RRAS VPN Setup on widows server 2003, behind a firewall Watchguard

Posted on 2009-04-09
Last Modified: 2012-05-06

could some one help me troubleshoot my problem with rras vpn setup server.

our network has two servers, both are windows server 2003 , and are domain controllers.  I have setup rras on one of the servers with a dedicated nic for it. I have opened up firewall which is provided by Watchguard router. we only have one public ip. on the firewall I have opened up the port of pptp and assigned the host address as the ip address of the nic I am using for rras. ( I don't think , this device watchguard, has explicti natting available).

When I try test by creating a vpn connection using a computer from my home it hangs at verifying user name and password for a bit, then gives the error message ' error 691: access was denied becuase the username and or password was invalid on the domian.'

I have gave the user account I am using to connect access as allow in the properties of AD for dial and remote access connection ( something like that, i don't remember the name of the option /tab).

am I mising something really obvious here. how do I troubleshoot this issue and hopefully resolve it.
Question by:ashjuv
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 24111148
you must allow also GRE protocol on your router

Expert Comment

ID: 24111207
This really depends on which watchguard you are using. If you are using a firebox and not the soho. you can setup a direct one to one NAT with out a prob.

Which Watchguard are you using?

Accepted Solution

dj_relentless earned 250 total points
ID: 24111395
Try it with full upn user@domain.local. If no go enable security auditing on the vpn box if not already and see if your getting failure events on the username and password.
Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.


Author Comment

ID: 24111409
this is the watchguard info

version 6.4.1
build 15
boot rom 5.6
Watchguard SOHO 6TC

Author Comment

ID: 24111435
when i specify pptp as the service should it not automatically take care of both the tcp port and protocol on the firewall.??

I actually did try creating my own service and specifying the the rras port as well as protocol, it gave the same result

Author Comment

ID: 24111501
Actually I tried logging on using full name and it worked.

thanks so much.

Assisted Solution

mickeyfan earned 250 total points
ID: 24111515
I would use the MUVPN Software for mobile users with any watchguard hardware. The software is free and setting it up is pretty easy.

We have had issue with using MS VPN through the watchguard hardware. We have had zero problem when we switched over to the watchguard software. The software is more secure and does compression as well.**&p_li=&p_topview=1#soho

MUVPN client connects to a SOHO 6
Determine the software version your SOHO 6 runs

To see what version your SOHO 6 has, go to the main System Status page and look for "Firewall Version" above the picture of the SOHO:

If your SOHO 6 has software version 6.4 or later

Send the MUVPN installation file, the client configuration file, and the Shared Key to the MUVPN user

1. Where to find the client configuration file.

Every Mobile User VPN account you configure has a client configuration file called a "wgx file". You get the wgx file from the SOHO 6 Web management page, in the main VPN area:

Click on the hyperlink for a user's wgx file. Follow the prompts to save the file locally:

2. Copy these files to the user's computer:

The MUVPN installation file, MUVPN.exe or MUVPNLite.exe
The wgx file
3. Give the user the Shared Key.

The shared key is sensitive information. You should not send this to the user with email. Give the user the shared key by telling it to the user, or by some other method that does not allow an unauthorized person to get the shared key
Install the MUVPN software

Note:  Do not install this software if there is another IPSec VPN program on the user's computer. Uninstall any other VPN software, including any previous version of WatchGuard's MUVPN software before installing this software.
Note:  You must have local administrative rights on the computer to install the software. You do not have to have administrative rights to use the program after it is installed.

Installation of the MUVPN software is exactly the same for a user connecting to a Firebox III or Firebox X. Follow the steps at "Install the MUVPN Program" listed in the previous section. Ignore any mention of certificates. The SOHO 6 can not use certificates for MUVPN connections.

The SOHO 6 also has a Remote Management feature that is very similar to an MUVPN client account. You get the wgx file for the Remote Management account from the SOHO 6 Administration page:


Author Comment

ID: 24111727
thanks, mickey, the information would really be helpful if I run into vpn problems. So far with ms it looks good ( still in test ). when I start rolling out i i will find out what are the other issues. In the mean time i will close the case and open a new one whent the issues happen again. thanks for all your hlep guys who responded to this mesage in timely manner.

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
2-Factor authentication VPN for staff and suppliers 6 89
Cisco ASA 5505's for VPN study 15 88
Remote laptop can't connect to mapped shared drive 14 76
IPSec firewall rules 1 35
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question