Solved

VPN error 721 while trying to log into SBS 2003 R2

Posted on 2009-02-18
Last Modified: 2012-05-06
We've had an SBS 2003 R2 with one NIC behind a Linksys BEFVP41 running on a dynamic IP with Cablevision for over two years without any problems. Everything worked fine, remote web access, VPN, remote desktop, public website access, without problems. We need the VPN for sales people on the road to be able to log into the network, check e-mail, access files, access QuickBooks on the server to place orders, etc. The Linksys has always been the DHCP server, without any issues.

For a number of reasons we decided to switch to a static IP. The Cablevision Static IP setup comes with a Cisco 851 that acts as a NAT appliance with 5 static IPs (it is in front of the Linksys; since I cannot manage the Cisco, I need to forward all the necessary ports from the Linksys to the SBS). On the Cisco 851 all ports are open, services enabled and nothing blocked - verified by calling Cablevision business tech support (I cannot access the Cisco 851; it was set up by Cablevision and users have no access). Once we switched to static IP we changed the proper IP settings on the router and server as needed. With our anti-virus software, AVG 8.0 Network Edition, we had accidentally installed the Firewall on the server and after the dynamic IP switch to static IP on the SBS, the Firewall seemed to be blocking some access to the NIC on the server and IPv4 and IPv6 connections, according to the AVG Firewall interface. We seemingly corrected the AVG Firewall issues and repaired the AVG installation to remove and uninstall the AVG Firewall from the SBS (since it did not belong there in the first place). Now we have had everything working with the static IP setup and the SBS 2003 R2 for over six months, except the VPN. So everything is working but the VPN... Webmail, remote desktop, access to our public website and all other server functions work except for the VPN.

The other thing that bugs me is that I cannot access the regular Windows Firewall - I get a pop up that says the Firewall is being used by another program and something about ipsys.nat. It makes me believe that there could be some remnant settings blocking the VPN from the uninstalled AVG Firewall component on the SBS, given the past issue after the switch to the static IP and the inability to access the regular Windows Firewall on the server.

That being said, we cannot VPN from within or from outside the LAN, as we could before the switch to the static IP. Upon trying to dial in remotely to the VPN all 5 users get error 721 and the connection is unable to authenticate and hangs...

I have read through every single error 721 question I have seen on EE, but have not found a solution. I have looked at the Event Viewer on the server and it shows an RAS error for every time one of the sales people tries to VPN into the server. I am rather tech savvy and manage about 95% of our small company IT needs, including most of the SBS setup, but I am not a Pro. I have a pretty good MS Small Business Specialist (Alan) that tried to figure out our current SBS VPN issue, but even at $125 an hour for eight hours, he could not solve it. I would rather spend some more time on my own trying to solve this issue and avoid at all costs having to spend God knows how many hours at $125 paying Alan, who may or may not fix it.

I have read through many SBS posts here on EE and it seems Rob Will is the best at it....Rob, please help me! A detailed step by step explanation would be most helpful. Where should I start? I want to be able to eliminate all possible issues one by one to make sure I don't miss a thing.

Is it AVG Firewall remnants blocking the VPN?
Is it a DHCP authentication issue?
Do I reinstall the AVG Firewall to check the settings and make sure they are all cleared and then uninstall it again?
Should I rerun again the connection wizards for the mobile users?


We are able to function as is OK without the VPN, given that the reps also have PDA's for their e-mail while on the road connected through the SBS. Those are working fine, but we really need the SBS VPN to be working for everyone to be more efficient and productive no matter where we are with our laptops and have full access to the LAN and server while on the road.

That being said, I have planned my first family vacation in five years, since starting my company. My wife sends the orders that our reps e-mail in to our warehouse daily from our office using our multi-user QuickBooks setup on the SBS to enter all the orders (we are a small fine wine importer and distributor in NY/NJ). Without the VPN we cannot access the QuickBooks remotely while on the road and on vacation to place the orders sent in by the rep daily, so I have to resolve this before vacation in early April! I know I can use remote desktop to log into a PC on the LAN via the SBS, but that is not doable if you are in the car all day, on the road, using an AT&T air card on your actual laptop...

In addition to the points I would gladly offer several free bottles of wines with free Fedex shipping to the expert who helps me solve this VPN mess!

I know it is something simple and it is just eating at me...Have at it boys!


Question by:nradisic

Author Comment

by:nradisic
ID: 23677858
Could this be an issue? I have only allocated one static IP for the SBS....Do I need to allocate more than one?

# Cause: The answering router cannot validate the credentials of the calling router (user name, password, and domain name).

Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server.

# Cause: There are not enough addresses in the static IP address pool.

Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server cannot allocate an IP address, and the connection attempt is rejected. If all of the addresses in the static pool have been allocated, modify the pool. See the Windows Server 2003 Help and Support Center for more information about TCP/IP and remote access, and how to create a static IP address pool. Click Start to access the Windows Server 2003 Help and Support Center.
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 23678835
Hello nradisic,

Wow, that was A LOT of reading :-)
Let's start with the page I've created:
http://sbs.editme.com/vpntrouble
So, did you run the VPN wizard in SBS (remote access wizard, actually)?
Are you SURE there is GRE passthrough AND port 1723 is forwarded?

Regards,

suppsaws
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 23678841
nradisic,

and btw, test this WITHOUT any antivirus programs active, because they can block VPN traffic.

suppsaws
0

 

Author Comment

by:nradisic
ID: 23700292
suppsaws:

The VPN worked without any issue passing through the existing Linksys router before we switched from dynamic to static IP, so yes port 1723 is forwarded from the router to the SBS.  GRE was obviously being passed through before, since the VPN was working and I did not touch any of the port settings after we switched to static IP, so....I will run the SBS remote access wizard again later today and let you know what happens. One step at a time...
0
 

Author Comment

by:nradisic
ID: 23831424
Yes, I have run the remote access wizard, yet again...Port 1723 is enabled and GRE pass through is allowed. We just spent the entire day cleaning out remnants of the AVG Firewall. I thought that might be part of the issue. It is not. We managed to reinstall the AVG Firewall, change all the settings to allow all communication and ports to go through, removed the AVG Firewall and voila. Clean AVG setup without any issues, except the VPN is still not working... even after re-downloading the connection manager after the changes onto two of the domain's laptops, but still no VPN.

At this point it has to be a DHCP authentication issue. I have eliminated basically any other cause. The Linksys router runs the DHCP for our local network and I think that may be the reason that the VPN gets the error 721 when trying to dial in - the client is unable to authenticate on the SBS. Does that make sense? Should I let the SBS run the DHCP instead of the router? If so, what do I do about all the ports and services that are currently being forwarded by the Linksys to the SBS?
0
 
LVL 21

Accepted Solution

by:
suppsaws earned 2000 total points
ID: 23833855
"The Linksys router runs the DHCP for our local network" >> that is the problem.
On an SBS network the SBS server needs to run DHCP.
Disable DHCP on the Linksys, and enable it on the SBS server by rerunning the 'connect to the internet wizard'.
0
 

Author Comment

by:nradisic
ID: 23835139
suppsaws....

Just as I suspected....I believe I have eliminated all other possibilities regarding the VPN issue...When I have the time....hopefully by this weekend, I will change the DHCP from the router to the SBS and re-run the connect to the internet wizard....we'll see if that solves the VPN issue.

Thanks...
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 23835223
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 23835229
but the DHCP part is VERY important, SBS needs to run DHCP
0
 

Author Comment

by:nradisic
ID: 23835531
Cool...Thanks.
0


Question has a verified solution.
