• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2056
  • Last Modified:

VPN works internally but not externally: error 800 / 20209

Greetings,

Suddenly our VPN stopped working with no obvious changes to our infrastructure. The connection to the VPN is intermittent: sometimes I am able to successfully connect, then other times the client hangs on verifying username and password and gives me the 800 error. On the server event log side I get the error 20209. I have tried changing the firewall, which gave me the same result. I am lost as to what could have happened.

We are using a PPTP VPN using Routing and Remote Access
Windows SBS 2003 SP1 installed
1 Linksys switch
1 WatchGuard firewall
T1 connection

Any help would be greatly appreciated.

Thanks
0
Asked:
cbd1012
1 Solution
 
Alan HardistyCo-OwnerCommented:
Okay - please visit www.canyouseeme.org from the server and test port 1723 to see if you get a good response.

If not, please check your firewall has this port open and forwarded to the SBS server's internal IP Address.
0
 
cbd1012Author Commented:
Hi Alan,

This is already in place, as the VPN has been working for years and suddenly stopped. It is really weird, as I am able to get in randomly, but most of the time I am not able to get in. I am ready to rule out anything hardware related, as I have already switched firewalls, bypassed the switch altogether and switched cables.
0
 
Alan HardistyCo-OwnerCommented:
No problems - is Routing and Remote Access Service started?

If it is - you can disable RRAS (don't disable the service - disable it via console).

Then re-create it and choose the manual option on the first screen, then VPN on the second screen.

If that doesn't make sense - I'll run through specific instructions.

0

 
cbd1012Author Commented:
Hi Alan, the service was running; I have started and restarted it many times.

Hi Alan, something interesting is happening: I set up another server as our VPN server and tried to connect to that one, and I got the same error I got on the other machines.

I talked to my ISP already and they assured me that they are not blocking anything.

A connection between the VPN server and the VPN client 208.54.39.201 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
Alan HardistyCo-OwnerCommented:
Do you have Protocol 47 allowed through the router / firewall?

What are the results of www.canyouseeme.org testing port 1723?
0
 
cbd1012Author Commented:
http://bit.ly/cJ2Hpe -> Is this the correct option?

Results of my 1723 port test:

Success: I can see your service on 64.xx.xx.xx on port (1723)
Your ISP is not blocking port 1723
0
 
Alan HardistyCo-OwnerCommented:
That looks like the IP on the other end is essentially in a DMZ - no restrictions on access to the internet.  Is that the case?
0
 
cbd1012Author Commented:
Honestly I'm not sure of the answer to that; it's a T1 with a static IP. How would I be able to verify this?
0
 
Alan HardistyCo-OwnerCommented:
Looking at the following link, it suggests that you are opening up 192.168.3.12 to all internet traffic.

http://www.watchguard.com/help/smalloffice/6.2/Wireless_Firewall/soho613w_fire.htm

Do you have two NICs in the SBS server or just the one?
0
 
cbd1012Author Commented:
Hi Alan thanks again for your help

This option was never enabled before; I just enabled it after reading about pass-through. But I don't understand how, after years of functioning, the VPN could just stop. The weird thing is I have switched firewalls and am still experiencing the behaviour. If I bounce the server I can make one successful connection to the VPN server. If I disconnect and reconnect I am no longer able to connect.

There is only one NIC installed.
0
 
Alan HardistyCo-OwnerCommented:
Okay - with just one NIC installed, I would not enable the Pass Through for that IP - it sounds like you are opening the firewall up to the internet and that is dangerous.

Can you please open up Routing and Remote Access (Start> Programs> Administrative Tools> Routing and Remote Access).

Right-click on your server and choose Disable Routing and Remote Access.  Click Yes.

Then once disabled, right-click the server again and choose Configure and Enable Routing and Remote Access.

Choose Custom configuration and click next.

Tick VPN Access and click next, then Finish.  Click Yes to start the RRAS service.

Once started - please expand your server in the RRAS console and click on Ports.

Right-click on ports and select Properties.  Then click on L2TP and click the configure button.

If you don't want 128 L2TP connections, reduce the number here - personally I stick with 0! Click OK and then Yes.

Repeat the above for PPTP, but reduce the ports to a more reasonable number based on your organisation's needs. When setting PPTP, untick the Demand-dial routing connections (inbound and outbound). When done, click Apply / OK.

Right-click on the DHCP Relay Agent and choose Properties. Type in the internal IP address of the server (assuming you are using it to handle DHCP requests; otherwise, type in the DHCP server's IP address) and click Add, then Apply / OK.

Test VPN access again please.
0
 
koudryCommented:
Hello,

Searching Google for "vpn error 800" resulted in a long list of results, of which just a few are below. I suspect you have seen these already, but if not, please take a look.

Error Message: VPN Connection Error 800: Unable to Establish Connection @ http://support.microsoft.com/kb/319108

What I have read so far indicates that it is possible that the number of connections allowed by the server has been exceeded. There is also the possibility that one of the ports is playing up.

One thing I always check is to make sure the IP connectivity is working fine before putting the VPN on top of it, because there is a chance that your problem may actually be at the IP level rather than the VPN.

Please take a look at the URLs above and see if there is anything there that can help.

Good luck

Koudry
0
 
cbd1012Author Commented:
Thanks, I have seen just about all of those articles. What do you mean by check IP connectivity?
0
 
Olaf De CeusterCommented:
Please rerun the Connect to the Internet wizard in Server Management > To Do List.
Make sure you allow VPN.
When you say VPN works internally: is your VPN directly to the server IP address?
Hope that helps,
Olaf
0
 
Rob WilliamsCommented:
If you can connect even once, it is highly unlikely there is a configuration issue. It is more likely that something has changed between client and server. Dropped connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection. It is recommended you change this on the connecting/client computer and, when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
0
 
koudryCommented:
Hello cbd1012:

By IP connectivity, I meant to say that you need to make sure that the VPN client can connect to the network or outside world before attempting to connect to VPN.

For example, if you do "ipconfig /all", what do you get in terms of IP address?  If the IP address you get is correct, try to see if you can connect to the Internet. If this works, then there is no IP connectivity issue.

Another possibility is that your client connectivity details could be problematic, e.g.

  • Security token: this provides you with a one-time password. If you use this, please make sure the token is still valid
  • The IP address of the VPN gateway: make sure this has not changed recently
  • Username of VPN client
  • Password of VPN client

If a security token was used, there is also an IP address range associated with the token. So when you connect your VPN client to the VPN gateway using that security token, your VPN client will be allocated an IP address from the token IP range.

The VPN client IP address is often a private IP address, e.g. 10.180.20.10. The token will also be associated with an authentication group and shared secret.

So after connecting the client to the VPN gateway, you need to check the IP allocated to the client to see if it falls within the IP range allocated for the security token. So on this occasion, "ipconfig /all" on the client will show two types of IP, one for the local network (e.g. 192.168.X.X) and the other one for the VPN (10.X.X.X).

If there is a way to do this, it may be worth checking if there are any more IPs available for the VPN client to use. This could be the problem. Do you know how many people connect to the VPN server at one time? Are there enough IPs in the pool for all VPN clients?

Thanks.
0
 
cbd1012Author Commented:
Hi Guys,

I will try your suggestions and report back.

Thanks
0
 
cbd1012Author Commented:
Odd behaviour I want to report: I randomly tried to connect to the VPN and now can connect with no problem through a Mac computer, but cannot connect on another computer. Could this be an IP address assignment / DHCP issue?
0
 
Rob WilliamsCommented:
Is the Mac at a different site or the same site? It can be an MTU issue, as mentioned. Unlikely it would be related to DHCP assignments to end users.
0
 
cbd1012Author Commented:
Both the Mac and PC are at my house trying to connect into the office remotely. At one point the Mac was not working at all. Is the MTU modified at the client's end or at the server end? Also I noticed a few other users are now connected to the VPN. This is totally weird.
0
 
Rob WilliamsCommented:
MTU is adjusted at the client end.
If it is erratic, or if you can connect but then it freezes when you try browsing or opening files, it is usually MTU.

If you have several users, something you might want to check is whether you have enough PPTP ports open. You can have up to 128, which is the default on Server Std, but SBS sets this to 5. If you have more users than that, or they are not properly releasing, maybe you don't have enough open (connections allowed). To set this, on the server, go to Administrative Tools | Routing and Remote Access | expand the server name | right-click on Ports and choose Properties | highlight PPTP and click Configure | set the maximum number of ports (I recommend double the number of users to be safe).
0
 
koudryCommented:
Hello cbd1012,

Could you please advise on the operating system of the VPN client, the one you are having problems with?

Thanks.
0
 
cbd1012Author Commented:
Thanks guys, these are all great suggestions. I will be trying these suggestions when I get into the office. The operating system of the users that can connect is Mac OS X, and the computers that cannot connect are Windows 7.
0
 
Rob WilliamsCommented:
Win7 64-bit or 32-bit? For the record, the SBS connection manager client will not work on 64-bit. If you manually configure the VPN client connection it is fine.
0
 
koudryCommented:
Hello cbd1012,

If possible, could you please try an XP machine? A while ago, I had to deal with a frame size problem on Vista. It does not stop you connecting to the VPN server, but it won't let you transmit a document over 1M. I know it is a separate problem and a different OS (W7), but you just don't know. So you may want to try and see if XP works better, or you can even try a Vista machine if you can find one. I am just trying to eliminate the OS aspect of the problem.

Good luck.
0
 
cbd1012Author Commented:
Sure, thanks for the suggestion Koudry; I will try an XP machine. I believe I have a Vista as well to try. I know I've asked this a million times, but what could have prevented all clients from being able to access the VPN? Weird.
0
 
cbd1012Author Commented:
@Robwill it's a variety, but to connect to the VPN I am using the standard connect to a network option built into Windows.
0
 
Rob WilliamsCommented:
That is why I suggested MTU. Sounds like some of the routing between client and server, probably near the server end, may have changed. This would be outside equipment over which you have no control. It wouldn't be the first time it happened. Easy enough to test from one client. Exceeding available PPTP ports could also affect most users.
0
 
Rob WilliamsCommented:
>>"using the standard connect to a network option built into Windows"
That should be fine.
0
 
cbd1012Author Commented:
Hi @Robwill, my maximum connections were set to 5; I increased it to 10 and still experienced the same issue. I am going to try the MTU method and see if that helps me connect.
0
 
cbd1012Author Commented:
Hi All,

So I did the test and received "Packet needs to be fragmented but DF set" all the way from the 1400-1200 range. Currently at 1200 it does not fragment.
0
 
Rob WilliamsCommented:
Just try lowering and then connecting, the tests are not terribly accurate due to overhead.
0
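An added example (not code from anyone in this thread) of the MTU probing Rob describes and the ping test the author ran: it binary-searches the largest DF-flagged ping payload the path accepts, derives the path MTU, and subtracts an assumed PPTP tunnel overhead to get a starting client MTU. The Windows `ping -f -l` wrapper is real; the `simulated_probe`, its reply text and the 40-byte overhead figure are constructed assumptions for the demo.

```python
import re
import subprocess
from typing import Callable

# Message Windows ping prints when a DF-flagged probe exceeds a hop's MTU
# (the text the thread quotes); the Linux wording is matched as well.
FRAG_NEEDED = re.compile(r"needs to be fragmented|message too long", re.IGNORECASE)
ICMP_IP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP header around each ping payload
# Assumed per-packet PPTP overhead on top of plain IP: outer IPv4 (20) +
# GRE with key/seq/ack (16) + PPP (4). An assumption for this example, not a thread figure.
PPTP_OVERHEAD = 40


def probe_allows(ping_output: str) -> bool:
    """True if the ping output shows the DF-flagged probe got through unfragmented."""
    return FRAG_NEEDED.search(ping_output) is None


def windows_ping_probe(host: str, payload: int) -> bool:
    """Real probe for a Windows client: ping -f (don't fragment) -l <payload> -n 1 host."""
    out = subprocess.run(["ping", "-f", "-l", str(payload), "-n", "1", host],
                         capture_output=True, text=True).stdout
    return probe_allows(out)


def find_max_payload(probe: Callable[[int], bool], low: int = 500, high: int = 1472) -> int:
    """Binary-search the largest payload (bytes) a DF-flagged ping carries end to end.
    1472 is the largest payload that fits a 1500-byte Ethernet frame."""
    if not probe(low):
        raise RuntimeError("even a %d-byte probe fragments: fix IP connectivity first" % low)
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid         # fits: the answer is at least mid
        else:
            high = mid - 1    # fragments: the answer is below mid
    return low


def path_mtu(max_payload: int) -> int:
    """Path MTU as seen by plain IP traffic."""
    return max_payload + ICMP_IP_HEADERS


def suggested_pptp_mtu(max_payload: int) -> int:
    """Starting MTU for the PPTP client's virtual interface: path MTU minus tunnel overhead."""
    return path_mtu(max_payload) - PPTP_OVERHEAD


# Constructed probe reproducing the thread's observation: "needs to be fragmented"
# for every size from 1400 down to 1201, and 1200 going through (192.0.2.1 is a doc address).
def simulated_probe(payload: int) -> bool:
    if payload > 1200:
        return probe_allows("Packet needs to be fragmented but DF set.")
    return probe_allows("Reply from 192.0.2.1: bytes=%d time=30ms TTL=52" % payload)


if __name__ == "__main__":
    best = find_max_payload(simulated_probe)
    print("largest DF payload:", best, "path MTU:", path_mtu(best),
          "suggested PPTP MTU:", suggested_pptp_mtu(best))
```

Against a real path, pass `lambda p: windows_ping_probe("vpn.example.invalid", p)` instead of `simulated_probe`; as Rob notes, the ping figure is only a starting point, so connect with the suggested value and raise it gradually.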
 
cbd1012Author Commented:
I noticed my firewall has an MTU setting; would it be helpful to make a modification here?
0
 
cbd1012Author Commented:
I have not been able to test MTU, as right now I'm using my BlackBerry tethered phone as my external internet. I need to get to a reliable external internet source so that I can alter the MTU. But I have a Windows XP user who can connect no problem. Had her connect and disconnect multiple times and she was able to get in. Could this be an OS thing possibly?
0
 
cbd1012Author Commented:
Connected to the VPN via iPhone and was able to successfully connect.
0
 
cbd1012Author Commented:
So I was able to get on to an external network and I tried lowering my MTU, which did not allow me to connect; the client still hangs at the verifying username and password step. I tested this on a Mac and a Windows Vista machine.
0
 
Rob WilliamsCommented:
No need to lower MTU on the firewall. Think of it as trying to reduce the size of a particle flowing through a pipe: you are trying at the source to make it small enough to get through the smallest restriction.

Are the Mac and PC at one site, i.e. could we narrow it down to a site problem and not a general problem?
0
 
cbd1012Author Commented:
Hi Robwill, I want to say thanks again for going through this with me. The Mac is my travel laptop; I am connecting to a neighbouring office's wireless to try to VPN from the outside. Our accountant is offsite and she is able to connect with no problems repeatedly; also I am able to connect on my iPhone using the 3G connection. I tried the DrTCP tool and it did not get me connected.
0
 
Rob WilliamsCommented:
Very odd, as normally you are far more likely to have a problem connecting with the 3G.
0
 
cbd1012Author Commented:
Do you think reconfiguring the VPN would be a solution ?
0
 
koudryCommented:
Hello cbd1012:

I suspect the problem may be around the OS. Now that XP and Mac are working, the next OS to try is Vista. While you are doing that, I will try and see if I can dig out the document on how I resolved the Vista VPN client problem, just in case. I am aware the W7 PC is the problem machine.

Good luck
0
 
cbd1012Author Commented:
It so happens that the few machines that are working are a Windows XP machine, a Mac (intermittently) and an iPhone. I tried Vista on a neighbour's wireless network but I'm not confident in how it was set up, so I want to try it again on another network. Windows 7 machines are also not connecting.
0
 
Rob WilliamsCommented:
I doubt reconfiguring the VPN would have any positive effects.
0
 
cbd1012Author Commented:
Is there anything such as DHCP or DNS that could be causing this issue ?
0
 
Rob WilliamsCommented:
DNS will not cause connection issues, unless you are connecting to the VPN using a FQDN and not an IP, and you are using a flaky external DNS service.
As far as your internal DNS that will not affect connections, but can affect name resolution. Name resolution issues can be fixed, but the best bet for that is using the SBS Connection Manager client which is completely pre-configured.

DHCP would only affect it if you have run out of addresses to assign the VPN clients.

On that note, there is no chance the server and the connecting client sites are using the same subnets locally, such as both sites using 192.168.0.x or 192.168.1.x?
Usually this will connect but the VPN will not work properly, but I have seen it disallow authentication.
0
 
cbd1012Author Commented:
I have seen that issue too, but they are different subnets. How do I know if I have run out of addresses to assign to the client?
0
 
Rob WilliamsCommented:
If you used the SBS wizard to create the VPN, it will pull addresses from the standard DHCP console; you can see the list of allocated IPs there.
If you manually created the VPN, you can check the range of IPs available for VPN clients in the RRAS management console by right-clicking on the server name and choosing Properties; then under the IP tab you will see a static address pool similar to:
http://www.lan-2-wan.com/Added%20Images/1NIC/rras-1n-9.jpg
0
 
cbd1012Author Commented:
@Robwill thanks for this; I saw this earlier. What would be the best setup? I'm leaning towards a DHCP lease issue as the root of the problem.
0
 
Rob WilliamsCommented:
Sorry, what do you mean by best setup? DHCP? The SBS wizard is by far the best.
However this should also affect LAN users not just external.
0
 
cbd1012Author Commented:
Ah, I see. All LAN users connect fine. The reason I thought it might be a DHCP issue is because there are users who can always connect no matter how many times they log on or off, yet there are some other clients who cannot get on at all.
0
 
Rob WilliamsCommented:
Good observation.
See in the RRAS console if you can see the connected users (expand the server and look under "Remote Access Clients"). Watch when they disconnect to see that the session closes (disappears). Maybe the sessions are not dropping and the users are somehow reconnecting to the same sessions.
0
 
Rob WilliamsCommented:
Thanks for updating cbd1012. What was the specific DHCP issue, it would be good to know the resolution.
Thanks,
--Rob
0
 
cbd1012Author Commented:
The reasons were not any of the reasons provided by other users. It was a DHCP issue, as I mentioned.
0
 
Rob WilliamsCommented:
What was the specific DHCP issue, it would be good to know the resolution.
0