connection couldn't be completed and it has to do with the GRE protocol

Should I attach one of the RRAS log files?

Event Viewer warning event ID 20209:

A connection between the VPN server and the VPN client 76.170.69.141 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I take it the connection you're connecting from allows GRE packets as stated below:

Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Have there been any Windows Updates since your relocation? It may be worth rolling them back in case they have caused this issue.
Rob Williams
If the port forwarding was not properly configured you wouldn't get that far and you would get an 800 error, so it definitely sounds like GRE or MTU.
-GRE is blocked by some ISPs, but it would be odd that it would connect and then drop.
-If it were a bad modem and then you replaced it, it could be that the new modem does not support the GRE protocol. Though this is true in some cases, it is not very common. However, might the new modem be a combined modem and router? Many are. If this is the case you need to put it in bridge mode.
-It was connecting and then losing the connection before. Dropped connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection. It is recommended you change this on the connecting/client computer and, when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
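An added example, not part of the original posts: a small capture triage that separates the PPTP control channel (TCP 1723) from the GRE tunnel (IP protocol 47), which is the distinction event ID 20209 and the replies above turn on. The function names, addresses and packets are constructed for this sketch, and it assumes raw IPv4 packets captured on the VPN server's interface.

```python
import socket
import struct

PPTP_CONTROL_PORT = 1723  # TCP control channel, the port forwarded in the thread
IPPROTO_GRE = 47          # GRE is an IP protocol number, not a TCP/UDP port

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left 0) for the constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def classify(packet):
    """Return (src, dst, kind); kind is 'pptp-control', 'gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # not a complete IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if packet[9] == IPPROTO_GRE:
        return src, dst, "gre"
    if packet[9] == socket.IPPROTO_TCP and len(packet) >= ihl + 4:
        if PPTP_CONTROL_PORT in struct.unpack("!HH", packet[ihl:ihl + 4]):
            return src, dst, "pptp-control"
    return src, dst, "other"

def diagnose(packets, server_ip):
    """Summarise a capture taken on the VPN server's network interface."""
    control = gre_in = gre_out = False
    for src, dst, kind in filter(None, map(classify, packets)):
        control |= kind == "pptp-control"
        gre_in |= kind == "gre" and dst == server_ip
        gre_out |= kind == "gre" and src == server_ip
    if not control:
        return "no TCP 1723 traffic: check the port forward"
    if not gre_in:
        return "TCP 1723 seen but no inbound GRE: protocol 47 dropped upstream"
    if not gre_out:
        return "inbound GRE seen but server sent none"
    return "TCP 1723 and GRE seen in both directions"

# Constructed sample addresses and packets (not taken from the thread).
SERVER, CLIENT = "192.168.16.2", "198.51.100.7"
CTRL = build_ipv4(CLIENT, SERVER, socket.IPPROTO_TCP, struct.pack("!HH", 49152, 1723))
STUCK = [CTRL]  # control channel only, as when the client hangs at "Verifying"
WORKING = [CTRL, build_ipv4(CLIENT, SERVER, IPPROTO_GRE, b"\x00" * 8),
           build_ipv4(SERVER, CLIENT, IPPROTO_GRE, b"\x00" * 8)]

if __name__ == "__main__":
    print(diagnose(STUCK, SERVER))
    print(diagnose(WORKING, SERVER))
```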
haachee

ASKER

The actual error that I get when I try to VPN from my computer is error 721 after it times out on the verifying part.

The modem that I got was from Best Buy and is a Motorola Model 2210-02.  I believe it is just a modem and not a modem/router.

When I was on the phone with Linksys, they suggested to decrease the MTU on the router, and that didn't have an effect either.  We didn't go as low as 1300, I think we tried 1424.  I have the Airlink 101 router in place now and it doesn't have an option to decrease the MTU.  Again the Airlink was in place at another site that had a working VPN.

Any other ideas... I think I pulled a lot of my hair out yesterday on this one.
haachee

ASKER

The server was not modified in any way during the move.  I can connect to other SBS servers using VPN connections, just not this particular office, so the issue is not on the Client side.
A 721 error is 99% guaranteed to be GRE.

Lowering the MTU on the router will not help. You need to do so from the source, the VPN client.
I assume you are testing using a VPN client that is off site? It usually will not work to connect to the external IP from the LAN.
haachee

ASKER

Yes, I'm using my home computer right now, and I'm able to log on to other offices using a VPN connection.
I just lowered the MTU on my router to 1300 and it's still hanging on the Verifying...

Their ISP is AT&T and they just moved about a mile away from their old office and they were using AT&T at their old office as well.

If it's a GRE issue, then why did the VPN connection work on the same router at a different site?  That's what's really baffling me right now.
The new modem is in NAT mode by default and will need to be put in Bridge mode I would say (i.e. it is a combo unit):
http://www.broadbandreports.com/faq/15882
If the Modem is in NAT mode your VPN will not work with the Linksys in place.

>>"Their ISP is AT&T and they just moved about a mile away from their old office and they were using AT&T at their old office as well."
Likely not the issue, but Comcast for example blocks GRE on some types of accounts and not others.

>>"If it's a GRE issue, then why did the VPN connection work on the same router at a different site."
May work at this site too, but you have suggested it may be a bad modem. Make sure the Linksys has PPTP pass-through enabled, and I forget if that one can act as a PPTP server/end point but if so make sure it is not configured to do so.
haachee

ASKER

Ok, I'll try that the next time I'm in the office.
Good luck. Let us know how you make out.
--Rob
haachee

ASKER

No luck :( Just tried this and I was unable to connect properly to the internet.
When I tried to open a web page I was redirected to AT&T's troubleshoot page where it would say that the username and password were incorrect, but when I change the modem back to PPP on the modem and I have to enter the username and password again on the modem, I'm able to connect to the internet.

I think the only solution now is to recommend going with a static IP Address.
Your modem is a combined router and modem, a static IP will not change anything.
When you configure the modem in Bridge mode the Linksys has to be configured with the PPPoE connection information (user name and password)
haachee

ASKER

First of all, thanks for all the help Rob.

The problem when I try to have the Linksys or the Airlink configured with PPPoE is that the username and password are not passing through correctly.  Every time I try to open a web page, I get redirected to AT&T stating that the username and password don't match what's on the account.  I was on the phone with AT&T and they changed my password and this still did not fix the issue.

So what I'm thinking of doing is changing their type of connection to static.  Bridge the modem, and then I can put the Static IP info on the router and this should work, as I no longer need to be concerned about a username and password.

This should work, right?  Can you think of any reason why it wouldn't?  I do not want to change to static if there's any chance that it won't resolve the issue.
You are very welcome. Glad to try to help.

Sorry, I better understand now why you are looking at static as an option. Yes that should work fine and in my opinion static is always the better option when you have the choice.
PPPoE can also be problematic with VPNs in that it is designed for efficiency. The connection is technically dropped after a period of inactivity which is quite short. When browsing you don't notice this as it reconnects almost instantly. However, with a VPN you lose the connection, so "keep alives" have to be set. It usually works fine, but I like to avoid it when possible.

Let us know how you make out.
--Rob
haachee

ASKER

Ok, so I finally solved this.

The issue was with the modem.  The Motorola 2210 is really a "single user" modem.  It's not good to use for small businesses or if you want some more advanced features.

I had to use a Netopia 3300 series modem to semi-bridge the connection.  The modem authenticates the connection and both the modem and the router have external IP Addresses.  The router then handles the NATing and the forwarding.

Thanks for your suggestions.
ASKER CERTIFIED SOLUTION
Rob Williams
haachee

ASKER

You did point me in the right direction, so I'll agree, you do deserve the points.  The only thing is that the Motorola modem would not work no matter what, and it was this that was causing the problem.  The link to the dslreports article was an extra step, but how would you know this?  Not even the level 1 people at AT&T knew this nor did one of the level 2 people I spoke with.
Thanks haachee.
My point was that one way or the other the modem has to be in bridge mode or it will not work. Correct I was not aware that you were unable to configure it to do so, but without it there was no hope.
Thanks again.
Cheers !
--Rob