Windows 7 VPN users can not connect simultaneously


I have this issue.

I have a LAN (Windows Server 2008) with Windows 7 Professional computers. We are trying to connect 6 of our computers to a remote VPN.

I have a Juniper ScreenOS 6.2.0r6.0 firewall. VPN section has not been configured at all.

Only one computer is able to connect to the VPN. No simultaneous connections are allowed. Basically, the second computer would kick off the one previously connected. Once the "kicked off" computer gets disconnected, retrying to reconnect would give an error:

Connecting to using "WAN Miniport (L2TP)...
Error 800: The Remote Connection was not made because the attempted VPN tunnels failed.

Sometimes I would also get:

Error 619: A Connection to the remote computer could not be established so the port used for this connection was closed.

I've been googling up and down and there is not a clear solution to this. Even here in EX-EX I couldn't find a solution to my problem.

I checked the firewall and our policies do not restrict that port or service. Before we set up everything NEW (servers, firewalls and desktop PCs) we were able to communicate perfectly fine. So if the issue is still the firewall, it has to do with allowing multiple connections through the same service/port/whatever.

Another interesting fact is that if one of these users connects from home, they would not have any issues and it wouldn't kick off the one connected from inside.

One more thing. Our intranet IP schema changed from 192.168..... to 10.10..... There might be a chance that the rule that they created for our previous IP schema (if they had one) is not being applied to our new schema anymore.

Has anyone been in my shoes before?

Thank you
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The simplest method to find out what is really used is to let one user connect to the VPN, and then look on that user's PC which ports are used (e.g. with netstat -n). If you see port 1723, it is PPTP, if it is 1721, it is L2TP with IPSec.
In addition or anyway, you can switch on PPTP ALG on your Juniper. Go into the WebUI, Security, ALG, and tick PPTP. Apply. After that, PPTP should work simultaneously.
Typically for VPN connections you can only connect one tunnel per external IP address. This may vary based on your VPN software (whether it's MS built-in VPN software or a vendor's, such as Cisco's VPN solution).

Generally there are also issues if your local network has the same IP scheme as the destination network's internal network (i.e., both have 192.168.1.x schemas). When you try to talk to server 192.168.1.x, it thinks it's on your local network, so it doesn't go out the VPN with that traffic.

You say it worked in the past; did anything change on the network you are VPNing into?
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Which kind of VPN are you using? If it is PPTP, you need to enable the GRE Application Layer Gateway (via CLI command). And that ALG had several issues over the last two years (I'm in contact with Juniper Support every now and then because of that). 6.2.0r6 should be safe, we did not have issues with GRE on it.

Are you trying to connect all clients to the *same* remote gateway? As said by edwarneke, it depends on many factors if you are able to use multiple connections to the same gateway. Most do not allow that.
There are much better ways to allow for multiple users to use the same (PPTP or L2TP/IPSec) VPN, in particular if you have Windows Server 2003 or above (as you have). The Routing and RAS service there allows for on-demand dial-in and routing in combination with client NAT. That works great in our office.
acampos (Author) commented:
OK, it seems I didn't know how to explain myself.

We acquired a new company, in a different state. We are in GA, the company is in IN. In the old office, we were able to connect to the VPN from GA (simultaneous connections); we had like 6 people connected all the time. Our schema was 192.168.0.x

We moved to a new building. Good reason to upgrade 100% of our equipment. We got Windows 7 for everybody and new Dell servers with Win2008 R2. We also have a Juniper as a firewall. This is a new firewall, though. Its VPN section is empty: not one tunnel, configuration, nothing. Our IP schema changed, though. Now we have 10.10.6.x for our desktop PCs.

When these 6 employees tried to connect to the VPN, they were able to do so, but only one at a time. The next one would connect but would kick off the person previously connected.

There are things I don't know about the host I am trying to connect to. Like the kind of VPN, for example, or how they have it configured over there. Supposedly there is a network administrator over there who is taking care of this thing for us. I am going to get on the phone with him in a couple of hours and try to figure out WHY we can only connect one at a time from the office IF nothing changed at their end. I am assuming that MAYBE our new IP schema is not set up in their firewall\RAS rules to allow us to have multiple connections....

I guess once I get on the phone I will have more info to share with you guys. But I wanted to make sure I wasn't making an obvious mistake on my side.

Is there anything I have to do in my firewall to allow multiple OUTBOUND connections to that VPN? We didn't have anything set up in the old building.

clueless so far...
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
If you have outgoing PPTP connections *crossing* the Juniper, you will definitely need the PPTP ALG.
acampos (Author) commented:
Qlemo, excuse my ignorance on the subject. I am new to all this network stuff. I am more of a software developer. By PPTP ALG, do you mean that I should create a tunnel or something like that?

What exactly do I need to know from the other end (VPN server)?

Thank you
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
BTW, your IP address change is not related to the issue, as long as you are not using the same subnet as the remote office. I don't think so, else you would have serious issues even when only one client is connected.
Right, I very much doubt it's the subnet, since you can have one client on and have it work fine. The issue is probably based on PPTP limitations: without specific software/hardware to enable multiple connections from the same network to a VPN host, PPTP doesn't allow it. From what Qlemo says, though, with the Juniper device you should be able to allow multiple connections.
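Why a second PPTP client behind a NAT firewall displaces the first, and what a PPTP ALG changes, as an added example that is not part of the original thread. It is a simplified model, not ScreenOS's implementation; the addresses, Call IDs and all class and function names are constructed.

```python
import struct

def pptp_gre_header(call_id, seq=1):
    """Enhanced GRE header PPTP uses for tunnelled data (RFC 2637)."""
    # 0x3001 = Key and Sequence flags, version 1; 0x880B = PPP payload.
    # Fields: flags/ver, protocol type, payload length, Call ID, sequence.
    return struct.pack("!HHHHI", 0x3001, 0x880B, 0, call_id, seq)

def call_id_of(header):
    return struct.unpack("!HHHHI", header[:12])[3]

class GreNat:
    """Simplified model of NAT state for PPTP data (GRE, IP protocol 47)."""
    def __init__(self, pptp_alg):
        self.pptp_alg = pptp_alg
        self.table = {}    # lookup key -> inside client IP
        self.next_id = 1   # next translated Call ID handed out by the ALG

    def outbound_call(self, client_ip, server_ip, client_call_id):
        """A client opens a PPTP call; returns the Call ID the server sees."""
        if self.pptp_alg:
            # The ALG follows the control channel (TCP 1723) and gives each
            # call a unique translated Call ID, like a translated source port.
            translated = self.next_id
            self.next_id += 1
            self.table[(server_ip, translated)] = client_ip
            return translated
        # No ALG: GRE has no ports, so the peer address is the only key and
        # the newest session replaces the previous one.
        self.table[(server_ip, None)] = client_ip
        return client_call_id

    def inbound(self, server_ip, header):
        """Inside client that receives a GRE packet sent by the server."""
        key = (server_ip, call_id_of(header) if self.pptp_alg else None)
        return self.table.get(key)

def simulate(pptp_alg):
    """Map each client to the host that actually receives its return traffic."""
    nat = GreNat(pptp_alg)
    server = "203.0.113.10"                 # constructed VPN server address
    clients = ("10.10.6.21", "10.10.6.22")  # constructed LAN hosts
    # Both clients happen to pick the same Call ID (0x4000).
    ids = {c: nat.outbound_call(c, server, 0x4000) for c in clients}
    return {c: nat.inbound(server, pptp_gre_header(i)) for c, i in ids.items()}

if __name__ == "__main__":
    print("without PPTP ALG:", simulate(False))
    print("with PPTP ALG:   ", simulate(True))
```

Without the ALG, both clients' return traffic lands on the most recently connected host, which matches the "kicked off" symptom in the question; with it, each client gets its own traffic back.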
acampos (Author) commented:
Qlemo, you are the MAN!!!!

PPTP was unchecked...

Thank you so much. Get those 500 and add them to your 2,268,691 points amassed so far :)

Thank you all for your time and concern on this thread.
acampos (Author) commented:
By the way, now I have another issue. They can't print. Local printers are not showing up in the list. But I will research before I start a new thread. Bye and thank you all.
Question has a verified solution.
