Solved

Connect Win 7 VPN client to a SBS 2003 server

Posted on 2011-02-21
20
1,258 Views
Last Modified: 2012-06-27
Okay, I have an SBS 2003 Server that has been setup for VPN connection for the last 4 years. Connecting with XP machines is a snap but we recently got two new laptops with Win 7 and I cannot get them to connect to the VPN using the VPN client in Windows 7. Seems to get through to the Server but then authentication fails with an 800 error.

0
Comment
Question by:nathra
20 Comments
 
LVL 11

Expert Comment

by:louisreeves
Comment Utility
I saw a couple of fixes in this BLOB

enabling the spi firewall. That is unchecking "Disable SPI Firewall" under wan setup. Go figure.

Then the other

I have resolved it by explicitly setting the Type of VPN property on Security tab to Point to Point Tunneling Protocol (PPTP). It seems that when this property is set to Automatic the WAN Miniport defaults to IKEv2 (and gets stuck if this is not the VPN type used). You can both observe and change this for any VPN connection by going to Control Panel > Network and Internet > Network Connection

These guys and gals had the discussion on it -
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/32c5e5b5-b2a2-43d3-b702-9cd0c8ef2c67

I also am aware of an issue with the joining of the domain. If the windows 7 box is having trouble- you clould try rejoining the domain manually. This has its own issues but it may resolve others.

I hope this helps.

L
0
 
LVL 5

Expert Comment

by:SteelerPaz
Comment Utility
Here is an excellent link to troubleshoot your VPN issue with Error 800

http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Are you using the SBS connection manage? If so it will not work on Win 7 64 bit, you have to manually create the client on the connecting PC similar to:
http://www.onecomputerguy.com/networking/vista_vpn_client.htm

Also there were two recent similar posts here where it was solved by editing the VPN client on the connecting C and changing the VPN type from auto to PPTP. This surprised me but seemed to work.

One other thought, Win 7 an Vista will not connect using MSChap V1, where XP will. The sever should automatically be set to allow both MSChap V1 and V2, but if anyone was 'tinkering'.
0
 

Author Comment

by:nathra
Comment Utility
Okay, so I have tried most of what has been suggested with no positive results. However, I decided to try to connect to a couple of other servers I have out with this laptop, docked, wireless. In both cases it connected without hesitation. So now I am completed befuddled! These other two server are also SBS 2003 server with two nics and are set up pretty much the same way with the exception of the domain name and IP address, although the laptop was physically connected at one point to the domain of the original server (we'll call it Server A) and not part of the other two.

Also, I just connected to Server A with this computer through a VPN connection with no issues. This computer is an XP Pro SP3 System.

One more thing - RobWill, can you give me a heads up on checking the status of the MSChap so I can see if it is set to allow MSChap 2 asl well as how to change it it if not? Thanks,

Hope that all makes sense.

0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
To check protocols the SBS will accept go to RRAS console | right click on server name and choose properties | security | Authentication methods
Default should be; EAP, MS Chap V2, MS Chap

Do you get an error # when the connection fails such as 800, 691, 721 ?
0
 

Author Comment

by:nathra
Comment Utility
Error 806. The VPN connecton between your computer and the VPN server could not be completed.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
806 on Vista and Win 7 machines often means blocked GRE.

Obviously it is not blocked at the server site because others can connect.
It can be blocked by the client site router or ISP, but I am guessing you have tried from more than one location.
Thus, if GRE is the issue I would suspect something installed on the laptops. Is there any security software installed? TrendMicro, Symantec with "Internet work protection", some AVG versions, McAfee Firewall, Microsoft OneCare, and a few others are all known to block GRE.

Just to double check, in most cases you cannot connect to the WAN IP of the server from the LAN side of the SBS. You need to test from off-site.
0
 

Author Comment

by:nathra
Comment Utility
Actually this is the first offsite location we have used this particular laptop. We got in on Friday and the owner took out of town that evening. I barely had time to get it setup on the domain! That said it could be an issue with the router at the location he is at which I will check.

We also have Symantec Endpoint Protection loaded on the computer too.
0
 

Author Comment

by:nathra
Comment Utility
I just remembered. We have another computer connected remotely at this site but it is an XP Pro system and has no problem connecting.
0
 

Author Comment

by:nathra
Comment Utility
What about the fact that I can connect thru this laptop to one of my other clients SBS servers without an problem.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
>>"What about the fact that I can connect thru this laptop to one of my other clients SBS servers without an problem."
Kind of shoots my security software theory down doesn't it :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
For many years 99% of the time GRE errors 721 error. Since Vista and Win7 many but no where near that high a percentage of people that have reported 806 errors have reported the source of the problem was blocked GRE. If you are ambitious and want to see if GRE is the issue or not you can test that theory. From an earlier post of mine:

Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Sorry first line should read; For many years 99% of the time GRE issues returned 721 errors.
0
 

Author Comment

by:nathra
Comment Utility
If it was a GRE issue wouldn't the other system I have connecting the Server A's VPN have the same issue too? Like I said I am befuddled.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I agree, as stated earlier. I just provided the tools it you wanted to rule it out, if there was still any doubt. Those tools will check from client to server. Doubtful now though that is the issue.

It still sounds like an authentication protocol issue. Did you check the server?
The reason I say that is XP could be authenticating to the server with MS Chap. Win7 is trying to use MS Chap V2 which should be enabled on the server, but if not fails. They can connect to other servers because it is enabled there.
0
 

Author Comment

by:nathra
Comment Utility
OKay, so I figured one aspect out in that I had another system in the remote logon to the VPN. When I logged it off I was able to logon with the Window 7 laptop. So it seems to be an issue with multiple VPN logons to my Server. Any suggestion?
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
May be the number of ports allocated. The default with SBS is 5, and server std is 128, but you can have up o 128. To set it go to: RRAS console | expand server name | ports | on the right you can see the number of active/inactive ports (# of connections)
If you right click on ports and choose properties | highlight PPTP and click configure | you can increase/decrease this under "Maximum ports"
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
It could also be a shortage of DHCP addresses. If you have used wizards and defaults that won't be a problem, but check that the DHCP scope has lots of room for LAN and VPN clients.
If you manually created the VPN and used a static address pool make sure that is large enough for VPN clients. The later is under: RRAS console | right click on server name -properties | IPv4 | static address pool (this would normally on an SBS be empty and unchecked but if used make sure enough addresses allocated)
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
Comment Utility
One other thought, MANY small home routers only allow 1 outgoing PPTP connection from the same site. They all have limits, but as mentioned some are only 1.

This is not the server site. Incoming is only limited usually by bandwidth.
0
 

Author Closing Comment

by:nathra
Comment Utility
Thanks for helping to troubleshoot this RobWill!
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Disable Email Signatures via GPO 25 57
Command to modify Registry entry 5 80
Sonicwall routing between VPNs 5 23
RDP Sonicwall 8 22
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now