Solved

Windows 7 VPN users can not connect simultaneously

Posted on 2010-09-03
Last Modified: 2012-08-14
Hello.

I have this issue.

SCENARIO:
I have a LAN (Windows Server 2008) with Windows 7 Professional computers. We are trying to connect 6 of our computers to a remote VPN.

I have a Juniper ScreenOS 6.2.0r6.0 firewall. VPN section has not been configured at all.

ISSUE:
Only one computer is able to connect to the VPN. No simultaneous connections are allowed. Basically the second computer would kick off the previous one connected. Once the "kicked off" computer gets disconnected, when retrying to reconnect, it would give an error:

Connecting to vpn.xxxxxxx.com using "WAN Miniport (L2TP)...
Error 800: The Remote Connection was not made because the attempted VPN tunnels failed.

Sometimes I would also get:

Error 619: A Connection to the remote computer could not be established so the port used for this connection was closed.

I've been googling up and down and there is not a clear solution to this. Even here in EX-EX I couldn't find a solution to my problem.

RANDOM THOUGHTS:
I checked the firewall and our policies do not restrict that port or service. Before we set up NEW everything (Servers, Firewalls and Desktop PCs) we were able to communicate perfectly fine. So if the issue is still the firewall, it has to do with allowing multiple connections through the same service/port/whatever.

Another interesting fact is that if one of these users connects from home, they would not have any issues and it wouldn't kick off the one connected from inside.

One more thing. Our intranet IP schema changed from 192.168..... to 10.10..... There might be a chance that the rule that they created for our previous IP schema (if they had one) is not being applied to our new schema anymore.

Has anyone been in my shoes before?

Thank you
Question by:acampos
10 Comments
 
LVL 2

Expert Comment

by:edwarneke
Typically for VPN connections you can only connect one tunnel per external IP address. This may vary based on your VPN software (whether it's MS built-in VPN software or a vendor such as Cisco's VPN solution).

Generally there are also issues if your local network has the same IP scheme as the destination network's internal network (i.e., both have 192.168.1.x schemas). When you try to talk to server 192.168.1.x, it thinks it's on your local network, so doesn't go out the VPN with that traffic.

You say it worked in the past; did anything change on the network you are VPNing into?
 
LVL 68

Expert Comment

by:Qlemo
Which kind of VPN are you using? If it is PPTP, you need to enable the GRE Application Layer Gateway (via CLI command). And that ALG had several issues over the last two years (I'm in contact with Juniper Support every now and then because of that). 6.2.0r6 should be safe, we did not have issues with GRE on it.

Are you trying to connect all clients to the *same* remote gateway? As said by edwarneke, it depends on many factors if you are able to use multiple connections to the same gateway. Most do not allow that.
There are much better ways to allow for multiple users to use the same (PPTP or L2TP/IPSec) VPN, in particular if you have Windows Server 2003 or above (as you have). The Routing and RAS service there allows for on-demand dial-in and routing in combination with client NAT. That works great in our office.
 

Author Comment

by:acampos
Ok, it seems I didn't know how to explain myself.

We acquired a new company, in a different state. We are in GA, company in IN. In the old office, we were able to connect to the VPN from GA (simultaneous connections); we had like 6 people connected all the time. Our schema was 192.168.0.x

We moved to a new building. Good reason to upgrade 100% of our equipment. We got Windows 7 for everybody and we got new DELL servers with Win2008 R2. We also have Juniper as a firewall. This is a new firewall, though. Its VPN section is empty: not one tunnel, configuration, nothing. Our IP schema changed, though. Now we have 10.10.6.x for our desktop PCs.

When these 6 employees tried to connect to the VPN, they were able to do so, but only one at a time. Next one would connect but would kick the previous person connected off.

There are things I don't know about the host I am trying to connect to. Like the kind of VPN for example or how they have it configured over there. Supposedly there is a network administrator over there who is taking care of this thing for us. I am gonna get on the phone with him in a couple of hours and try to figure out WHY we can only connect one at a time from the office IF at their end nothing changed. I am assuming that MAYBE our new IP schema is not set up in their firewall\RAS rules to allow us to have multiple connections....

I guess once I get on the phone I will have more info to share with you guys. But I wanted to make sure I wasn't making an obvious mistake on my side.

Is there anything I have to do in my firewall to allow OUTBOUND multiple connections to that VPN? We didn't have anything set up in the old building.

clueless so far...
 
LVL 68

Expert Comment

by:Qlemo
If you have outgoing PPTP connections *crossing* the Juniper, you will definitely need the PPTP ALG.
 

Author Comment

by:acampos
Qlemo, excuse my ignorance on the subject. I am new to all this network thing. I am more a software developer. You mean by PPTP ALG that I should create a tunnel or something like that?

What exactly do I need to know from the other end (VPN server)?

Thank you
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
The simplest method to find out what is really used is to let one user connect to the VPN, and then look on that user's PC which ports are used (e.g. with netstat -n). If you see port 1723, it is PPTP, if it is 1721, it is L2TP with IPSec.
In addition or anyway, you can switch on PPTP ALG on your Juniper. Go into the WebUI, Security, ALG, and tick PPTP. Apply. After that, PPTP should work simultaneously.
 
LVL 68

Expert Comment

by:Qlemo
BTW, your IP address change is not related to the issue, as long as you are not using the same subnet as the remote office. I don't think so, else you would have serious issues even when only one client is connected.
 
LVL 2

Expert Comment

by:edwarneke
Right, very much doubt it's the subnet since you can have one client on and have it work fine. The issue is probably based on PPTP limitations: without specific software/hardware to enable multiple connections from the same network to a VPN host, PPTP doesn't allow it. From what Qlemo says, though, you should be able to allow multiple connections with the Juniper device.
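
Added example, not part of the thread and not Juniper's code: a simplified Python model of why several PPTP clients behind one NAT address displace each other, and how a PPTP ALG avoids that by tracking the Call ID carried in the GRE header. The addresses, Call IDs and the NatGateway class are constructed for illustration.

```python
# Simplified model of a source-NAT session table for PPTP (not ScreenOS code).
# All addresses and Call IDs are constructed sample values.
VPN_SERVER = "198.51.100.20"              # remote PPTP server
CLIENTS = ["10.10.6.21", "10.10.6.22"]    # two inside PCs behind one public IP


class NatGateway:
    def __init__(self, pptp_alg):
        self.pptp_alg = pptp_alg
        self.gre_map = {}        # inbound GRE key -> (inside IP, client Call ID)
        self.next_call_id = 1    # unique Call IDs the ALG hands out

    def outbound_control(self, client_ip, server_ip, client_call_id):
        """Client sets up a call over TCP 1723, announcing the Call ID it
        expects in GRE packets. Returns the Call ID the server gets to see."""
        if self.pptp_alg:
            # The ALG parses the control message, rewrites the Call ID to a
            # value unique on the outside, and records who owns it.
            wan_call_id = self.next_call_id
            self.next_call_id += 1
            self.gre_map[(server_ip, wan_call_id)] = (client_ip, client_call_id)
            return wan_call_id
        # Without the ALG the gateway sees only "GRE from this server": GRE
        # has no ports, so a second client overwrites the first one's entry.
        self.gre_map[(server_ip, None)] = (client_ip, client_call_id)
        return client_call_id

    def inbound_gre(self, server_ip, call_id):
        """GRE data packet from the server; returns the inside destination."""
        key = (server_ip, call_id if self.pptp_alg else None)
        return self.gre_map.get(key)


def simulate(pptp_alg):
    """Connect both clients, then deliver one GRE reply per session."""
    gw = NatGateway(pptp_alg)
    # Each PC numbers its calls independently, so both may pick Call ID 1.
    wan_ids = [gw.outbound_control(ip, VPN_SERVER, 1) for ip in CLIENTS]
    return [gw.inbound_gre(VPN_SERVER, cid)[0] for cid in wan_ids]


if __name__ == "__main__":
    print("ALG off:", simulate(False))   # both replies reach the newest client
    print("ALG on: ", simulate(True))    # each reply reaches its own client
```

With the ALG off, the first client's tunnel traffic is delivered to the second client, which matches the "kicked off" symptom; a user connecting from home arrives from a different public address and so never collides.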
 

Author Comment

by:acampos
Qlemo, you are the MAN!!!!

PPTP was unchecked...

Thank you so much. Get those 500 and add them to your 2,268,691 points amassed so far :)

Thank you all for your time and concern on this thread.
 

Author Comment

by:acampos
By the way, now I have another issue. They can't print. Local printers are not showing up in the list. But I will research before I start a new thread. Bye and thank you all.