acampos

Windows 7 VPN users can not connect simultaneously

Hello.

I have this issue.

SCENARIO:
I have a LAN (Windows Server 2008) with Windows 7 Professional computers. We are trying to connect 6 of our computers to a remote VPN.

I have a Juniper ScreenOS 6.2.0r6.0 firewall. VPN section has not been configured at all.

ISSUE:
Only one computer is able to connect to the VPN. No simultaneous connections are allowed. Basically the second computer would kick off the previous one connected. Once the "kicked off" computer gets disconnected, when retrying to reconnect, it would give an error:

Connecting to vpn.xxxxxxx.com using "WAN Miniport (L2TP)...
Error 800: The Remote Connection was not made because the attempted VPN tunnels failed.

Sometimes I would also get:

Error 619: A Connection to the remote computer could not be established so the port used for this connection was closed.

I've been googling up and down and there is not a clear solution to this. Even here in EX-EX I couldn't find a solution to my problem.

RANDOM THOUGHTS:
I checked the firewall and our policies do not restrict that port or service. Before we set up NEW everything (Servers, Firewalls and Desktop PCs) we were able to communicate perfectly fine. So if the issue is still the firewall, it has to do with allowing multiple connections through the same service/port/whatever.

Another interesting fact is that if one of these users connects from home, it would not have any issues and it wouldn't kick off the one connected from inside.

One more thing. Our intranet IP schema changed from 192.168..... to 10.10..... There might be a chance that the rule that they created for our previous IP schema (if they had one) is not being applied to our new schema anymore.

Has anyone been in my shoes before?

Thank you
edwarneke

Typically for VPN connections you can only connect one tunnel per external IP address. This may vary based on your VPN software (whether it's MS built-in VPN software or a vendor's, such as Cisco's VPN solution).

Generally there are also issues if your local network has the same IP scheme as the destination network's internal network (i.e., both have 192.168.1.x schemas). When you try to talk to server 192.168.1.x, it thinks it's on your local network, so it doesn't go out the VPN with that traffic.

You say it worked in the past, did anything change on the network you are VPNing into?
Qlemo

Which kind of VPN are you using? If it is PPTP, you need to enable the GRE Application Layer Gateway (via CLI command). And that ALG had several issues over the last two years (I'm in contact with Juniper Support every now and then because of that). 6.2.0r6 should be safe, we did not have issues with GRE on it.

Are you trying to connect all clients to the *same* remote gateway? As said by edwarneke, it depends on many factors if you are able to use multiple connections to the same gateway. Most do not allow that.
There are much better ways to allow for multiple users to use the same (PPTP or L2TP/IPSec) VPN, in particular if you have Windows Server 2003 or above (as you have). The Routing and RAS service there allows for on-demand dial-in and routing in combination with client NAT. That works great in our office.
acampos

ASKER

Ok, it seems I didn't know how to explain myself.

We acquired a new company, in a different state. We are in GA, company in IN. In the old office, we were able to connect to the VPN from GA (simultaneous connections); we had like 6 people connected all the time. Our schema was 192.168.0.x

We moved to a new building. Good reason to upgrade 100% all of our equipment. We got Windows 7 for everybody and we got new DELL servers with Win2008 R2. We also have Juniper as a firewall. This is a new firewall though. Its VPN section is empty. Not one tunnel, configuration, nothing. Our IP schema changed though. Now we have 10.10.6.x for our desktop PCs.

When these 6 employees tried to connect to the VPN, they were able to do so, but only one at a time. Next one would connect but would kick the previous person connected off.

There are things I don't know about the host I am trying to connect to. Like the kind of VPN for example or how they have it configured over there. Supposedly there is a network administrator over there who is taking care of this thing for us. I am going to get on the phone with him in a couple of hours and try to figure out WHY we can only connect one at a time from the office IF at their end nothing changed. I am assuming that MAYBE our new IP schema is not set up in their firewall\RAS rules to allow us to have multiple connections....

I guess once I get on the phone I will have more info to share with you guys. But I wanted to make sure I wasn't making an obvious mistake on my side.

Is there anything I have to do in my firewall to allow OUTBOUND multiple connections to that VPN? We didn't have anything set up in the old building.

clueless so far...
If you have outgoing PPTP connections *crossing* the Juniper, you will definitively need the PPTP ALG.
acampos

ASKER

Qlemo, excuse my ignorance on the subject. I am new to all this network thing. I am more a software developer. You mean by PPTP ALG that I should create a tunnel or something like that?

What exactly should I know from the other end (VPN server)?

Thank you
ASKER CERTIFIED SOLUTION
Qlemo
This solution is only available to members.
BTW, your IP address change is not related to the issue, as long as you are not using the same subnet as the remote office. I don't think so, else you would have serious issues even when only one client is connected.
Right, very much doubt it's the subnet, since you can have one client on and have it work fine. The issue is probably based on PPTP limitations: without specific software/hardware to enable multiple connections from the same network to a VPN host, PPTP doesn't allow it. From what Qlemo says, though, you should be able to allow multiple connections with the Juniper device.
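
Added example, not part of any post in this thread: a simplified Python model of why several inside clients calling the same PPTP server through one NAT address knock each other off, and what a PPTP ALG changes. GRE (the PPTP data channel) has no port numbers, so a plain NAT can only key return traffic on the server address, while an ALG uses the PPTP Call ID like a port. The class names, the 203.0.113.10 server address and the Call ID values are constructed for illustration.

```python
GRE = 47  # IP protocol number of the PPTP data channel (it has no port numbers)

class PlainNat:
    """NAT without a PPTP ALG: return GRE can only be keyed on the server."""
    def __init__(self):
        self.gre = {}                      # server_ip -> inside_ip

    def outbound_call(self, inside_ip, server_ip, call_id):
        self.gre[server_ip] = inside_ip    # a newer client replaces the older one
        return call_id                     # Call ID passes through untouched

    def inbound_gre(self, server_ip, call_id):
        inside_ip = self.gre.get(server_ip)
        return (inside_ip, call_id) if inside_ip else None

class PptpAlgNat:
    """NAT with a PPTP ALG: learns each Call ID from the TCP/1723 control
    channel and uses it like a port, rewriting it when two clients collide."""
    def __init__(self):
        self.calls = {}                    # (server_ip, public_id) -> (inside_ip, call_id)

    def outbound_call(self, inside_ip, server_ip, call_id):
        public_id = call_id
        while (server_ip, public_id) in self.calls:
            public_id = public_id % 0xFFFF + 1   # pick a free 16-bit Call ID
        self.calls[(server_ip, public_id)] = (inside_ip, call_id)
        return public_id                   # the Call ID the server sees

    def inbound_gre(self, server_ip, call_id):
        return self.calls.get((server_ip, call_id))

def simulate(nat, clients, server_ip):
    """Open one PPTP call per client, then send one GRE reply per call.
    Returns {client_ip: ip_that_received_its_reply}."""
    seen_by_server = {ip: nat.outbound_call(ip, server_ip, cid) for ip, cid in clients}
    delivered = {}
    for ip, public_id in seen_by_server.items():
        hit = nat.inbound_gre(server_ip, public_id)
        delivered[ip] = hit[0] if hit else None
    return delivered

# Constructed sample: three inside hosts in the thread's 10.10.6.x range,
# two of them choosing the same Call ID; the server address is a placeholder.
CLIENTS = [("10.10.6.11", 1), ("10.10.6.12", 1), ("10.10.6.13", 2)]
SERVER = "203.0.113.10"

if __name__ == "__main__":
    print("no ALG  :", simulate(PlainNat(), CLIENTS, SERVER))
    print("with ALG:", simulate(PptpAlgNat(), CLIENTS, SERVER))
```

Without the ALG every reply lands on the last client that connected, which matches the "second computer kicks off the first" symptom; with it, each reply reaches its own client.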
acampos

ASKER

Qlemo, you are the MAN!!!!

PPTP was unchecked...

Thank you so much. Get those 500 and add it up to your 2,268,691 points amassed so far :)

Thank you all for your time and concern on this thread.
acampos

ASKER

By the way, now I have another issue. They can't print. Local printers are not showing up in the list. But I will research before I start a new thread. Bye and thank you all.