Solved

PPTP VPN Radius Watchguard

Posted on 2009-03-30
Last Modified: 2013-11-16
Replaced my 700x using WSG 7.3 with a 750e WSG 10.2 and Fireware. (Not a job for the faint of heart.) Rebuilt and working Branch Office Tunnels and other Policies except PPTP VPN.

Need to get a few users connecting with PPTP access to our network. This was working on old unit.

Issue: you can connect but most times it takes 10-20 tries.

Nothing special, RADIUS (IAS) very default (even built a new IAS with same results). I spent 10 hrs reading and trying everything on this site and others.

IAS does not fail to authenticate, just nothing, then after a bunch of tries it works:
FILTER-ID set to PPTP-Users
AD group = XXXX\pptp users

User xxxxx was granted access.
 Fully-Qualified-User-Name = xxxx.com/User Groups/xxxxxx/xxxxx, Michael
 NAS-IP-Address = 127.0.0.1
 NAS-Identifier = <not present>
 Client-Friendly-Name = Watchguard
 Client-IP-Address = 192.168.128.254
 Calling-Station-Identifier = <not present>
 NAS-Port-Type = <not present>
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = WatchGuard
 Authentication-Type = MS-CHAPv2
 EAP-Type = <undetermined>


Have tried to connect locally on port 4100 but get an XML page error (did work one time):

Invalid at the top level of the document. Error processing resource 'https://192.168.128.254:4100/?action=fw_logon&style=fw...

connect() err


GOOD and FAILED logs attached.

Very confused as to why it works sometimes.


PPTP-LOG.txt
Question by:uscost
6 Comments
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 24025596
If you use PPTP without RADIUS [FB authentication], does this work?

Are you running RADIUS on a win2000 server? In one of the posts it was found that RADIUS on win2000 had compatibility problems. The user used 2003 in that case.

Internal authentication on port 4100 should work; we use it extensively to find if there is problem with authentication server communication with firewall.

Finally, are the logs for the same user?

I see you have specified:
FILTER-ID set to PPTP-Users
AD group = XXXX\pptp users

This should not make any difference as you are able to authenticate; but can you also make AD group as PPTP-Users to make sure if that is not the issue.
Also, on WG you have added group as PPTP-Users.

Thank you.
0
 
LVL 1

Author Comment

by:uscost
ID: 24027468
Windows 2003.

Logs look the same for various users.

I am confused about the XML error when trying port 4100 internal. As I want to use that for testing between WG and RADIUS, any clues why that error pops up?


I have a ticket opened with WatchGuard on this (will give them a shot before I start trying other things) and will update.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24031631
Not sure; it can be a browser issue; please ensure you have Java enabled and try different browsers just to eliminate browser specific issue.

Please update at your convenience.

Thank you.
0

 
LVL 1

Author Comment

by:uscost
ID: 24032610
Tried 3 different PCs: IE6, IE7 and Firefox. The connection did work 1 time (I got the Watchguard Red login screen). Not sure what or why this is pulling an error.

Still waiting on WatchGuard.

BTW, dpk wal, issue I had with the old unit (would not show parts of some Web Pages) fixed with new Firewall.

Will continue to update on my issues, if anyone has a thought about the :4100 issue please post.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24032667
I think with the newer code of proxy, you might see the improvements. If you notice on 10.x version you get far better control of proxy than in earlier version.

Just to verify you do have Watchguard-Authentication policy in policy manager.

Thank you.
0
 
LVL 1

Accepted Solution

by:uscost
uscost earned 0 total points
ID: 24108396
Issues resolved.

1. Reload of Firewall (back to factory) and reload configuration fixed port 4100 issue. (Watchguard support was helpful)

2. PPTP VPN issue fixed by power-cycling routers at clients' sites. 6 clients had issue (4 XP, 2 Vista), 4 clients had no issue. Routers power-cycled were Linksys or D-Link DSL/Cable routers. 5 clients were fixed with the power-cycle and 1 Vista client had to redo his VPN client.

Most of the users were connecting (without problems) to other VPN sites while the issue was going on with the Watchguard.

Watchguard Support was almost useless and they failed to read post, logs etc and it seems that I had to repeat myself over and over.

90% of any useful information was acquired by reading posts by dpk Wal on Experts Exchange so he deserves the pts.

Still clueless on why this issue happened but it is fixed so on to QOS.
0
