RRAS VPN Setup on widows server 2003, behind a firewall Watchguard

Posted on 2009-04-09
Last Modified: 2012-05-06

could some one help me troubleshoot my problem with rras vpn setup server.

our network has two servers, both are windows server 2003 , and are domain controllers.  I have setup rras on one of the servers with a dedicated nic for it. I have opened up firewall which is provided by Watchguard router. we only have one public ip. on the firewall I have opened up the port of pptp and assigned the host address as the ip address of the nic I am using for rras. ( I don't think , this device watchguard, has explicti natting available).

When I try test by creating a vpn connection using a computer from my home it hangs at verifying user name and password for a bit, then gives the error message ' error 691: access was denied becuase the username and or password was invalid on the domian.'

I have gave the user account I am using to connect access as allow in the properties of AD for dial and remote access connection ( something like that, i don't remember the name of the option /tab).

am I mising something really obvious here. how do I troubleshoot this issue and hopefully resolve it.
Question by:ashjuv

Expert Comment

ID: 24111148
you must allow also GRE protocol on your router

Expert Comment

ID: 24111207
This really depends on which watchguard you are using. If you are using a firebox and not the soho. you can setup a direct one to one NAT with out a prob.

Which Watchguard are you using?

Accepted Solution

dj_relentless earned 250 total points
ID: 24111395
Try it with full upn user@domain.local. If no go enable security auditing on the vpn box if not already and see if your getting failure events on the username and password.
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.


Author Comment

ID: 24111409
this is the watchguard info

version 6.4.1
build 15
boot rom 5.6
Watchguard SOHO 6TC

Author Comment

ID: 24111435
when i specify pptp as the service should it not automatically take care of both the tcp port and protocol on the firewall.??

I actually did try creating my own service and specifying the the rras port as well as protocol, it gave the same result

Author Comment

ID: 24111501
Actually I tried logging on using full name and it worked.

thanks so much.

Assisted Solution

mickeyfan earned 250 total points
ID: 24111515
I would use the MUVPN Software for mobile users with any watchguard hardware. The software is free and setting it up is pretty easy.

We have had issue with using MS VPN through the watchguard hardware. We have had zero problem when we switched over to the watchguard software. The software is more secure and does compression as well.**&p_li=&p_topview=1#soho

MUVPN client connects to a SOHO 6
Determine the software version your SOHO 6 runs

To see what version your SOHO 6 has, go to the main System Status page and look for "Firewall Version" above the picture of the SOHO:

If your SOHO 6 has software version 6.4 or later

Send the MUVPN installation file, the client configuration file, and the Shared Key to the MUVPN user

1. Where to find the client configuration file.

Every Mobile User VPN account you configure has a client configuration file called a "wgx file". You get the wgx file from the SOHO 6 Web management page, in the main VPN area:

Click on the hyperlink for a user's wgx file. Follow the prompts to save the file locally:

2. Copy these files to the user's computer:

The MUVPN installation file, MUVPN.exe or MUVPNLite.exe
The wgx file
3. Give the user the Shared Key.

The shared key is sensitive information. You should not send this to the user with email. Give the user the shared key by telling it to the user, or by some other method that does not allow an unauthorized person to get the shared key
Install the MUVPN software

Note:  Do not install this software if there is another IPSec VPN program on the user's computer. Uninstall any other VPN software, including any previous version of WatchGuard's MUVPN software before installing this software.
Note:  You must have local administrative rights on the computer to install the software. You do not have to have administrative rights to use the program after it is installed.

Installation of the MUVPN software is exactly the same for a user connecting to a Firebox III or Firebox X. Follow the steps at "Install the MUVPN Program" listed in the previous section. Ignore any mention of certificates. The SOHO 6 can not use certificates for MUVPN connections.

The SOHO 6 also has a Remote Management feature that is very similar to an MUVPN client account. You get the wgx file for the Remote Management account from the SOHO 6 Administration page:


Author Comment

ID: 24111727
thanks, mickey, the information would really be helpful if I run into vpn problems. So far with ms it looks good ( still in test ). when I start rolling out i i will find out what are the other issues. In the mean time i will close the case and open a new one whent the issues happen again. thanks for all your hlep guys who responded to this mesage in timely manner.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question