Solved

VPN to Windows 7 computer fails with 720 error

Posted on 2011-03-17
Last Modified: 2012-05-11
I have a host computer running Windows 7 Ultimate x64 hosting incoming connections via VPN.
It is behind a Linksys e2000 router using DynDns. Port 1723 is forwarded to the host machine.
I have tried connecting to it from many different computers with the same result: The connection validates the credentials, displays "registering computer on network" and fails with error 720: connection to the remote computer could not be established, you may need to change network settings.
I have tried this with 3 different routers as well.
I have successfully implemented VPN before, but never on a Windows 7 box.
Does anyone know if it can even be done? If so, please share.

I have attached a log of the failure activity from one failed session.
I have searched here for an answer and seen many posts with similar issues and tried everything I could find. No joy.
Please advise.
 vpnFailureLog.doc
0
Question by:csialbany
31 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 35161104
If RAS is hanging in "Registering computer on network", ending in 678, 930, 720 and some more error codes, almost always it is a GRE forwarding issue. You did not mention if you prepared your router for "PPTP passthru", "VPN passthru" or the like, or manually forwarded protocol 47 (GRE) to the server machine.
0
 

Author Comment

by:csialbany
ID: 35161199
PPTP passthrough is enabled.
I see no option for forwarding any protocols on the router. Only tcp or udp ports.

Thanks
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35161258
PPTP passthru should fit.
You told us you tried with 3 other routers - same brand? There might be a firmware issue with W7 and the router ...
0
 

Author Comment

by:csialbany
ID: 35161313
First router was a netgear home router. Same result with it.
Second option was Cisco rvs4000 VPN security router. This was deemed a poor choice in many forums and performed with the same result.
You think I am doomed to trial and error with routers?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35161327
At least you can perform a GRE test by using a test tool on server and client. See http://www.howtonetworking.com/Tools/testgre.htm. That should show if you have a GRE issue, or something different.
0
 

Author Comment

by:csialbany
ID: 35161369
I may be further displaying my ignorance here, but how do I run that on a Windows 7 machine? The post supplies instructions if you have a Windows 2000 setup CD.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35161470
Got a W2003 or XP SP2 CD? If so, they are located in Support\Tools\Support.
Else you might consider to download (at your own risk) from
    http://www.filerepair.ca/downloads/p/pp/pptpsrv.exe-DLL-EXE-Download-pptpsrv.exe.html
and
   http://www.filerepair.ca/DLL-EXE-downloads/p/pp/pptpclnt.exe-Download-File-pptpclnt.exe.html
0
 

Author Comment

by:csialbany
ID: 35161615
I have the CDs at my office. I am working in bed tonight though. The links you provided are well enough, but the downloads time out consistently. It may have to be back burnered until tomorrow morning (eastern). If I can get the downloads I will post again tonight. Otherwise it will be first thing tomorrow.
Thanks again.
0
 

Author Comment

by:csialbany
ID: 35164507
I now have the pptpclnt file on the client machine but don't really know what to do with it. When I try it from the command line I get "not recognized as ...command..." I am sure I just need to install it somehow, but am at a loss and can't find anything in forums regarding this that seems to apply to Windows 7.
Please advise
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35165131
I have used the XP SP2 ones on my W7 x64, and they work fine.
0
 

Author Comment

by:csialbany
ID: 35165214
I think this is another case of ignorance. How do I use it?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35165354
You start    PPTPsrv    on your server, then     PPTPclnt Ip.Add.ress.here    and all is done.
If you get "not recognized as command", it has not been found - you need to put it into a folder, e.g. TMP, start a Command prompt, change to this folder (cd c:\tmp    for example), and then use pptpclnt as stated above.
0
 

Author Comment

by:csialbany
ID: 35175797
Apologies for the delayed reply.
Thanks for the instruction.

Here are the results from the client side:


Initializing WinSock...
Obtaining host information...
Successfully resolved server's host information

======================================
Enter data to send to server (between 1 and 255 chrs.), then hit enter:
-->test

Successfully connected to server using TCP port 1723 (PPTP)
Sending data to server

Waiting for a reply to the data which was just sent...
Received a reply.  Reply contains the following text:
--->

=================================
Connectivity test to TCP Port 1723 was successful!!!
Closing down socket...
=================================

Creating a socket to test GRE protocol traffic...

Total GRE packets sent = 1
Total GRE packets sent = 2
Total GRE packets sent = 3
Total GRE packets sent = 4
Total GRE packets sent = 5

=====================================
Check server to see if the GRE packets were received successfully
=====================================

Closing down socket

Goodbye!


SERVER SIDE RESULTS:
error 100048 binding socket

WSAEADDINUSE: address already in use

created socket for GRE protocol test

listening on protocol 47 for incoming GRE packets...

So I guess it is not hearing anything.
Please advise.
Thanks.



0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35176374
(1) You should type in a text to send. That text needs to appear on the server side.
(2) The server echoes "Total GRE packets received = " 5 times if successful.
(3) You tested while your RRAS server was running, occupying port 1723. So you could not test the PPTP part.

It is pretty clear GRE is not forwarded, or allowed to pass either on the client or server side.
You can try some more:
Switch off RRAS on your server, and start pptpsrv again.
Then start pptpclnt with the private IP of the server from an arbitrary machine in your LAN
If successful, restart pptpsrv and try pptpclnt with the public IP.
You should see the text you type with pptpclnt each time, and of course the GRE answers on the server.
0
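The three points in the reply above can be applied mechanically to the two console transcripts. The following is an added example, not part of the original thread and not code from the test tools; the sample text is constructed from the output lines quoted in this thread, and the exact form of the "received" lines is assumed from the reply's description.

```python
import re

# Constructed samples, assembled from output lines quoted in this thread.
CLIENT_OUT = "\n".join(
    ["Successfully connected to server using TCP port 1723 (PPTP)",
     "Connectivity test to TCP Port 1723 was successful!!!"]
    + [f"Total GRE packets sent = {i}" for i in range(1, 6)])
SERVER_OUT = "\n".join(
    ["error 100048 binding socket",
     "WSAEADDINUSE: address already in use",
     "created socket for GRE protocol test",
     "listening on protocol 47 for incoming GRE packets..."])
# Assumed shape of a successful server run (line format taken from the reply above).
HEALTHY_SERVER_OUT = "\n".join(
    f"Total GRE packets received = {i}" for i in range(1, 6))

def interpret(client_out, server_out):
    """Turn pptpclnt/pptpsrv console output into findings and verdicts."""
    sent = [int(n) for n in
            re.findall(r"Total GRE packets sent = (\d+)", client_out)]
    f = {
        "tcp_1723_connected":
            "Successfully connected to server using TCP port 1723" in client_out,
        # pptpsrv failed to bind: something else already listens on TCP 1723.
        "server_bind_conflict": "WSAEADDINUSE" in server_out,
        "gre_sent": max(sent, default=0),
        "gre_received": len(re.findall(r"Total GRE packets received", server_out)),
    }
    verdicts = []
    if f["server_bind_conflict"]:
        verdicts.append("TCP 1723 was answered by another listener (e.g. RRAS), "
                        "so the PPTP control-port test did not reach pptpsrv")
    if f["gre_sent"] and f["gre_received"] == 0:
        verdicts.append("GRE (IP protocol 47) was sent but never arrived: "
                        "blocked or not forwarded on the path")
    elif f["gre_sent"] and f["gre_received"] >= f["gre_sent"]:
        verdicts.append("GRE path works: server received what the client sent")
    f["verdicts"] = verdicts
    return f

if __name__ == "__main__":
    for line in interpret(CLIENT_OUT, SERVER_OUT)["verdicts"]:
        print(line)
```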
 

Author Comment

by:csialbany
ID: 35176567
I did, in fact enter text. I typed the word "test".
How do I switch off RRAS server?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35176620
Ah, sorry, didn't see "test".
Go into the Services, and you should see a service called "Routing and RAS". Stop that while testing.
0
 

Author Comment

by:csialbany
ID: 35177629
If I kill the RRAS service, will that not also prevent me from accessing the host via Remote Desktop?
If I need to I can enlist someone to be on site ....
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35179001
No, RDP and RRAS are not related. Only if you use RRAS to get on that machine via VPN you will stop that working, of course.
0
 

Author Comment

by:csialbany
ID: 35198359
OK,

The client side reports error 10054 Connection reset by peer.
The server side remains listening...
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35198388
"error 10054 Connection reset by peer" says that there has been something actively denying access (to port 1723). It is no timeout, which might come from missing port forwarding; the Linksys is rejecting the request. Maybe you have PPTP server active on it (if available)? Any logs in Linksys?
0
 

Author Comment

by:csialbany
ID: 35203883
I don't see any options on the e2000 for PPTP server. The window below contains some unfamiliar (to me) settings.

Linksys E2000, Firmware Version: 1.0.03
Security tab (sub-tabs: Firewall | VPN Passthrough)

Firewall
      SPI Firewall Protection: [x] Enabled  [ ] Disabled

Internet Filter
      [x] Filter Anonymous Internet Requests
      [ ] Filter Multicast
      [ ] Filter Internet NAT Redirection
      [x] Filter IDENT (Port 113)

Web Filter
      [ ] Proxy  [ ] Java  [ ] ActiveX  [ ] Cookies
                        
The logs contain almost nothing. In the incoming log there are a couple of mentions of traffic on ports 32694 and 45764. The only mention there of the IP address I was testing from is the incoming connection on port 8080 from the remote admin login.
You think the block is on the Windows 7 machine itself? I have tried with the firewall off and even with Microsoft security essentials disabled...
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35205241
None of the above (besides VPN passthru) is related to the issue.
I do not have the slightest hint who is blocking here, and can only guess. Also, without having stats or logs on the Firewall, there isn't much we can see. Again, only guessing and testing remains.

The port forward might be wrong - not active, wrong protocol, wrong port, wrong internal IP.
The Windows Firewall can be stubborn, and it makes a difference if you disable Firewall or the according service.
Anyway, allowing for Dial-In connections should already have activated the corresponding Firewall rule, so it should not matter - but sometimes the rule is not enabled.

If you have another PC on the LAN, try to use that either for the PPTP test tools or the PPTP connection against the internal IP. If that works, try it against the external IP. The latter might work or not, even if anything is configured correctly, because some routers do not forward traffic coming from LAN back to LAN.
0
 

Author Comment

by:csialbany
ID: 35214386
I have attached the log from the failed connection attempt.
Also, I have attached the incoming log from the router.
I have verified that port 1723 is forwarded to the correct internal IP address.
I will try disabling the firewall service today, but it at least tells me it is allowing vpn traffic.
I will also try the tools on the lan side.



vpnFailureLog.docx
incoming-log.txt
0
 

Author Comment

by:csialbany
ID: 35259771
OK, I still don't have an explanation and thus will be happy to award points based on that, but I did find a solution that is at least workable in this particular situation. At this link:
 
      http://www.sevenforums.com/network-sharing/23998-windows-7-vpn-problems.html

I found this:
 

"Hei (sic) All.

Thought I would let everyone who has been following this that I solved the problem outlined in my original post.

To fix the problem I change the VPN settings to allocated an IP address within a specific range (via the vpn wizard on the server machine). This way the client machine registers on the network fine"

I set the IPs to a specific range and Voila! Connection, registration and share access without 720.

Anyone know why this was a problem in the first place? DHCP?...

0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35260457
If you change to a specific RAS IP Pool, DHCP is not used - obviously the server could not allocate more IP addresses from DHCP on your LAN. Could you check that? RAS IP allocations are visible in DHCP Admin console with an icon different from local IPs. You should see at least two IP addresses allocated for RAS (one for the server, and one for the client).
0
 

Author Comment

by:csialbany
ID: 35266066
DHCP is handled by the router, no? The host machine is Windows 7. Is there a DHCP admin console in Win7?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35266425
DHCP is issued by whatever it does. I assumed you have a server - but that was too much guessed, I see. Most probably it is your router acting as DHCP server, yes. Its admin GUI should allow you to see the allocated DHCP leases, in that case you need to look for a couple of leases for the same machine name.
0
 

Author Comment

by:csialbany
ID: 35268384
So, DHCP log on the router shows no record for any IP other than those assigned to what I know are the locally connected computers. Are the IPs for machines connected via VPN now assigned by the host computer? I am just trying to understand why the connection fails without the specified IP pool.
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 250 total points
ID: 35274557
RAS should obtain at least one IP from DHCP. It does not, so that is the reason RAS is not working without a static IP pool. The EventLog should show you the reason why it could not obtain dynamic IPs.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35274563
For the time being you are not worse off by using the static IP pool, as long as you can make sure no address will be used twice. If your static IP is from the upper area of your subnet, that is very unlikely; but it is more safe then to exclude the RAS IP pool from DHCP.
0
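A check for the condition stated above, that no address in the static RAS pool can be handed out twice, written as an added example that is not part of the original thread. The subnet, DHCP scope, fixed hosts and the function name `check_ras_pool` are all constructed for illustration, and the pool is assumed to be taken from the LAN subnet as in the thread.

```python
import ipaddress

def _span(first, last):
    """Return an inclusive (low, high) IPv4 range, rejecting reversed bounds."""
    low, high = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if low > high:
        raise ValueError(f"range {first}-{last} is reversed")
    return low, high

def check_ras_pool(lan_cidr, dhcp_range, ras_range, fixed_hosts=()):
    """List reasons the static RAS pool could hand out an address twice."""
    lan = ipaddress.IPv4Network(lan_cidr)
    dhcp_lo, dhcp_hi = _span(*dhcp_range)
    ras_lo, ras_hi = _span(*ras_range)
    problems = []

    # Assumption: the pool is carved out of the LAN subnet, as in the thread.
    if ras_lo not in lan or ras_hi not in lan:
        problems.append(f"pool {ras_lo}-{ras_hi} is not inside {lan}")
    elif ras_lo <= lan.network_address or ras_hi >= lan.broadcast_address:
        problems.append("pool includes the network or broadcast address")

    # One address goes to the RAS server itself, one to each connected client.
    if int(ras_hi) - int(ras_lo) + 1 < 2:
        problems.append("pool needs at least 2 addresses (server + one client)")

    # Two inclusive ranges overlap when the later start is not past the earlier end.
    lo, hi = max(dhcp_lo, ras_lo), min(dhcp_hi, ras_hi)
    if lo <= hi:
        problems.append(f"overlaps DHCP scope at {lo}-{hi}")

    # Manually configured devices (the router, printers) can collide as well.
    for host in map(ipaddress.IPv4Address, fixed_hosts):
        if ras_lo <= host <= ras_hi:
            problems.append(f"fixed host {host} is inside the pool")
    return problems

# Constructed sample network; none of these addresses come from the thread.
LAN = "192.168.1.0/24"
DHCP = ("192.168.1.100", "192.168.1.149")
FIXED = ["192.168.1.1", "192.168.1.250"]

if __name__ == "__main__":
    for pool in [("192.168.1.140", "192.168.1.160"),
                 ("192.168.1.240", "192.168.1.250"),
                 ("192.168.1.200", "192.168.1.210")]:
        print(pool, check_ras_pool(LAN, DHCP, pool, FIXED) or "OK")
```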
 

Author Closing Comment

by:csialbany
ID: 35277056
The problem is solved and I now have a better understanding. I imagine that many people using Windows 7 to host VPN  for the first time will be looking for this information.
0
