Solved

Connect Win 7 VPN client to a SBS 2003 server

Posted on 2011-02-21
20
1,262 Views
Last Modified: 2012-06-27
Okay, I have an SBS 2003 Server that has been setup for VPN connection for the last 4 years. Connecting with XP machines is a snap but we recently got two new laptops with Win 7 and I cannot get them to connect to the VPN using the VPN client in Windows 7. Seems to get through to the Server but then authentication fails with an 800 error.

0
Comment
Question by:nathra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
20 Comments
 
LVL 11

Expert Comment

by:louisreeves
ID: 34944403
I saw a couple of fixes in this BLOB

enabling the spi firewall. That is unchecking "Disable SPI Firewall" under wan setup. Go figure.

Then the other

I have resolved it by explicitly setting the Type of VPN property on Security tab to Point to Point Tunneling Protocol (PPTP). It seems that when this property is set to Automatic the WAN Miniport defaults to IKEv2 (and gets stuck if this is not the VPN type used). You can both observe and change this for any VPN connection by going to Control Panel > Network and Internet > Network Connection

These guys and gals had the discussion on it -
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/32c5e5b5-b2a2-43d3-b702-9cd0c8ef2c67

I also am aware of an issue with the joining of the domain. If the windows 7 box is having trouble- you clould try rejoining the domain manually. This has its own issues but it may resolve others.

I hope this helps.

L
0
 
LVL 5

Expert Comment

by:SteelerPaz
ID: 34944415
Here is an excellent link to troubleshoot your VPN issue with Error 800

http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34944743
Are you using the SBS connection manage? If so it will not work on Win 7 64 bit, you have to manually create the client on the connecting PC similar to:
http://www.onecomputerguy.com/networking/vista_vpn_client.htm

Also there were two recent similar posts here where it was solved by editing the VPN client on the connecting C and changing the VPN type from auto to PPTP. This surprised me but seemed to work.

One other thought, Win 7 an Vista will not connect using MSChap V1, where XP will. The sever should automatically be set to allow both MSChap V1 and V2, but if anyone was 'tinkering'.
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 

Author Comment

by:nathra
ID: 34947775
Okay, so I have tried most of what has been suggested with no positive results. However, I decided to try to connect to a couple of other servers I have out with this laptop, docked, wireless. In both cases it connected without hesitation. So now I am completed befuddled! These other two server are also SBS 2003 server with two nics and are set up pretty much the same way with the exception of the domain name and IP address, although the laptop was physically connected at one point to the domain of the original server (we'll call it Server A) and not part of the other two.

Also, I just connected to Server A with this computer through a VPN connection with no issues. This computer is an XP Pro SP3 System.

One more thing - RobWill, can you give me a heads up on checking the status of the MSChap so I can see if it is set to allow MSChap 2 asl well as how to change it it if not? Thanks,

Hope that all makes sense.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34947811
To check protocols the SBS will accept go to RRAS console | right click on server name and choose properties | security | Authentication methods
Default should be; EAP, MS Chap V2, MS Chap

Do you get an error # when the connection fails such as 800, 691, 721 ?
0
 

Author Comment

by:nathra
ID: 34947863
Error 806. The VPN connecton between your computer and the VPN server could not be completed.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34947891
806 on Vista and Win 7 machines often means blocked GRE.

Obviously it is not blocked at the server site because others can connect.
It can be blocked by the client site router or ISP, but I am guessing you have tried from more than one location.
Thus, if GRE is the issue I would suspect something installed on the laptops. Is there any security software installed? TrendMicro, Symantec with "Internet work protection", some AVG versions, McAfee Firewall, Microsoft OneCare, and a few others are all known to block GRE.

Just to double check, in most cases you cannot connect to the WAN IP of the server from the LAN side of the SBS. You need to test from off-site.
0
 

Author Comment

by:nathra
ID: 34947938
Actually this is the first offsite location we have used this particular laptop. We got in on Friday and the owner took out of town that evening. I barely had time to get it setup on the domain! That said it could be an issue with the router at the location he is at which I will check.

We also have Symantec Endpoint Protection loaded on the computer too.
0
 

Author Comment

by:nathra
ID: 34947949
I just remembered. We have another computer connected remotely at this site but it is an XP Pro system and has no problem connecting.
0
 

Author Comment

by:nathra
ID: 34948005
What about the fact that I can connect thru this laptop to one of my other clients SBS servers without an problem.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34948069
>>"What about the fact that I can connect thru this laptop to one of my other clients SBS servers without an problem."
Kind of shoots my security software theory down doesn't it :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34948080
For many years 99% of the time GRE errors 721 error. Since Vista and Win7 many but no where near that high a percentage of people that have reported 806 errors have reported the source of the problem was blocked GRE. If you are ambitious and want to see if GRE is the issue or not you can test that theory. From an earlier post of mine:

Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34948085
Sorry first line should read; For many years 99% of the time GRE issues returned 721 errors.
0
 

Author Comment

by:nathra
ID: 34948193
If it was a GRE issue wouldn't the other system I have connecting the Server A's VPN have the same issue too? Like I said I am befuddled.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34948304
I agree, as stated earlier. I just provided the tools it you wanted to rule it out, if there was still any doubt. Those tools will check from client to server. Doubtful now though that is the issue.

It still sounds like an authentication protocol issue. Did you check the server?
The reason I say that is XP could be authenticating to the server with MS Chap. Win7 is trying to use MS Chap V2 which should be enabled on the server, but if not fails. They can connect to other servers because it is enabled there.
0
 

Author Comment

by:nathra
ID: 34948393
OKay, so I figured one aspect out in that I had another system in the remote logon to the VPN. When I logged it off I was able to logon with the Window 7 laptop. So it seems to be an issue with multiple VPN logons to my Server. Any suggestion?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34948438
May be the number of ports allocated. The default with SBS is 5, and server std is 128, but you can have up o 128. To set it go to: RRAS console | expand server name | ports | on the right you can see the number of active/inactive ports (# of connections)
If you right click on ports and choose properties | highlight PPTP and click configure | you can increase/decrease this under "Maximum ports"
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34948448
It could also be a shortage of DHCP addresses. If you have used wizards and defaults that won't be a problem, but check that the DHCP scope has lots of room for LAN and VPN clients.
If you manually created the VPN and used a static address pool make sure that is large enough for VPN clients. The later is under: RRAS console | right click on server name -properties | IPv4 | static address pool (this would normally on an SBS be empty and unchecked but if used make sure enough addresses allocated)
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 34948453
One other thought, MANY small home routers only allow 1 outgoing PPTP connection from the same site. They all have limits, but as mentioned some are only 1.

This is not the server site. Incoming is only limited usually by bandwidth.
0
 

Author Closing Comment

by:nathra
ID: 34951879
Thanks for helping to troubleshoot this RobWill!
0

Featured Post

SuperAntiSpyware Licenses Discounted by 25% !

Exclusive offer to Experts Exchange Members!
Buy SuperAntiSpyware License(s) from us and save 25% on the regular purchase price.
- Includes Full SuperAntiSpyware Vendor Support Entitlements
- Your Subscription does not begin until you activate your license
- Buy for your friends

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
IPC$ Password 13 54
Dual boot with Windows 7 on both partition 11 54
Windows 10 ISO build version 3 97
Remote login in windows 7 8 73
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
On some Windows 7 (SP1) computers, Windows Update becomes super slow even the computer is reasonably fast.  There's one solution that seemed to have worked well for me (after trying a few other suggested solutions).
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question