We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


VPN error 721 while trying to log into SBS 2003 R2

nradisic asked
Medium Priority
Last Modified: 2012-05-06
We've had an SBS 2003 R2 with one NIC behind a Linksys BEFVP41 running on a dynamic IP with Cablevison for over two years without any problems. Everything worked fine, remote web access, VPN, remote desktop, public website access, without problems. We need the VPN for sales people on the road to be able to log into the network check e-mail, access files, access quickbooks on the server to place orders, etc. The Linksys has always been the DHCP server, without any issues.

For a number of reasons we decided to switch to a static IP. The Cablevision Static IP set up comes with a Cisco 851 that acts as a NAT appliance with 5 static IPs ( it is in front of the Linksys, since I cannot manage the Cisco, I need to forward all the necessary ports Linksys tomthe SBS) On the Cisco 851 the all ports open and services enabled and nothing blocked - verified by calling Cablevision business tech support ( I cannot access the Cisco 851, it was set up by Cablevision and users have no access) Once we switched to static IP we changed the proper IP settings on the router and server as needed. With our anti-virus software, AVG 8.0 Network Edition we had accidentally installed the Firewall on the server and after the dynamic IP switch to Static IP on the SBS, the Firewall seemed to be blocking some access to the NIC on the server and IPV4 and IPV6 connections, according to the AVG Firewall interface. We seemingly corrected the AVG Firewall issues and repaired the AVG installation to remove and uninstall  the AVG Firewall from the SBS (since it did not belong there in the first place) Now we have had everything working with the static IP setup and the SBS 2003 R2 for over six months, except the VPN. so everything is working but the VPN... Webmail, remote desktop, access to our public website and all other server functions work except for the VPN.

The other thing that bugs me is that I cannot access the regular Windows Firewall - I get a pop up that says the Firewall is being used by another program and something about ipsys.nat. It makes me believe that there could be some remnant settings blocking the VPN from the uninstalled AVG Firewall component on the SBS, given the past issue after the switch to the static IP and the inability to access the regular Windows Firewall on the server.

That being said, we cannot VPN from within or from outside the LAN, as we could before the switch to the static IP. Upon trying to dial in remotely to the VPN all 5 users get error 721 and the connection is unable to authenticate and hangs...

I have read through every single error 721 question I have seen on EE, but have not found a solution. I have looked at the Event Wiever on the server and it shows an RAS error for every time one of the sales people tries to VPN into the server. I am rather tech savvy and manage about 95% of our small company IT needs, including most of the SBS setup, but I am not a Pro. I have a pretty good MS Small Business Specilalist (Alan) that tried to figure out our current SBS VPN issue, but even at $125 and hour for eight hours, he could not solve it. I would rather spend some more time on my own trying to solve this issue and avoid at all costs having to spend God knows how many hours at $125 paying Alan, who may or may not fix it.

I have read through many SBS posts here on EE and it seems Rob Will is the best at it....Rob, please help me! A detailed step by step explanation would be most helpful. Where should I start? I want to be able to eliminate all possible issues one to make sure I don't miss a thing.

Is it AVG Firewall remnants blocking the VPN?
Is it a DHCP authentication issue?
Do I reinstall the AVG Firewall to check the settings and make sure they are all cleared and then uninstall it again?
Should I rerun again the connection wizards for the mobile users?

We are able to function as is OK without the VPN, given that the reps also have PDA's for their e-mail while on the road connected through the SBS. Those are working fine, but we really need the SBS VPN to be working for everyone to be more efficient and productive no matter where we are with our laptops and have full access to the LAN and server while on the road.

That being said, I have planned my first family vacation in five years, since starting my company. My wife sends the orders that our reps e-mail in to our warehouse daily from our office using our multi-user Quickbooksset up on the SBS to enter all the orders( we are a small fine wine importer and distributor in NY/NJ ). Without the VPN we cannot access the Quickbooks remotely while on the road and on vacation to place the orders sent in by the rep daily, so I have to resolve this before vacation in early April! I know I can use remote desktop to log into a pc on the LAN via the SBS, but that is not doable if you are in the car all day, on the road, using an AT&T air card on your actual laptop...

In addition to the points I would gladly offer several free bottles of wines with free Fedex shipping to the expert who helps me solve this VPN mess!

I know it is something simple and it is just eating at me...Have at it boys!

Watch Question


Could this be an issue? I have only allocated one static IP for the SBS....Do I need to allocate more than one?

# Cause: The answering router cannot validate the credentials of the calling router (user name, password, and domain name).

Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server.
# Cause: There are not enough addresses in the static IP address pool.

Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server cannot allocate an IP address, and the connection attempt is rejected. If all of the addresses in the static pool have been allocated, modify the pool. See the Windows Server 2003 Help and Support Center for more information about TCP/IP and remote access, and how to create a static IP address pool. Click Start to access the Windows Server 2003 Help and Support Center.

Hello nradisic,

wow, that was ALOT of reading :-)
let's start with the page I've created:
so, did you run the VPN wizard in SBS? (remote access wizard actually)?
are you SURE there is GRE passtrough AND port 1723 is forwarded?




and btw, test this WITHOUT any antivirus programs active, because they can block VPN traffic.




The VPN worked without any issue passing through the existing Linksys router before we switched from dynamic to static IP, so yes port 1723 is forwarded from the router to the SBS.  GRE was obviously being passed through before, since the VPN was working and I did not touch any of the port settings after we switched to static IP, so....I will run the SBS remote access wizard again later today and let you know what happens. One step at a time...


Yes, I have run the remote access wizard, yet again...Port 1723 is enabled and GRE pass through is allowed. We just spent the entire day cleaning out remnants of the AVG Firewall. I thought that might be part of the issue. It is not. We managed to reinstall the AVG Firewall, change all the settings to allow all communication and ports to go through, removed the AVG Firewall and voila. Clean AVG set up without any issues, except the VPN is still not working... even after re-downloading the connection manager after the changes onto two of the domains laptops, but still no VPN.

At this point it has to be a DHCP authentication issue. I have eliminate basically any other cause. The Linksys router runs the DHCP for our local network and I think that may be the reason that the VPN gets the error 721 when trying to dial in - the client is unable to authenticate on the SBS. Does that make sense? Should I let the SBS run the DHCP instead of the router? If so, what do I do about all the ports and services that are currently being forwarded by the Linksys to the SBS?
The Linksys router runs the DHCP for our local network  >> thAt is the problem.
on an SBS network the SBS server needs to run DHCP.
disable dhcp on the linksys, and enable it on the SBS server by rerunning the 'connect to the internet wizard'.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts



Just as I suspected....I believe I have eliminated all other possibilities regarding the VPN issue...When I have the time....hopefully by this weekend, I will change the DHCP from the router to the SBS and re-run the connect to the internet wizard....we'll see if that solves the VPN issue.


but the dhcp part is VERY important, sbs needs o run dhcp


Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.