Windows 7 VPN users can not connect simultaneously

Hello.

I have this issue.

SCENARIO:
I have a LAN (Windows Server 2008) with Windows 7 Professional computers. We are trying to connect 6 of our computers to a remote VPN.

I have a Juniper ScreenOS 6.2.0r6.0 firewall. VPN section has not been configured at all.

ISSUE:
Only one computer is able to connect to the VPN. No simultaneous connections are allowed. Basically the second computer would kick off the previous one connected. Once the "kicked off" computer gets disconnected, when retrying to reconnect, it would give an error:

Connecting to vpn.xxxxxxx.com using "WAN Miniport (L2TP)...
Error 800: The Remote Connection was not made because the attempted VPN tunnels failed.

Sometimes I would also get:

Error 619: A Connection to the remote computer could not be established so the port used for this connection was closed.

I've been googling up and down and there is not a clear solution to this. Even here in EX-EX I couldn't find a solution to my problem.

RANDOM THOUGHTS:
I checked the firewall and our policies do not restrict that port or service. Before we set up NEW everything (Servers, Firewalls and Desktop PCs) we were able to communicate perfectly fine. So if the issue is still the firewall, it has to do with allowing multiple connections through the same service/port/whatever.

Another interesting fact is that if one of these users connects from home, it would not have any issues and it wouldn't kick off the one connected from inside.

One more thing. Our intranet IP schema changed from 192.168..... to 10.10..... There might be a chance that the rule that they created for our previous IP schema (if they had one) is not being applied to our new schema anymore.

Has anyone been in my shoes before?

Thank you
Asked by: acampos

edwarneke commented:
Typically for VPN connections you can only connect one tunnel per external IP address. This may vary based on your VPN software (whether it's MS built-in VPN software or a vendor such as Cisco's VPN solution).

Generally there are also issues if your local network has the same IP scheme as the destination network's internal network (i.e., both have 192.168.1.x schemas). When you try to talk to server 192.168.1.x, it thinks it's on your local network, so doesn't go out the VPN with that traffic.

You say it worked in the past, did anything change on the network you are VPNing into?

Qlemo (C++ Developer) commented:
Which kind of VPN are you using? If it is PPTP, you need to enable the GRE Application Layer Gateway (via CLI command). And that ALG had several issues over the last two years (I'm in contact with Juniper Support every now and then because of that). 6.2.0r6 should be safe, we did not have issues with GRE on it.

Are you trying to connect all clients to the *same* remote gateway? As said by edwarneke, it depends on many factors if you are able to use multiple connections to the same gateway. Most do not allow that.
There are much better ways to allow for multiple users to use the same (PPTP or L2TP/IPSec) VPN, in particular if you have Windows Server 2003 or above (as you have). The Routing and RAS service there allows for on-demand dial-in and routing in combination with client NAT. That works great in our office.

acampos (Author) commented:
OK, it seems I didn't know how to explain myself.

We acquired a new company, in a different state. We are in GA, company in IN. In the old office, we were able to connect to the VPN from GA (simultaneous connections); we had like 6 people connected all the time. Our schema was 192.168.0.x

We moved to a new building. Good reason to upgrade 100% all of our equipment. We got Windows 7 for everybody and we got new Dell servers with Win2008 R2. We also have Juniper as a firewall. This is a new firewall, though. Its VPN section is empty: no tunnel, configuration, nothing. Our IP schema changed, though. Now we have 10.10.6.x for our desktop PCs.

When these 6 employees tried to connect to the VPN, they were able to do so, but only one at a time. The next one would connect but would kick the previous person connected off.

There are things I don't know about the host I am trying to connect to, like the kind of VPN for example or how they have it configured over there. Supposedly there is a network administrator over there who is taking care of this thing for us. I am going to get on the phone with him in a couple of hours and try to figure out WHY we can only connect one at a time from the office IF at their end nothing changed. I am assuming that MAYBE our new IP schema is not set up in their firewall\RAS rules to allow us to have multiple connections....

I guess once I get on the phone I will have more info to share with you guys. But I wanted to make sure I wasn't making an obvious mistake on my side.

Is there anything I have to do in my firewall to allow OUTBOUND multiple connections to that VPN? We didn't have anything set up in the old building.

clueless so far...

Qlemo (C++ Developer) commented:
If you have outgoing PPTP connections *crossing* the Juniper, you will definitely need the PPTP ALG.

acampos (Author) commented:
Qlemo, excuse my ignorance on the subject. I am new to all this network thing. I am more of a software developer. You mean by PPTP ALG that I should create a tunnel or something like that?

What exactly do I need to know from the other end (VPN server)?

Thank you

Qlemo (C++ Developer) commented:
The simplest method to find out what is really used is to let one user connect to the VPN, and then look on that user's PC which ports are used (e.g. with netstat -n). If you see port 1723, it is PPTP, if it is 1721, it is L2TP with IPSec.
In addition or anyway, you can switch on PPTP ALG on your Juniper. Go into the WebUI, Security, ALG, and tick PPTP. Apply. After that, PPTP should work simultaneously.

Qlemo (C++ Developer) commented:
BTW, your IP address change is not related to the issue, as long as you are not using the same subnet as the remote office. I don't think so, else you would have serious issues even when only one client is connected.

edwarneke commented:
Right, very much doubt it's the subnet since you can have one client on and have it work fine. The issue is probably based on PPTP limitations, without specific software/hardware to enable multiple connections from the same network to a VPN host, PPTP doesn't allow it. From what Qlemo says though you should be able to with the Juniper device allow multiple connections.
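
The limitation discussed above, as a simplified model added here (not part of the thread and not Juniper's implementation): PPTP's data channel is GRE, which has no port numbers, so a NAT gateway without PPTP awareness can key return traffic only on the server address, while an ALG keys it on the Call ID it reads from the TCP 1723 control channel. The class and function names, the Call ID values and the 203.0.113.10 server address are assumptions made for illustration.

```python
"""Simplified model: PPTP data traffic (GRE, IP protocol 47) crossing a NAT gateway."""

class NatGateway:
    def __init__(self, pptp_alg):
        self.pptp_alg = pptp_alg
        self.gre_sessions = {}    # inbound lookup key -> inside host
        self.next_public_id = 1   # the ALG hands out unique public Call IDs

    def client_opens_tunnel(self, inside_ip, server_ip, call_id):
        """Register a client's PPTP call; return the Call ID the server sees."""
        if self.pptp_alg:
            # ALG reads the Call ID on the control channel, rewrites it to a
            # value unique on the public side, and keys the GRE session on it.
            public_id = self.next_public_id
            self.next_public_id += 1
            self.gre_sessions[(server_ip, public_id)] = inside_ip
            return public_id
        # No ALG: GRE has no ports, so the only usable key is the server
        # address. A new client silently replaces the previous mapping.
        self.gre_sessions[(server_ip, None)] = inside_ip
        return call_id

    def deliver_inbound_gre(self, server_ip, call_id):
        """Return the inside host that receives a GRE packet from the server."""
        key = (server_ip, call_id if self.pptp_alg else None)
        return self.gre_sessions.get(key)

def simulate(pptp_alg,
             clients=("10.10.6.11", "10.10.6.12", "10.10.6.13"),  # constructed hosts
             server="203.0.113.10"):                               # constructed server
    """Connect every client, then report whose tunnel still gets return traffic."""
    gw = NatGateway(pptp_alg)
    # Every client happens to pick Call ID 1 (constructed worst case).
    seen = {ip: gw.client_opens_tunnel(ip, server, call_id=1) for ip in clients}
    return {ip: gw.deliver_inbound_gre(server, seen[ip]) == ip for ip in clients}

if __name__ == "__main__":
    for alg in (False, True):
        print("PPTP ALG on " if alg else "PPTP ALG off", simulate(alg))
```

With the ALG off, only the last client to connect still receives return traffic, which matches the "second computer kicks off the first" symptom in the question.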

acampos (Author) commented:
Qlemo, you are the MAN!!!!

PPTP was unchecked...

Thank you so much. Get those 500 and add it up to your 2,268,691 points amassed so far :)

Thank you all for your time and concern on this thread.

acampos (Author) commented:
By the way, now I have another issue. They can't print. Local printers are not showing up in the list. But I will research before I start a new thread. Bye and thank you all.