Solved

VPN works internally but not externally, error 800 / 20209

Posted on 2010-11-13
Last Modified: 2012-05-10
Greetings,

Suddenly our VPN stopped working with no obvious changes to our infrastructure. The connection to the VPN is intermittent - sometimes I am able to successfully connect, then other times the client hangs on verifying username and password and gives me the 800 error. On the server event log side I get the error 20209. I have tried changing the firewall, which gave me the same result. I am lost as to what could have happened.

We are using a PPTP VPN using Routing and Remote Access
Windows SBS 2003 SP1 installed
1 Linksys switch
1 WatchGuard firewall
T1 connection

Any help would be greatly appreciated.

Thanks
Question by:cbd1012
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34127963
Okay - please visit www.canyouseeme.org from the server and test port 1723 to see if you get a good response.

If not, please check your firewall has this port open and forwarded to the SBS server's internal IP Address.
0
 

Author Comment

by:cbd1012
ID: 34127979
Hi Alan,

This is already in place as the VPN has been working for years, and suddenly stopped. It is really weird as I am able to get in randomly but most of the time I am not able to get in. I am ready to rule out anything hardware related as I have already switched firewalls, bypassed the switch altogether and switched cables.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34128063
No problems - is Routing and Remote Access Service started?

If it is - you can disable RRAS (don't disable the service - disable it via console).

Then re-create it and choose the manual option on the first screen, then VPN on the second screen.

If that doesn't make sense - I'll run through specific instructions.

0
 

Author Comment

by:cbd1012
ID: 34128105
Hi Alan, the service was running. I have started and restarted it many times.

Hi Alan, something interesting is happening. I set up another server as our VPN server and tried to connect to that one, and I got the same error I got on the other machines.

I talked to my ISP already and they assured me that they are not blocking anything.

A connection between the VPN server and the VPN client 208.54.39.201 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
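The event 20209 text above separates the two halves of PPTP: the control connection on TCP 1723 (which a port test can see) and the GRE data channel, IP protocol 47 (which it cannot). As an added example that is not part of the original thread, this sketch reads a classic pcap taken on the VPN server and lists peers whose TCP 1723 traffic arrived but whose GRE never did. All addresses and the capture itself are constructed; the function names are hypothetical.

```python
import socket
import struct
from collections import defaultdict

PPTP_PORT = 1723  # PPTP control channel (TCP)
GRE_PROTO = 47    # PPTP tunnel data: IP protocol 47, which has no port number

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet for the constructed sample (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def build_pcap(packets):
    """Wrap IPv4 packets in Ethernet frames inside a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for pkt in packets:
        frame = b"\x00" * 12 + b"\x08\x00" + pkt
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def pptp_summary(pcap, server_ip):
    """Count inbound TCP/1723 and GRE packets per remote peer."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a classic little-endian pcap file")
    stats = defaultdict(lambda: {"tcp1723": 0, "gre": 0})
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if dst != server_ip:
            continue  # only traffic arriving at the VPN server matters here
        if ip[9] == GRE_PROTO:
            stats[src]["gre"] += 1
        elif ip[9] == 6 and len(ip) >= ihl + 4:
            if struct.unpack_from("!H", ip, ihl + 2)[0] == PPTP_PORT:
                stats[src]["tcp1723"] += 1
    return dict(stats)

def peers_missing_gre(stats):
    """Peers whose control connection arrived but whose GRE never did."""
    return sorted(p for p, c in stats.items() if c["tcp1723"] and not c["gre"])

def sample_capture():
    """Constructed capture: one healthy client, one whose GRE is dropped upstream."""
    server, ok, bad = "192.0.2.10", "203.0.113.10", "198.51.100.7"
    gre = b"\x30\x01\x88\x0b" + b"\x00" * 4  # start of a PPTP enhanced GRE header
    return server, build_pcap([
        ipv4(ok, server, 6, tcp_syn(50000, PPTP_PORT)),
        ipv4(ok, server, GRE_PROTO, gre),
        ipv4(ok, server, GRE_PROTO, gre),
        ipv4(bad, server, 6, tcp_syn(50001, PPTP_PORT)),
        ipv4(bad, server, 6, tcp_syn(50001, PPTP_PORT)),
        ipv4(server, ok, GRE_PROTO, gre),  # outbound reply, ignored by the summary
    ])
```

A peer listed by `peers_missing_gre` matches the condition the event text describes: the server saw the control connection, but protocol 47 from that client was dropped somewhere on the path.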
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34128118
Do you have Protocol 47 allowed through the router / firewall?

What are the results of www.canyouseeme.org testing port 1723?
0
 

Author Comment

by:cbd1012
ID: 34128208
http://bit.ly/cJ2Hpe - > Is this the correct option

results of my 1732 port test

Success: I can see your service on 64.xx.xx.xx on port (1723)
Your ISP is not blocking port 1723
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34128216
That looks like the IP on the other end is essentially in a DMZ - no restrictions on access to the internet.  Is that the case?
0
 

Author Comment

by:cbd1012
ID: 34128229
Honestly I'm not sure of the answer to that. It's a T1 with a static IP. How would I be able to verify this?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34128470
Looking at the following link, it suggests that you are opening up 192.168.3.12 to all internet traffic.

http://www.watchguard.com/help/smalloffice/6.2/Wireless_Firewall/soho613w_fire.htm

Do you have two NIC's in the SBS server or just the one?
0
 

Author Comment

by:cbd1012
ID: 34128498
Hi Alan thanks again for your help

This option was never enabled before - I just enabled it after reading about pass through. But I don't understand how, after years of functioning, the VPN could just stop. The weird thing is I have switched firewalls and am still experiencing the behavior. If I bounce the server I can make one successful connection to the VPN server. If I disconnect and reconnect I am no longer able to connect.

There is only one NIC installed
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34128582
Okay - with just one NIC installed, I would not enable the Pass Through for that IP - it sounds like you are opening the firewall up to the internet and that is dangerous.

Can you please open up Routing and Remote Access (Start> Programs> Administrative Tools> Routing and Remote Access).

Right-click on your server and choose Disable Routing and Remote Access.  Click Yes.

Then once disabled, right-click the server again and choose Configure and Enable Routing and Remote Access.

Choose Custom configuration and click next.

Tick VPN Access and click next, then Finish.  Click Yes to start the RRAS service.

Once started - please expand your server in the RRAS console and click on Ports.

Right-click on ports and select Properties.  Then click on L2TP and click the configure button.

If you don't want 128 L2TP connections, reduce the number here - personally I stick with 0! Click OK and then Yes.

Repeat the above for PPTP but reduce the ports to a more reasonable number based on your organisation's needs.  When setting PPTP - untick the Demand-dial routing connections (inbound and outbound).  When done - click Apply / OK.

Right-click on the DHCP Relay Agent and choose Properties.  Type in the internal IP Address of the server (assuming you are using it to handle DHCP requests; otherwise, type in the DHCP Server's IP Address) and click Add then Apply / OK.

Test VPN access again please.
0
 
LVL 10

Expert Comment

by:koudry
ID: 34128599
Hello,

Searching google for "vpn error 800", resulted in a long listing of results among which just few below. I suspect you have seen these already but if not, please take a look.

Error Message: VPN Connection Error 800: Unable to Establish Connection @ http://support.microsoft.com/kb/319108

What I have read so far indicates that it is possible that the number of connections allowed by server has exceeded.  There is also the possibility that one of the ports is playing up.

One thing I always check, is to make sure the IP connectivity is working fine before putting the VPN on top of it. Because there is a chance that your problem may actually be at the IP level rather than VPN.

Please take a look at the URLs above and see if there is anything there that can help.

Good luck

Koudry
0
 

Author Comment

by:cbd1012
ID: 34128649
Thanks, I have seen just about all of those articles - what do you mean by check IP connectivity?
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 34128909
Please rerun the Connect to the Internet wizard in Server Management > To Do List.
Make sure you allow VPN.
When you say VPN works internally: Is your VPN directly to the server IP address?
Hope that helps,
Olaf
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34128994
If you can connect even once, it is highly unlikely there is a configuration issue. It is more likely that something has changed between client and server.  Dropped connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection. It is recommended you change this on the connecting/client computer and, when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
0
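The don't-fragment ping test linked above can be automated. This is an added example, not part of the original thread: it binary-searches the largest ICMP payload that crosses the path with DF set and adds the 28 bytes of IPv4 and ICMP headers to get the path MTU. The probe uses Windows `ping` syntax (`-f` sets DF, `-l` sets payload size); the function names and search bounds are assumptions, and as the post notes the result does not include VPN overhead.

```python
import subprocess

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def windows_df_ping(host, payload):
    """True if one DF-flagged echo of `payload` bytes is answered (Windows ping)."""
    result = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(payload), host],
        capture_output=True, text=True)
    # An echo reply line carries "TTL="; "Packet needs to be fragmented
    # but DF set." and timeouts do not.
    return result.returncode == 0 and "TTL=" in result.stdout


def largest_unfragmented_payload(probe, lo=500, hi=1472):
    """Binary-search the largest payload for which probe(payload) is True.

    `probe` is any callable taking a payload size, so the search can be
    exercised offline with a simulated path. Returns None if even `lo` fails.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid       # mid fits, look higher
        else:
            hi = mid - 1   # mid needs fragmenting, look lower
    return lo


def path_mtu(payload):
    """Convert the largest passing ICMP payload into an IP-level MTU."""
    return payload + ICMP_IP_OVERHEAD


def measure(host):
    """Run the search against a real host (requires Windows and network access)."""
    payload = largest_unfragmented_payload(lambda n: windows_df_ping(host, n))
    return None if payload is None else path_mtu(payload)
```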
 
LVL 10

Expert Comment

by:koudry
ID: 34129469
Hello cbd1012:

By IP connectivity, I meant to say that you need to make sure that the VPN client can connect to the network or outside world before attempting to connect to VPN.

For example, if you do "ipconfig /all", what do you get in terms of IP address?  If the IP address you get is correct, try to see if you can connect to the Internet. If this works, then there is no IP connectivity issue.

Another possibility is that your client connectivity details could be problematic, e.g.

Security token: this provides you with one-time-password.  If you use this, please make sure the token is still valid
The IP address of the VPN gateway: make sure this has not changed recently
Username of VPN client
Password of VPN client

If a security token was used, there is also an IP address range associated with the token. So when you connect your VPN client to the VPN gateway using that security token, your VPN client will be allocated an IP address from the token IP range.  

The VPN client IP address is often a private IP address, e.g. 10.180.20.10.  The token will also be associated with an authentication group and shared secret.

So after connecting the client to the VPN gateway, you need to check the IP allocated to the client to see if it falls within the IP range allocated for the security token. So on this occasion, "ipconfig /all" on the client, will show two types of IP, one for the local network (e.g. 192.168.X.X) and the other one for the VPN (10.X.X.X).

If there is a way to do this, it may be worth checking if there is any more IP available for the VPN client to use. This could be the problem. Do you know how many people connect the VPN server at one time? Is there enough IP in the pool for all VPN clients?

Thanks.
0
 

Author Comment

by:cbd1012
ID: 34132178
Hi Guys,

I will try your suggestions and report back.

Thanks
0
 

Author Comment

by:cbd1012
ID: 34133245
Odd behavior I want to report - randomly tried to connect to the VPN and now can connect no problem through a Mac computer - but cannot connect on another computer - could this be an IP address assignment / DHCP issue?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34133266
Is the MAC at a different site or same site? It can be an MTU issue as mentioned. Unlikely it would be related to DHCP assignments to end users.
0
 

Author Comment

by:cbd1012
ID: 34133278
Both the Mac and PC are at my house trying to connect into the office remotely - at one point the Mac was not working at all - is the MTU modified at the client's end or at the server end? Also I noticed a few other users are now connected to the VPN. This is totally weird.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34133332
MTU is adjusted at the client end.
If it is erratic, or if you can connect but then it freezes when you try browsing or opening files, it is usually MTU.

If you have several users something you might want to check is do you have enough PPTP ports open. You can have up to 128 which is the default on Server std, but SBS sets this to 5. If you have more users than that or they are not properly releasing, maybe you don't have enough open (connections allowed). To set this, on the server, go to  administrative tools | routing and remote access | expand the server name | right click on ports and choose properties | highlight PPTP and click configure | set the maximum # of ports (I recommend double the number of users to be safe)
0
 
LVL 10

Expert Comment

by:koudry
ID: 34135085
Hello cbd1012,

Could you please advise on the Operating System of your VPN client the one you are having problem with?

Thanks.
0
 

Author Comment

by:cbd1012
ID: 34136395
Thanks guys these are all great suggestions. I will be trying these suggestions when i get into the office. The operating system of the users that can connect is MAC OSX, and the computers that cannot connect are Windows 7 .
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34136474
Win7 64bit or 32 bit. For the record the SBS connection manager client will not work on 64 bit. If you manually configure the VPN client VPN connection it is fine.
0
 
LVL 10

Expert Comment

by:koudry
ID: 34136644
Hello cbd1012,

If possible, could you please try an XP machine? A while ago, I had to deal with a frame size problem on Vista. It does not stop you connecting to the VPN server. But it won't let you transmit a document over 1M. I know it is a separate problem and different OS (W7) but you just don't know. So you may want to try and see if XP works better or you can even try a Vista machine if you can find one. I am just trying to eliminate the OS aspect of the problem.

Good luck.
0
 

Author Comment

by:cbd1012
ID: 34137045
Sure, thanks for the suggestion Koudry. I will try an XP machine; I believe I have a Vista as well to try. I know I've asked this a million times, but what could have prevented all clients from being able to access the VPN? Weird.
0
 

Author Comment

by:cbd1012
ID: 34137057
@Robwill it's a variety, but to connect to the VPN I am using the standard connect to a network option built into Windows.
0

 
LVL 77

Expert Comment

by:Rob Williams
ID: 34137083
That is why I suggested MTU. Sounds like some of the routing between client and server, probably near the server end, may have changed. This would be outside equipment over which you have no control. It wouldn't be the first time it happened. Easy enough to test from one client. Exceeding available PPTP ports could also affect most users.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34137095
>>"using the standard connect to a network option built into Windows"
That should be fine.
0
 

Author Comment

by:cbd1012
ID: 34137110
Hi @Robwill, my maximum connections were set to 5. I increased it to 10 and still experienced the same issue. I am going to try the MTU method and see if that helps me connect.
0
 

Author Comment

by:cbd1012
ID: 34137156
Hi All,

So did the test and received "Packet needs to be fragmented but DF set" all the way from the 1400-1200 range. Currently at 1200 it does not fragment.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34137253
Just try lowering and then connecting, the tests are not terribly accurate due to overhead.
0
 

Author Comment

by:cbd1012
ID: 34138422
I noticed my firewall has an MTU setting. Would it be helpful to make a modification here?
0
 

 

Author Comment

by:cbd1012
ID: 34139281
I have not been able to test MTU as right now I'm using my BlackBerry tethered phone as my external internet. I need to get to a reliable external internet source so that I can alter MTU.  But I have a Windows XP user who can connect no problem. Had her connect and disconnect multiple times and she was able to get in. Could this be an OS thing possibly?
0
 

Author Comment

by:cbd1012
ID: 34139776
Connected to the VPN via iPhone and was able to successfully connect
0
 

Author Comment

by:cbd1012
ID: 34140517
So I was able to get on to an external network and I tried lowering my MTU, which did not allow me to connect - the client still hangs at the verifying username and password step. I tested this on a Mac and a Windows Vista machine.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34141321
No need to lower MTU on the firewall. Think of it as trying to reduce the size of a particle flowing through a pipe: you are trying, at the source, to make it small enough to get through the smallest restriction.

Are the MAC and PC at one site? I.e. could we narrow it down to a site problem and not a general problem?
0
 

Author Comment

by:cbd1012
ID: 34141374
Hi Robwill - I want to say thanks again for going through this with me. The Mac is my travel laptop; I am connecting to a neighboring office's wireless to try to VPN from the outside. Our accountant is offsite and she is able to connect with no problems repeatedly - also I am able to connect on my iPhone using the 3G connection. I tried the DrTCP tool and it did not get me connected.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34141502
Very odd, as normally you are far more likely to have a problem connecting with the 3G.
0
 

Author Comment

by:cbd1012
ID: 34141519
Do you think reconfiguring the VPN would be a solution ?
0
 
LVL 10

Expert Comment

by:koudry
ID: 34141797
Hello cbd1012:

I suspect the problem may be around the OS. Now that XP and MAC are working, the next OS to try is Vista. While you are doing that, I will try and see if I can dig out the document on how I resolved the Vista VPN client problem, just in case. I am aware the W7 PC is the problem machine.

Good luck
0
 

Author Comment

by:cbd1012
ID: 34141812
It so happens that the few machines that are working are a Windows XP machine, a Mac (intermittently) and an iPhone.  I tried Vista on a neighbor's wireless network but I'm not confident about how it was set up, so I want to try it again on another network. Windows 7 machines are also not connecting.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34141918
I doubt reconfiguring the VPN would have any positive effects.
0
 

Author Comment

by:cbd1012
ID: 34141958
Is there anything such as DHCP or DNS that could be causing this issue ?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34144337
DNS will not cause connection issues, unless you are connecting to the VPN using a FQDN and not an IP, and you are using a flaky external DNS service.
As far as your internal DNS that will not affect connections, but can affect name resolution. Name resolution issues can be fixed, but the best bet for that is using the SBS Connection Manager client which is completely pre-configured.

DHCP would only affect it if you have run out of addresses to assign the VPN clients.

On that note, there is no chance the server and the connecting client sites are using the same subnets locally, such as both sites using 192.168.0.x or 192.168.1.x?
Usually this will connect but the VPN will not work properly, but I have seen it disallow authentication.
0
 

Author Comment

by:cbd1012
ID: 34147470
I have seen that issue too but they are different subnets. How do I know if I have run out of addresses to assign to the client?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34147697
If you used the SBS wizard to create the VPN it will pull addresses from the standard DHCP console, you can see there the list of allocated IP's.
If you manually created the VPN you can check the range of IP's available for VPN clients in the RRAS management console by right clicking on the server name and choosing properties, then under the IP tab you will see static address pool similar to:
http://www.lan-2-wan.com/Added%20Images/1NIC/rras-1n-9.jpg
0
 

Author Comment

by:cbd1012
ID: 34147725
@Robwill thanks for this - I saw this earlier - what would be the best setup? I'm leaning towards a DHCP lease issue as the root of the problem.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34147760
Sorry, what do you mean by best set up? DHCP? SBS wizard is by far the best.
However this should also affect LAN users not just external.
0
 

Accepted Solution

by:
cbd1012 earned 0 total points
ID: 34147998
Ahh I see, all LAN users connect fine - the reason I thought it might be a DHCP issue is because there are users who can always connect no matter how many times they log on or off, yet there are some other clients who cannot get on at all.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34148063
Good observation.
See in the RRAS console if you can see the connected users ( expand server and under "remote Access Clients" ). Watch when they disconnect to see that the session closes (disappears). Maybe the sessions are not dropping and the users are somehow reconnecting to the same sessions.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34253481
Thanks for updating cbd1012. What was the specific DHCP issue, it would be good to know the resolution.
Thanks,
--Rob
0
 

Author Closing Comment

by:cbd1012
ID: 34281164
Reasonings were not any of the reasons provided by other users. It was a DHCP issue as I mentioned.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34281990
What was the specific DHCP issue, it would be good to know the resolution.
0
