Solved

PPTP VPN Radius Watchguard

Posted on 2009-03-30
Last Modified: 2013-11-16
Replaced my 700x using WSG 7.3 with a 750e WSG 10.2 and Fireware. (Not a job for the faint of heart.) Rebuilt and working: Branch Office Tunnels and other policies, except PPTP VPN.

Need to get a few users connecting with PPTP access to our network. This was working on the old unit.

Issue: you can connect but most times it takes 10-20 tries.

Nothing special, RADIUS (IAS) very default (even built a new IAS with the same results). I spent 10 hrs reading and trying everything on this site and others.

IAS does not fail to authenticate, just nothing, then after a bunch of tries it works:
FILTER-ID set to PPTP-Users
AD group = XXXX\pptp users

User xxxxx was granted access.
 Fully-Qualified-User-Name = xxxx.com/User Groups/xxxxxx/xxxxx, Michael
 NAS-IP-Address = 127.0.0.1
 NAS-Identifier = <not present>
 Client-Friendly-Name = Watchguard
 Client-IP-Address = 192.168.128.254
 Calling-Station-Identifier = <not present>
 NAS-Port-Type = <not present>
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = WatchGuard
 Authentication-Type = MS-CHAPv2
 EAP-Type = <undetermined>


Have tried to connect locally on port 4100 but get an XML page error (did work one time):

Invalid at the top level of the document. Error processing resource 'https://192.168.128.254:4100/?action=fw_logon&style=fw...

connect() err


GOOD and FAILED logs attached.

Very confused as to why it works sometimes.


PPTP-LOG.txt
Question by:uscost
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 24025596
If you use PPTP without RADIUS [FB authentication], does this work?

Are you running RADIUS on a Win2000 server? In one of the posts it was found that RADIUS on Win2000 had compatibility problems. The user used 2003 in that case.

Internal authentication on port 4100 should work; we use it extensively to find if there is a problem with authentication server communication with the firewall.

Finally, are the logs for the same user?

I see you have specified:
FILTER-ID set to PPTP-Users
AD group = XXXX\pptp users

This should not make any difference as you are able to authenticate; but can you also make AD group as PPTP-Users to make sure if that is not the issue.
Also, on WG you have added group as PPTP-Users.

Thank you.
0
 
LVL 1

Author Comment

by:uscost
ID: 24027468
Windows 2003.

Logs look the same for various users.

I am confused about the XML error when trying port 4100 internally, as I want to use that for testing between WG and RADIUS. Any clues why that error pops up?


I have a ticket opened with WatchGuard on this (will give them a shot before I start trying other things) and will update.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24031631
Not sure; it can be a browser issue; please ensure you have Java enabled and try different browsers just to eliminate browser specific issue.

Please update at your convenience.

Thank you.
0
LVL 1

Author Comment

by:uscost
ID: 24032610
Tried 3 different PCs: IE6, IE7 and Firefox. The connection did work 1 time (I got the Watchguard red login screen). Not sure what or why this is pulling an error.

Still waiting on WatchGuard.

BTW, dpk wal, issue I had with the old unit (would not show parts of some Web Pages) fixed with new Firewall.

Will continue to update on my issues, if anyone has a thought about the :4100 issue please post.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24032667
I think with the newer code of proxy, you might see the improvements. If you notice on 10.x version you get far better control of proxy than in earlier version.

Just to verify you do have Watchguard-Authentication policy in policy manager.

Thank you.
0
 
LVL 1

Accepted Solution

by:
uscost earned 0 total points
ID: 24108396
Issues resolved.

1. Reload of firewall (back to factory) and reload of configuration fixed the port 4100 issue. (Watchguard support was helpful.)

2. PPTP VPN issue fixed by power-cycling routers at the clients' sites. 6 clients had the issue (4 XP, 2 Vista); 4 clients had no issue. Routers power-cycled were Linksys or Dlink DSL/cable routers. 5 clients were fixed with the power-cycle and 1 Vista client had to redo his VPN client.

Most of the users were connecting (without problems) to other VPN sites while the issue was going on with the Watchguard.

Watchguard Support was almost useless and they failed to read posts, logs etc., and it seems that I had to repeat myself over and over.

90% of any useful information was acquired by reading posts by dpk Wal on Expert Exchange, so he deserves the pts.

Still clueless on why this issue happened, but it is fixed, so on to QOS.
0
