mikewurtz

Routing and Remote Access VPN Stops Answering After a While

My routing and remote access service is configured for VPN and works, but after a while, it stops answering clients' requests to connect.

The VPN server is on a domain and is on a member server.

When making a failed connection, no messages appear in the event log.  If I check netstat -aon, it shows the system is still listening on port 1723 as it should.  Restarting the Routing and Remote Access service does not resolve the problem.

If I restart the server, it fixes the problem.

How can I prevent this from happening?  How can I troubleshoot deeper what's happening when the VPN server does not answer?
JBart_17

mikewurtz

ASKER

It looks like that only applies to situations where the DHCP server is unavailable.  There is no problem with my DHCP server.
Rob Williams
Is there any chance you are running out of DHCP addresses? Are you using the DHCP relay agent and your standard DHCP server, or a DHCP static address pool within RRAS?

You might also be running out of available PPTP ports. You can change this within the RRAS console. Most Win server O/S's default to 128, but some are only 5, and then it is always possible it was somehow changed.
We do have 50+ available DHCP addresses left.  Also, I don't think running out of ports is an issue because I'm the only one that has used this server for VPN since I set it up.

Also, attached is the error that is received by the client when the connection fails.

Also remember..  If I reboot it works again..  Weird.
It is due to the reboot that I suspected DHCP leases or ports, as a reboot resets these.

You mentioned "attached is the error". Sorry I don't see that?
Is 800 the error you are referring to? If so that is a basic connection failure. No handshaking is taking place at all. Are you always connecting from the same site?
I tried to attach an image but for some reason it didn't work.

Yes, sometimes an 800 error, sometimes 678.

Yes, I can connect just fine from one place and then later it doesn't work from that same place.  Nothing in the environment is changing.  It's as if the Service isn't even listening but it is..  Need someone who knows how to trace what's going on.

I was unable to attach the error the last couple times..  I just uninstalled IE8 Beta and now I can attach lol.


error.JPG
I've investigated further using the PortQry tool to scan the VPN server from a remote location..  What I've found is bizarre..

The VPN server was not working,  I did a scan of port 1723, and this is what PortQry returned:
TCP port 1723 (pptp service): FILTERED

Then I rebooted, and scanned the port again.  This is the PortQry output:
TCP port 1723 (pptp service): LISTENING

So somehow, for some reason, while the server is just sitting there, the PPTP port just becomes blocked somehow, and rebooting opens the port back up...

HELP!
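
The FILTERED versus LISTENING results PortQry returned above can be tracked over time with a small probe run from a remote machine, so the moment port 1723 stops answering can be matched against the server's logs. This is an added example, not part of the original thread; the function names are hypothetical, and a connect timeout is treated as PortQry's FILTERED.

```python
import socket
import time

def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP port using PortQry's three states."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "LISTENING"        # SYN/ACK came back: a socket accepted the connection
    except ConnectionRefusedError:
        return "NOT LISTENING"    # RST came back: host reachable, nothing bound to the port
    except socket.timeout:
        return "FILTERED"         # no reply at all: packets dropped before reaching the service
    finally:
        sock.close()              # other OSErrors (e.g. no route) propagate to the caller

def transitions(samples):
    """Return (timestamp, old_state, new_state) for every change of state."""
    changes = []
    previous = None
    for stamp, state in samples:
        if previous is not None and state != previous:
            changes.append((stamp, previous, state))
        previous = state
    return changes

def watch(host, port, interval=60, rounds=3):
    """Probe repeatedly; returns timestamped samples to feed to transitions()."""
    samples = []
    for i in range(rounds):
        samples.append((time.strftime("%Y-%m-%d %H:%M:%S"), probe_tcp(host, port)))
        if i < rounds - 1:
            time.sleep(interval)
    return samples

if __name__ == "__main__":
    # Constructed demo: a throwaway local listener stands in for the VPN server.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    print(probe_tcp("127.0.0.1", demo_port))   # listener is up
    listener.close()
    print(probe_tcp("127.0.0.1", demo_port))   # listener is gone, loopback answers with RST
```

A FILTERED result while netstat on the server still shows port 1723 listening means the SYN is being dropped somewhere between the wire and the socket. The probe covers only the TCP control channel; PPTP also needs GRE (IP protocol 47), which this does not test.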
That is very bizarre.
Do you have any other services open on that IP, such as RDP? If so, next time it happens test for that service as well, to see if it too stops responding. I am wondering if the port is "going to sleep". I would verify in Device Manager that the network adapter doesn't have "allow the computer to turn off this device to save power" enabled.

Is there any third party security software installed? Many software firewalls, security suites and a few anti-virus programs can play havoc with PPTP VPNs, though they would likely be consistent.

I would also double check the number of enabled ports in RRAS just as a safety:  RRAS | right click on ports and choose properties | verify at least 4 are open. It's possible it is set to one and it is not releasing.
Great idea with device manager.  The device WAS checked to allow the OS to put it to sleep.  Time will tell if that is the solution.

There is no 3rd party security software installed on this server.  Just SpiceWorks which is free software we use for network health and asset tracking.

Attached is the ports properties you talked about..  I assume they are correct.
ports.JPG
Ports look good, and I agree Spiceworks wouldn't cause an issue. Let's hope it had to do with power management.
Let us know how you make out.
--Rob
ASKER CERTIFIED SOLUTION
mikewurtz

Really! I would never have suspected that. I have used Spiceworks on several occasions and would have thought where it is primarily monitoring it would have no effect except possibly web based services, due to its web management interface.
Good information to know. I wonder why.
Spiceworks scans all connected devices. It is possible to access a connected VPN client from the server; I wonder if Spiceworks is doing so or at least somehow trying and holding the connection open or locked.

Very bizarre.