PPTP VPN Radius Watchguard

Posted on 2009-03-30
Last Modified: 2013-11-16
Replaced my 700x using WSG 7.3 with a 750e WSG 10.2 and Fireware. (Not a job for the faint of heart.) Rebuilt and working Branch Office Tunnels and other policies, except PPTP VPN.

Need to get a few users connecting with PPTP access to our network. This was working on old unit.

Issue: you can connect but most times it takes 10-20 tries.

Nothing special, RADIUS (IAS) very default (even built a new IAS with same results). I spent 10 hrs reading and trying everything on this site and others.

IAS does not fail to authenticate, just nothing, then after a bunch of tries it works:
FILTER-ID set to PPTP-Users
AD group = XXXX\pptp users

User xxxxx was granted access.
 Fully-Qualified-User-Name = xxxx.com/User Groups/xxxxxx/xxxxx, Michael
 NAS-IP-Address = 127.0.0.1
 NAS-Identifier = <not present>
 Client-Friendly-Name = Watchguard
 Client-IP-Address = 192.168.128.254
 Calling-Station-Identifier = <not present>
 NAS-Port-Type = <not present>
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = WatchGuard
 Authentication-Type = MS-CHAPv2
 EAP-Type = <undetermined>


Have tried to connect locally on port 4100 but get an XML page error (did work one time):

Invalid at the top level of the document. Error processing resource 'https://192.168.128.254:4100/?action=fw_logon&style=fw...

connect() err


GOOD and FAILED logs attached.

Very confused as to why it works sometimes.


PPTP-LOG.txt
Question by:uscost
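
The question reports that IAS never rejects a logon: failed attempts leave no event at all. The Python sketch below is an added example, not part of the original thread. It parses the event layout quoted above and sorts each client attempt into granted, denied, or never reached RADIUS. The user name, the timestamps and the "denied" header wording are assumptions.

```python
import re

# Assumption: denied requests use the same "User X was ... access." header.
HEADER = re.compile(r"User (\S+) was (granted|denied) access\.")
ABSENT = {"<not present>", "<undetermined>"}

def parse_ias_event(text):
    """Parse one IAS event description into (user, outcome, fields)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("not an IAS access event")
    fields = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition(" = ")
        if sep:
            # Treat IAS placeholders as missing values.
            fields[key] = None if value in ABSENT else value
    return m.group(1), m.group(2), fields

def triage(attempts, events, window=30):
    """Label each (time, user) attempt with the IAS outcome seen within `window` seconds."""
    parsed = [(t, *parse_ias_event(text)) for t, text in events]
    result = []
    for at, user in attempts:
        outcome = "no-radius-request"  # nothing reached IAS: check the path, not the policy
        for et, euser, eoutcome, _ in parsed:
            if euser == user and 0 <= et - at <= window:
                outcome = eoutcome
                break
        result.append((at, user, outcome))
    return result

# Constructed sample: the event text follows the layout quoted in the question;
# the user name and the timestamps (seconds) are made up.
GRANTED = """User jdoe was granted access.
 NAS-IP-Address = 127.0.0.1
 NAS-Identifier = <not present>
 Client-Friendly-Name = Watchguard
 Client-IP-Address = 192.168.128.254
 Authentication-Type = MS-CHAPv2
 EAP-Type = <undetermined>"""

ATTEMPTS = [(100, "jdoe"), (160, "jdoe"), (220, "jdoe")]
EVENTS = [(223, GRANTED)]

if __name__ == "__main__":
    for row in triage(ATTEMPTS, EVENTS):
        print(row)
```

Attempts labelled `no-radius-request` point at the path between client, firewall and IAS rather than at the remote access policy or group mapping.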
6 Comments
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 2000 total points
ID: 24025596
If you use PPTP without RADIUS [FB authentication], does this work?

Are you running RADIUS on a win2000 server? In one of the posts it was found that RADIUS on win2000 had compatibility problems. User used 2003 in that case.

Internal authentication on port 4100 should work; we use it extensively to find if there is a problem with authentication server communication with the firewall.

Finally, are the logs for the same user?

I see you have specified:
FILTER-ID set to PPTP-Users
AD group = XXXX\pptp users

This should not make any difference as you are able to authenticate; but can you also make AD group as PPTP-Users to make sure if that is not the issue.
Also, on WG you have added group as PPTP-Users.

Thank you.
0
 
LVL 1

Author Comment

by:uscost
ID: 24027468
Windows 2003.

Logs look the same for various users.

I am confused about the XML error when trying port 4100 internal. As I want to use that for testing between WG and RADIUS, any clues why that error pops up?


I have a ticket opened with WatchGuard on this (will give them a shot before I start trying other things) and will update.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24031631
Not sure; it can be a browser issue; please ensure you have Java enabled and try different browsers just to eliminate browser specific issue.

Please update at your convenience.

Thank you.
0
 
LVL 1

Author Comment

by:uscost
ID: 24032610
Tried 3 different PCs: IE6, IE7 and Firefox. The connection did work 1 time (I got the Watchguard Red login screen). Not sure what or why this is pulling an error.

Still waiting on WatchGuard.

BTW, dpk wal, issue I had with the old unit (would not show parts of some Web Pages) fixed with new Firewall.

Will continue to update on my issues, if anyone has a thought about the :4100 issue please post.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24032667
I think with the newer code of proxy, you might see the improvements. If you notice on 10.x version you get far better control of proxy than in earlier version.

Just to verify you do have Watchguard-Authentication policy in policy manager.

Thank you.
0
 
LVL 1

Accepted Solution

by:
uscost earned 0 total points
ID: 24108396
Issues resolved.

1. Reload of Firewall (back to factory) and reload configuration fixed port 4100 issue. (Watchguard support was helpful)

2. PPTP VPN issue fixed by power-cycling routers at clients' sites. 6 clients had issue (4 XP, 2 Vista), 4 clients had no issue. Routers power-cycled were Linksys or D-Link DSL/Cable routers. 5 clients were fixed with the power-cycle and 1 Vista client had to redo his VPN client.

Most of the users were connecting (without problems) to other VPN sites while the issue was going on with the Watchguard.

Watchguard Support was almost useless and they failed to read post, logs etc and it seems that I had to repeat myself over and over.

90% of any useful information was acquired by reading posts by dpk Wal on Experts Exchange so he deserves the pts.

Still clueless on why this issue happened but it is fixed so on to QOS.
0
