Solved

VPN Connection error with 800 on Server 2003

Posted on 2011-02-17
Last Modified: 2012-06-21
Hi Guys,
I know this is a common problem and I've tried the usual things, but we are getting error 800 on our VPN connections to the office.
We have a new Netgear DG834G that has ports 47, 1723 and 1701 open inbound and forwarding to our 2nd server that has RRAS configured (through the custom option just for VPN).
I can VPN in from our 1st server to the 2nd server so it confirms that the RRAS is working and accepting requests.
On the Netgear logs it is also showing that the 1723 and 1701 packets are being accepted, but every time we try to VPN in from anywhere we get the error 800 message.
RRAS was on the 1st server originally and so we have moved it onto the 2nd server to see if it was that, but it's made no difference.
I have tried 'Can you see me' but it shows it's failed; however, I have tried this on other working systems as well and these have shown as failed, so I'm not confident that this is correct.
Any help would be great.

Thanks

Question by:Netexperts

Expert Comment

by:Ernie Beek
ID: 34914690
One thing. You mentioned port 47. That should be protocol 47 (GRE protocol).

So you need to enable PPTP passthrough. Try to look for that option on the netgear.

Author Comment

by:Netexperts
ID: 34914719
It doesn't have the option for protocol 47, I had to create a new service to which I put 47 in as TCP/UDP
And then allowed this to forward to the RRAS.

Thanks

Author Comment

by:Netexperts
ID: 34914726
Also...
There was a VPN-PPTP (TCP:1723) option on the router which I've allowed and pointed to the RRAS server as well (along with VPN-L2TP (TCP:1701)).

Expert Comment

by:Ernie Beek
ID: 34914763
47 isn't a port number, it's a protocol number. Check this out: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

So as you can see, TCP is protocol number 6, UDP number 17 and GRE number 47.
GRE stands for General Routing Encapsulation and that is the tunnel that is finally being set up. Port 1723 is used for the initial authentication/negotiation.

NAT only works with TCP/UDP because those protocols use port addressing. To allow the GRE protocol through you need to set that option. Most of the time it is called something like PPTP-passthrough and most routers nowadays should support that.

Author Comment

by:Netexperts
ID: 34914964
There is no GRE that I can see.
I have changed the MTU to 1430, enabled the 'Respond to Ping on Internet Port' and enabled 6,17 and 47 to forward to the RRAS (as there's no GRE option) but still the same issue.
Even though it shows in the logs as accepting the packet, would this still be the case even if it doesn't let it through?

Expert Comment

by:Ernie Beek
ID: 34915098
"enabled 6,17 and 47 to forward to the RRAS"

What exactly do you mean by that?

Author Comment

by:Netexperts
ID: 34915106
As there is no GRE or PPTP Passthrough I have created services for the individual ports (6, 17 and 47) and have allowed them and pointed them to the RRAS server to try this.

Expert Comment

by:Ernie Beek
ID: 34915345
It seems we still have a miscommunication here. Let me try to get that out of the way first.

TCP is a protocol on top of IP, UDP is another protocol on top of IP and GRE is yet another protocol on top of IP. TCP and UDP use ports within the protocol. That way is defined what service it is (to put it simply). GRE is a separate protocol that doesn't use ports. So with TCP and UDP you can do PAT because of the ports. GRE cannot. Also you can't get the GRE protocol to go through a port within another protocol.
You now opened up some ports for the TCP and UDP protocol. That has nothing to do with the GRE protocol.
I hope I haven't confused you even more. It is a confusing situation trying to grasp the difference between protocols, ports within protocols, etc (I know I was confused :).

So getting back to the issue.

For PPTP we need TCP port 1723 open and protocol 47 (GRE) being able to pass through.
For L2TP we need TCP port 1701 open and if you want to use it over IPSec then protocols 50 and 51 must be able to pass through.

I think you are going for the PPTP VPN so let's focus on that. You already opened the port (1723) to be forwarded to the server. I also read the post again. The thing I was asking was indeed already there with another name: VPN-PPTP (TCP:1723) .... My bad, sorry.

So that should be ok. One thing I noticed is that your firmware is at V1.6.01.34 while the most recent is 3.01.38. Perhaps it might be wise to first do an upgrade.
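
The protocol-versus-port distinction explained in this answer (and in the earlier comment on protocol numbers), as an added example that is not part of the original thread: Python code that reads the protocol field of raw IPv4 packets, such as those taken from a capture on the RRAS server, and reports whether the PPTP control channel (TCP 1723) and the GRE tunnel (protocol 47) both arrive. The function names, the sample addresses and the three packets are constructed for illustration.

```python
import struct

IP_PROTO = {6: "TCP", 17: "UDP", 47: "GRE"}  # protocol numbers quoted in the thread

def classify(packet: bytes) -> dict:
    """Classify one raw IPv4 packet by the protocol field of its IP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]                         # protocol number is an IP header field
    payload = packet[ihl:]
    info = {"proto": proto, "name": IP_PROTO.get(proto, "other"), "dport": None}
    if proto in (6, 17) and len(payload) >= 4:
        # TCP and UDP both begin with 16-bit source and destination ports
        info["dport"] = struct.unpack("!HH", payload[:4])[1]
    elif proto == 47 and len(payload) >= 4:
        # GRE carries flags/version and a protocol type, but no port fields
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        info["pptp_gre"] = (flags_ver & 0x7) == 1 and ptype == 0x880B
    return info

def pptp_path_check(packets) -> dict:
    """Report which halves of a PPTP session are present in a capture."""
    seen = [classify(p) for p in packets]
    return {
        "control_tcp_1723": any(s["name"] == "TCP" and s["dport"] == 1723 for s in seen),
        "tunnel_gre_47": any(s["name"] == "GRE" for s in seen),
        "port_47_not_gre": any(s["dport"] == 47 for s in seen),
    }

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([198, 51, 100, 7]), bytes([192, 168, 0, 2])) + payload

# Constructed sample packets, not captured traffic
TCP_1723 = build_ipv4(6, struct.pack("!HH", 50000, 1723) + bytes(16))
UDP_47 = build_ipv4(17, struct.pack("!HHHH", 50001, 47, 8, 0))
GRE_PPTP = build_ipv4(47, struct.pack("!HHHH", 0x2001, 0x880B, 0, 1))

if __name__ == "__main__":
    # A "port 47" TCP/UDP forward: control channel arrives, tunnel does not
    print(pptp_path_check([TCP_1723, UDP_47]))
    # TCP 1723 forward plus GRE passthrough: both halves arrive
    print(pptp_path_check([TCP_1723, GRE_PPTP]))
```
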

Author Comment

by:Netexperts
ID: 34915831
I had to read it 3 times but now I understand where GRE should be, but there still is no option for me to add or allow this that I can see (only TCP, UDP or TCP/UDP) and the router auto checks for firmware but shows that none is available (it is brand new so I'm wondering if the firmware you've seen is for another version of the 834).
I have just read a post on the Netgear forum where it is said that the DG834G doesn't support GRE47; however, we have put about 5 of these in elsewhere over the past few months, enabled 1723 and they've all worked fine, so I'm a little stumped as to the issue.
Any ideas after this?

Expert Comment

by:Ernie Beek
ID: 34915927
Then it's a DG834Gv5 I assume (looked at another one :-~ )

Read something at the Netgear site: you also need to open port 500 (?)
http://kb.netgear.com/app/answers/detail/a_id/1088/kw/pptp

It might also be a good idea to compare this device with a 'working one' (firmware, setup, etc).

Author Comment

by:Netexperts
ID: 34917107
I've opened 500 but still no connection.
I have checked on one of the other identical ones we've put in and the only difference is the firmware. On the one that works it's V4.01.06 and the one that doesn't work is V1.6.01.34, but these do seem totally different (even if they are different versions I would've thought the firmware version would at least be similar).

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 34924036
The thing is that it should be able to work. Perhaps doing a factory reset and after that just set the VPN-PPTP (TCP:1723) option (and perhaps opening port 1723 to the server) might do the trick. There were quite a few changes made which perhaps messed the whole thing up.

Author Closing Comment

by:Netexperts
ID: 34924132
I agree, it does seem strange that the others are working fine so I'll reset it and try from there; failing that I think we'll replace it.
Thanks for the information anyway
 (I know exactly what GRE is now !)

Expert Comment

by:Ernie Beek
ID: 34924657
At least you learned something from it then ;)

Thx and good luck