Solved

VPN works internally but not externally, error 800 / 20209

Posted on 2010-11-13
1,884 Views
Last Modified: 2012-05-10
Greetings,

Suddenly our VPN stopped working with no obvious changes to our infrastructure. The connection to the VPN is intermittent: sometimes I am able to successfully connect, then other times the client hangs on verifying username and password and gives me the 800 error. On the server event log side I get the error 20209. I have tried changing the firewall, which gave me the same result. I am lost as to what could have happened.

We are using a PPTP VPN using Routing and Remote Access
Windows SBS 2003 SP1 installed
1 Linksys switch
1 WatchGuard firewall
T1 connection

Any help would be greatly appreciated.

Thanks
Question by:cbd1012
55 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - please visit www.canyouseeme.org from the server and test port 1723 to see if you get a good response.

If not, please check your firewall has this port open and forwarded to the SBS server's internal IP Address.
 

Author Comment

by:cbd1012
Hi Alan,

This is already in place as the VPN has been working for years, and suddenly stopped. It is really weird as I am able to get in randomly but most of the time I am not able to get in. I am ready to rule out anything hardware related as I already have switched firewalls and I have bypassed the switch altogether and switched cables.
 
LVL 76

Expert Comment

by:Alan Hardisty
No problems - is Routing and Remote Access Service started?

If it is - you can disable RRAS (don't disable the service - disable it via console).

Then re-create it and choose the manual option on the first screen, then VPN on the second screen.

If that doesn't make sense - I'll run through specific instructions.

 

Author Comment

by:cbd1012
Hi Alan, the service was running; I have started and restarted it many times.

Hi Alan, something interesting is happening. I set up another server as our VPN server and tried to connect to that one and I got the same error I got on the other machines.

I talked to my ISP already and they assured me that they are not blocking anything.

A connection between the VPN server and the VPN client 208.54.39.201 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
LVL 76

Expert Comment

by:Alan Hardisty
Do you have Protocol 47 allowed through the router / firewall?

What are the results of www.canyouseeme.org testing port 1723?
 

Author Comment

by:cbd1012
http://bit.ly/cJ2Hpe -> Is this the correct option?

Results of my 1723 port test:

Success: I can see your service on 64.xx.xx.xx on port (1723)
Your ISP is not blocking port 1723
 
LVL 76

Expert Comment

by:Alan Hardisty
That looks like the IP on the other end is essentially in a DMZ - no restrictions on access to the internet.  Is that the case?
 

Author Comment

by:cbd1012
Honestly, I'm not sure of the answer to that. It's a T1 with a static IP; how would I be able to verify this?
 
LVL 76

Expert Comment

by:Alan Hardisty
Looking at the following link, it suggests that you are opening up 192.168.3.12 to all internet traffic.

http://www.watchguard.com/help/smalloffice/6.2/Wireless_Firewall/soho613w_fire.htm

Do you have two NICs in the SBS server or just the one?
 

Author Comment

by:cbd1012
Hi Alan, thanks again for your help.

This option was never enabled before; I just enabled it after reading about pass through. But I don't understand, after years of functioning, how the VPN could just stop. The weird thing is I have switched firewalls and am still experiencing the behavior. If I bounce the server I can make one successful connection to the VPN server. If I disconnect and reconnect I am no longer able to connect.

There is only one NIC installed.
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - with just one NIC installed, I would not enable the Pass Through for that IP - it sounds like you are opening the firewall up to the internet and that is dangerous.

Can you please open up Routing and Remote Access (Start > Programs > Administrative Tools > Routing and Remote Access).

Right-click on your server and choose Disable Routing and Remote Access. Click Yes.

Then once disabled, right-click the server again and choose Configure and Enable Routing and Remote Access.

Choose Custom configuration and click Next.

Tick VPN Access and click Next, then Finish. Click Yes to start the RRAS service.

Once started - please expand your server in the RRAS console and click on Ports.

Right-click on Ports and select Properties. Then click on L2TP and click the Configure button.

If you don't want 128 L2TP connections, reduce the number here - personally I stick with 0! Click OK and then Yes.

Repeat the above for PPTP but reduce the ports to a more reasonable number based on your organisation's needs. When setting PPTP - untick the Demand-dial routing connections (inbound and outbound). When done - click Apply / OK.

Right-click on the DHCP Relay Agent and choose Properties. Type in the internal IP Address of the server (assuming you are using it to handle DHCP requests; otherwise, type in the DHCP server's IP Address) and click Add, then Apply / OK.

Test VPN access again please.
 
LVL 10

Expert Comment

by:koudry
Hello,

Searching Google for "vpn error 800" resulted in a long listing of results, among which just a few are below. I suspect you have seen these already but if not, please take a look.

Error Message: VPN Connection Error 800: Unable to Establish Connection @ http://support.microsoft.com/kb/319108

What I have read so far indicates that it is possible that the number of connections allowed by the server has been exceeded. There is also the possibility that one of the ports is playing up.

One thing I always check is to make sure the IP connectivity is working fine before putting the VPN on top of it, because there is a chance that your problem may actually be at the IP level rather than the VPN.

Please take a look at the URLs above and see if there is anything there that can help.

Good luck

Koudry
 

Author Comment

by:cbd1012
Thanks, I have seen just about all of those articles - what do you mean by check IP connectivity?
 
LVL 22

Expert Comment

by:Olaf De Ceuster
Please rerun the Connect to the Internet wizard in Server Management > To Do List.
Make sure you allow VPN.
When you say VPN works internally: is your VPN directly to the server IP address?
Hope that helps,
Olaf
 
LVL 77

Expert Comment

by:Rob Williams
If you can connect even once, it is highly unlikely there is a configuration issue. It is more likely that something has changed between client and server. Dropped connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection. It is recommended you change this on the connecting/client computer and, when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
 
LVL 10

Expert Comment

by:koudry
Hello cbd1012:

By IP connectivity, I meant to say that you need to make sure that the VPN client can connect to the network or outside world before attempting to connect to the VPN.

For example, if you do "ipconfig /all", what do you get in terms of IP address? If the IP address you get is correct, try to see if you can connect to the Internet. If this works, then there is no IP connectivity issue.

Another possibility is that your client connectivity details could be problematic, e.g.

Security token: this provides you with a one-time password. If you use this, please make sure the token is still valid
The IP address of the VPN gateway: make sure this has not changed recently
Username of VPN client
Password of VPN client

If a security token was used, there is also an IP address range associated with the token. So when you connect your VPN client to the VPN gateway using that security token, your VPN client will be allocated an IP address from the token IP range.

The VPN client IP address is often a private IP address, e.g. 10.180.20.10. The token will also be associated with an authentication group and shared secret.

So after connecting the client to the VPN gateway, you need to check the IP allocated to the client to see if it falls within the IP range allocated for the security token. So on this occasion, "ipconfig /all" on the client will show two types of IP, one for the local network (e.g. 192.168.X.X) and the other one for the VPN (10.X.X.X).

If there is a way to do this, it may be worth checking if there are any more IPs available for the VPN client to use. This could be the problem. Do you know how many people connect to the VPN server at one time? Are there enough IPs in the pool for all VPN clients?

Thanks.
 

Author Comment

by:cbd1012
Hi Guys,

I will try your suggestions and report back.

Thanks
 

Author Comment

by:cbd1012
Odd behavior I want to report - I randomly tried to connect to the VPN and now can connect no problem through a Mac computer, but cannot connect on another computer. Could this be an IP address assignment / DHCP issue?
 
LVL 77

Expert Comment

by:Rob Williams
Is the Mac at a different site or the same site? It can be an MTU issue as mentioned. Unlikely it would be related to DHCP assignments to end users.
 

Author Comment

by:cbd1012
Both the Mac and PC are at my house trying to connect into the office remotely. At one point the Mac was not working at all. Is the MTU modified at the client's end or at the server end? Also I noticed a few other users are now connected to the VPN. This is totally weird.
 
LVL 77

Expert Comment

by:Rob Williams
MTU is adjusted at the client end.
If it is erratic, or if you can connect but then it freezes when you try browsing or opening files, it is usually MTU.

If you have several users something you might want to check is do you have enough PPTP ports open. You can have up to 128 which is the default on Server std, but SBS sets this to 5. If you have more users than that or they are not properly releasing, maybe you don't have enough open (connections allowed). To set this, on the server, go to  administrative tools | routing and remote access | expand the server name | right click on ports and choose properties | highlight PPTP and click configure | set the maximum # of ports (I recommend double the number of users to be safe)
 
LVL 10

Expert Comment

by:koudry
Hello cbd1012,

Could you please advise on the operating system of your VPN client, the one you are having problems with?

Thanks.
 

Author Comment

by:cbd1012
Thanks guys, these are all great suggestions. I will be trying these suggestions when I get into the office. The operating system of the users that can connect is Mac OS X, and the computers that cannot connect are Windows 7.
 
LVL 77

Expert Comment

by:Rob Williams
Win7 64-bit or 32-bit? For the record the SBS connection manager client will not work on 64-bit. If you manually configure the VPN client VPN connection it is fine.
 
LVL 10

Expert Comment

by:koudry
Hello cbd1012,

If possible, could you please try an XP machine? A while ago, I had to deal with a frame size problem on Vista. It does not stop you connecting to the VPN server, but it won't let you transmit a document over 1M. I know it is a separate problem and a different OS (W7) but you just don't know. So you may want to try and see if XP works better, or you can even try a Vista machine if you can find one. I am just trying to eliminate the OS aspect of the problem.

Good luck.
 

Author Comment

by:cbd1012
Sure, thanks for the suggestion Koudry. I will try an XP machine; I believe I have a Vista as well to try. I know I've asked this a million times, but what could have prevented all clients from being able to access the VPN? Weird.
 

Author Comment

by:cbd1012
@Robwill it's a variety, but to connect to the VPN I am using the standard "connect to a network" option built into Windows.

 
LVL 77

Expert Comment

by:Rob Williams
That is why I suggested MTU. Sounds like some of the routing between client and server, probably near the server end, may have changed. This would be outside equipment over which you have no control. It wouldn't be the first time it happened. Easy enough to test from one client. Exceeding available PPTP ports could also affect most users.
 
LVL 77

Expert Comment

by:Rob Williams
>>"using the standard connect to a network option buillt into windows "
That should be fine.
 

Author Comment

by:cbd1012
Hi @Robwill, my maximum connections were set to 5; I increased it to 10 and still experienced the same issue. I am going to try the MTU method and see if that helps me connect.
 

Author Comment

by:cbd1012
Hi All,

So I did the test and received "Packet needs to be fragmented but DF set" all the way from the 1400-1200 range. Currently at 1200 it does not fragment.
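The MTU probing that Rob describes above (find the largest ping that passes with Don't-Fragment set, then set the client MTU at or below it) and that cbd1012 ran by hand from 1400 down to 1200 can be automated with a binary search. This is an added example, not code from the thread; it assumes the OS ping binary is on the path, uses 192.0.2.1 as a placeholder for the VPN server address, and takes the 1430 (PPTP) and 1460 (L2TP) ceilings from Rob's comment.

```python
"""Path-MTU probe for a VPN client link (added example, not from the thread)."""
import platform
import subprocess
from typing import Callable

IP_ICMP_HEADERS = 28          # 20-byte IPv4 header + 8-byte ICMP header
PPTP_MAX_MTU = 1430           # ceiling for a Windows PPTP client, per the thread
L2TP_MAX_MTU = 1460           # ceiling for L2TP, per the thread
MIN_PAYLOAD, MAX_PAYLOAD = 500, 1472   # 1472 + 28 = 1500, a full Ethernet frame


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with DF set and the given payload; True if it fit.

    Windows: 'ping -f -l <size>'; Linux: 'ping -M do -s <size>'. A too-large
    probe produces "needs to be fragmented" / "message too long" and a non-zero
    exit status, which we treat as "did not fit".
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    res = subprocess.run(cmd, capture_output=True, text=True)
    out = (res.stdout + res.stderr).lower()
    return res.returncode == 0 and "fragment" not in out


def find_max_payload(probe: Callable[[int], bool],
                     lo: int = MIN_PAYLOAD, hi: int = MAX_PAYLOAD) -> int:
    """Binary-search the largest payload for which probe(size) succeeds.

    Returns 0 if even the smallest size fails (link down or ICMP filtered),
    so the caller does not mistake a dead path for a tiny MTU.
    """
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits: the answer is mid or larger
        else:
            hi = mid - 1      # mid was rejected: the answer is smaller
    return lo


def recommend_mtu(max_payload: int, l2tp: bool = False) -> int:
    """Path MTU = largest payload + headers, capped at the tunnel ceiling.

    The thread's advice still applies: start lower (e.g. 1300) and raise it
    only if connections improve, because the tunnel adds its own overhead.
    """
    path_mtu = max_payload + IP_ICMP_HEADERS
    return min(path_mtu, L2TP_MAX_MTU if l2tp else PPTP_MAX_MTU)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    best = find_max_payload(lambda size: ping_df(target, size))
    print(f"largest DF payload: {best}, path MTU: {best + IP_ICMP_HEADERS}, "
          f"suggested client MTU: {recommend_mtu(best)}")
```

Run it from the client against the VPN server's public address; on a path like the one in the thread (1200 fits, 1201 does not) it reports a path MTU of 1228.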
 
LVL 77

Expert Comment

by:Rob Williams
Just try lowering and then connecting, the tests are not terribly accurate due to overhead.
 

Author Comment

by:cbd1012
I noticed my firewall has an MTU setting; would it be helpful to make a modification here?
 

Author Comment

by:cbd1012
I have not been able to test MTU as right now I'm using my BlackBerry tethered phone as my external internet. I need to get to a reliable external internet source so that I can alter MTU. But I have a Windows XP user who can connect no problem. I had her connect and disconnect multiple times and she was able to get in. Could this be an OS thing possibly?
 

Author Comment

by:cbd1012
Connected to the VPN via iPhone and was able to successfully connect.
 

Author Comment

by:cbd1012
So I was able to get on to an external network and I tried lowering my MTU, which did not allow me to connect; the client still hangs at the verifying username and password step. I tested this on a Mac and a Windows Vista machine.
 
LVL 77

Expert Comment

by:Rob Williams
No need to lower MTU on the firewall. Think of it as trying to reduce the size of a particle flowing through a pipe: you are trying at the source to make it small enough to get through the smallest restriction.

Are the Mac and PC at one site, i.e. could we narrow it down to a site problem and not a general problem?
 

Author Comment

by:cbd1012
Hi Robwill - I want to say thanks again for going through this with me. The Mac is my travel laptop; I am connecting to a neighboring office's wireless to try to VPN from the outside. Our accountant is offsite and she is able to connect with no problems repeatedly. Also I am able to connect on my iPhone using the 3G connection. I tried the DrTCP tool and it did not get me connected.
 
LVL 77

Expert Comment

by:Rob Williams
Very odd, as normally you are far more likely to have a problem connecting with the 3G.
 

Author Comment

by:cbd1012
Do you think reconfiguring the VPN would be a solution?
 
LVL 10

Expert Comment

by:koudry
Hello cbd1012:

I suspect the problem may be around the OS. Now that XP and Mac are working, the next OS to try is Vista. While you are doing that, I will try and see if I can dig out the document on how I resolved the Vista VPN client problem, just in case. I am aware the W7 PC is the problem machine.

Good luck
 

Author Comment

by:cbd1012
It so happens that the few machines that are working are a Windows XP machine, a Mac (intermittently), and an iPhone. I tried Vista on a neighbor's wireless network but I'm not confident of how it was set up, so I want to try it again on another network. Windows 7 machines are also not connecting.
 
LVL 77

Expert Comment

by:Rob Williams
I doubt reconfiguring the VPN would have any positive effects.
 

Author Comment

by:cbd1012
Is there anything such as DHCP or DNS that could be causing this issue?
 
LVL 77

Expert Comment

by:Rob Williams
DNS will not cause connection issues, unless you are connecting to the VPN using a FQDN and not an IP, and you are using a flaky external DNS service.
As far as your internal DNS that will not affect connections, but can affect name resolution. Name resolution issues can be fixed, but the best bet for that is using the SBS Connection Manager client which is completely pre-configured.

DHCP would only affect it if you have run out of addresses to assign the VPN clients.

On that note, there is no chance the server and the connecting client sites are using the same subnets locally, such as both sites using 192.168.0.x or 192.168.1.x?
Usually this will connect but the VPN will not work properly, but I have seen it disallow authentication.
 

Author Comment

by:cbd1012
I have seen that issue too, but they are different subnets. How do I know if I have run out of addresses to assign to the clients?
 
LVL 77

Expert Comment

by:Rob Williams
If you used the SBS wizard to create the VPN it will pull addresses from the standard DHCP console; you can see there the list of allocated IPs.
If you manually created the VPN you can check the range of IPs available for VPN clients in the RRAS management console by right-clicking on the server name and choosing Properties, then under the IP tab you will see a static address pool similar to:
http://www.lan-2-wan.com/Added%20Images/1NIC/rras-1n-9.jpg
 

Author Comment

by:cbd1012
@Robwill thanks for this - I saw this earlier. What would be the best set up? I'm leaning towards a DHCP lease issue as the root of the problem.
 
LVL 77

Expert Comment

by:Rob Williams
Sorry, what do you mean by best set up? DHCP? SBS wizard is by far the best.
However this should also affect LAN users not just external.
 

Accepted Solution

by: cbd1012 (earned 0 total points)
Ahh, I see all LAN users connect fine. The reason I thought it might be a DHCP issue is because there are users who always can connect no matter how many times they log on or off, yet there are some other clients who cannot get on at all.
 
LVL 77

Expert Comment

by:Rob Williams
Good observation.
See in the RRAS console if you can see the connected users (expand server and under "Remote Access Clients"). Watch when they disconnect to see that the session closes (disappears). Maybe the sessions are not dropping and the users are somehow reconnecting to the same sessions.
 
LVL 77

Expert Comment

by:Rob Williams
Thanks for updating cbd1012. What was the specific DHCP issue, it would be good to know the resolution.
Thanks,
--Rob
 

Author Closing Comment

by:cbd1012
The reason was not any of the reasons provided by other users. It was a DHCP issue, as I mentioned.
 
LVL 77

Expert Comment

by:Rob Williams
What was the specific DHCP issue, it would be good to know the resolution.