Solved

PPTP VPN Error 721 issue for 1 out 25 users

Posted on 2009-04-07
12
1,096 Views
Last Modified: 2012-05-06
Hello,

Very frustrated with this issue.  I have searched here, and via google and can not come up with a real answer to the problem.

We have a network with 25 users on Laptops.  We also have Windows 2003 server handleing all VPN connections and authentication.  Everybody can connected using a PPTP VPN without issue, excpet 1 user.  It connects, and then stalls while verifing user name and password, giving an error 721.

He uses TrendMicro Total Internet Security for AV & firewall.  Windows firewall is disabled.  I tried configuring the firewall, and even disabling it completely.  Still doesn't work.  I shut the software completely off, still no go.  I have tried from a variaty of internet sources, wired, wireless, mobile broadband, from a variety of sources.  I have basically varified that the problem is with the machine it's self, not a router, firewall or other external source.  I still get the same Error 721.  Does anybody have any tips or ideas to look at?

Thanks
0
Comment
Question by:thompsontech
  • 3
  • 3
  • 3
  • +2
12 Comments
 
LVL 23

Assisted Solution

by:debuggerau
debuggerau earned 100 total points
ID: 24093021
From http://support.microsoft.com/kb/163111

721     Remote PPP peer is not responding.

So does the user have internet or network access?
Default gateway ok? DHCP lease ok?

Are they on an unreliable link?

Maybe they reconfigured their client with another wrong ip address?
0
 
LVL 76

Expert Comment

by:arnold
ID: 24093469
Did you create a new PPTP connection or were you using the existing one.

Is the PPTP connection configured on this laptop is the same as the ones on the working model?

Did you try the connection from the same location where another laptop had no problem establishing a VPN?

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24100029
A 721 error is almost always caused by blocked GRE protocol. This can be due to many issues at either end of the tunnel, but it sounds like you have narrowed it down to the client machine itself. Several security applications such as Symantec have to actually be uninstalled to allow GRE, simply shutting them down does not do it. Trend is one that can block GRE but I don't know if it actually has to be removed. Even some Anti-virus applications will block GRE such as Symantec if "internet worm protection" is enabled. Assuming you have tried from behind different routers and different ISP's I would suggest focusing on the security apps on the PC.
0
 

Author Comment

by:thompsontech
ID: 24107674

I have tried using the VPN from multiple internet access points; mobile broadband, the users home internet, and another access point.  In the case of the mobile broadband, other working PC's have been able to access the VPN without issue.

I configured the VPN link myself, and it is setup the same as on every other machine.  I removed the VPN and reinstalled it on at least three occasions.  Using both IP address and the url that points to the static IP.  Again, using settings that work on all other PC's with access.

The mobile broadband, is my own and was installed for testing this issue out.  I use it on a regualr basis on at least 3 other PCs for VPN access.

I suspect the GRE issue is the culprit, but not sure how to verify whether it's currently blocked.  

I have since learned a Symantec security suite was once used, but has been uninstalled.  TrendMicro is now the security suite used.  While in the TrendMicro's Internet Security  application I was unable to determine how to verify the status of the GRE portocol.

Any ideas related to this Security Suite would be helpful.  If I unistall the suite, I will still need to reinstall so not to leave the user exposed, so I need to find out how to configure it properly.

Thanks,
0
 
LVL 76

Expert Comment

by:arnold
ID: 24108116
See if you have an option to add an exemption for protocol 47 (GRE) within its firewall configuration.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 300 total points
ID: 24108441
You can test to verify if GRE is the issue, though I suspect it definitely is. I am afraid I haven't worked with Trend enough to know the required configuration to allow.

From an earlier post of mine:
Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 23

Expert Comment

by:debuggerau
ID: 24143611
Could be something TCPIP related to windows like the MTU setting or something similar.

If you have GRE pass-through, I would check your TCP settings with DrTCP...

0
 

Assisted Solution

by:glzeiger
glzeiger earned 100 total points
ID: 24246858
I got it to work:
In Trend, go to Personal Firewall Controls.
Click Settings
Click Advanced Settings
Click Network Protocol Control Tab
In here you are going to add 2 OUTGOING rules:

1.PPTP-Out
Allow TCP Port 1723

2. PPTP-GRE
Allow Custom Protocol Number 47.

Worked like a champ for me. Able to access PPTP VPN at office.

Hope this helps.
0
 
LVL 23

Expert Comment

by:debuggerau
ID: 24246960
but the firewall was disabled was the claim above...

Anyways, happy you have it sorted..

0
 

Author Comment

by:thompsontech
ID: 24253160
I am looking in to trying the above fix from glzeiger.  I will report back as soon as I am able to work on the machine in question.  Currently, he is on the east and his internet is down, and I am on the west coast, so trying things out is a little slow sometimes, but I apreciate everybodies input.
0
 

Author Comment

by:thompsontech
ID: 24661541
I have gone round and round with this issue for sometime.  It has taken even longer due to the fact the machine is very rarley under my direct control.  The user and the machine are live on the east coast (I'm with the rest of the company on the west coast).  

After trying many things mentioned both here and other places I fianally set up a test machine with the same A/V firewall setup and was able to replicate the problem.  Could not find a solution.

Contacted TrendMicro (probably should have done this earlier) and was told point blank, PPTP VPN connections are not supported with this software firewall.  If I needed a PPTP VPN then I was directed to uninstall their firewall.

I did that and the problem was resolved.  I should note, disabling the firewall will not help, it must be uninstalled.  

I'm leaving the issue alone at this point and having the user uninstall their TrendMicro firewall, and will move on to another solution as needed.

Thanks for the help!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24661624
Glad to hear you have at least found the problem. As mentioned in ID:24100029, TrendMicro is known to be a problem with VPN's.
--Rob
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now