Solved

VPN Woes

Posted on 2012-03-09
Last Modified: 2012-03-31
I am in dire need of some assistance.  

We had, until a week ago, a very stable VPN setup.   Single Win 2k server at our main office, and one Win7 client.  

The Server 192.168.0.1 (Active Domain) provides all services (dhcp, rras, file server, etc.)

Nothing fancy, just a simple vpn, 1 user access from remote location. (me - I work remotely).  both routers had nat.    I was able to access the shares on the server (not other computers at the office lan, but that wasn't necessary).  

A week ago, the very old - actiontec GT701r modem/router at the office died.  No problem - we ran out to purchase a new one - this time an actiontec GT784wn modem/router

Modem/Router installed fine - no issue.   Changed the IP address of the router from the default to the old gateway address 192.168.0.2.   Internet access resumed, with all local computers able to get out to the internet and LAN access working great.  Nothing seemed askew.

Set the router up to pass through PPTP and L2TP/IPsec. (at the time I couldn't remember how we had the VPN set up).  Turned off DHCP in the modem/router because the office network gets DHCP from the server.  

Went home - tried the vpn.  No connection.   VPN server wouldn't answer.   I could ping the office wan ip fine.  Home LAN is on 192.168.1.X, with the router being 192.168.1.1

Turned off all firewalls - tried turning off eset.  Still no connection.    I did get intermittent VPN connectivity (about 1 in 5 tries), but once connected could not ping the server and the connection drops after a short while (30 second or so)  (actual connection was verified at the vpn server)  which tells me that it's not an authentication issue.

This really seems like a routing issue to me, but nothing should have changed.    It is possible that there was a static route set up on the old office router that was lost, but I am not sure what it would have pointed to.

Recap

server ip 192.168.0.1  > gateway ip 192.168.0.2 >office wan

  > internet<

home wan > home gateway ip 192.168.1.1 > home LAN 192.168.1.x

When it does connect:

PPP adapter:
ip 192.168.0.97  (given from vpn server static pool)
subnet mask 255.255.255.255
gateway  - blank
dns 192.168.0.1
netbios enabled

Any help would be greatly appreciated.

Thanks,

Mike
Question by: Belcad

16 Comments
Expert Comment by: Rob Williams
>>"When it does connect:"
Does it connect some times? If so it's not a routing issue.  Does it fail with an error # such as 691, 721, 800?

You do need to forward port 1723 and enable GRE (allow PPTP pass-through) but if connecting that is likely done.
Does the Actiontec have VPN capabilities itself?  If so its own PPTP VPN service needs to be disabled.

Is there another router between the Actiontec and the VPN server?
Author Comment by: Belcad
Thanks for the reply.

Yes, it connects sometimes.    I would say about 20% of the time (and rather quickly I might add).   But once connected, I am unable to ping the server.

The errors have varied, but the current condition is giving error 807 when it doesn't connect.
I will also get error 619 fairly frequently.  (usually when I retry the connection - I have assumed this error is due to the connection not being closed completely before I try again)

This actiontec does not have vpn capabilities, only pass through.

There is a switch, but no physical router.

In the VPN server settings there is a check in the box to "Enable this computer as a router".  (which was working great before the modem/router change)

Thanks,

Mike
Expert Comment by: Rob Williams
I would try connecting to the server from the LAN using the VPN, just as a test to verify the server is not the issue. It is not likely the issue, but just to be sure. When doing so use the LAN IP of the server not the public IP.

An 807 error is often due to blocked GRE, but the fact that you can occasionally connect should rule that out.  It combined with a 619 error, especially where both are erratic, can indicate too high an MTU value.  Dropped connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection.  It is recommended you change this on the connecting/client computer and, when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1200, and if stability improves, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
Author Comment by: Belcad
I have set the MTU down to 1200 on the client router, but am unable to change the MTU on the server router.   (says it's 1492 by default if VPN pass-through is on).   I can do a registry edit on the server, but am not sure that will be enough?
Expert Comment by: Rob Williams
Just change the connecting client, at least for now.  Think of it as pushing a pebble through a pipe: you just want to start out with a small pebble that you know will fit through all the tight spots.

If it makes a difference in stability, we can then try to isolate; if it doesn't, we know we are "barking up the wrong tree".
Author Comment by: Belcad
Sorry, I should have noted that changing the MTU on the client had no effect.  Still connecting intermittently.   I did notice something new - when it does connect, and I ping the server IP right away - I will get a response, but that goes away very quickly.   The last time I connected, I pinged the server right away - got a response the first 3 times, with response time varying from 69ms to 125ms.  

On one successful connection, I tried to do a tracert to the server, but it timed out.  I then immediately tried successfully to ping the server.

I did turn on diagnostics and could send you the logs if you want?  I am not sure what I am looking at so they don't do me much good.
Author Comment by: Belcad
Below are the results after a successful connection.

>ipconfig /all and >route print  (public ip removed)


Windows IP Configuration

   Host Name . . . . . . . . . . . . : Belmont-i7
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

PPP adapter Larrison:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Larrison
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.97(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
   Physical Address. . . . . . . . . : E0-CB-4E-FC-D3-3D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::609e:5b6:1419:63e1%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 12, 2012 11:18:47 AM
   Lease Expires . . . . . . . . . . : Tuesday, March 13, 2012 11:18:47 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 249613134
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-41-65-03-E0-CB-4E-FC-D3-3D
   DNS Servers . . . . . . . . . . . : 97.64.187.150
                                       74.84.119.153
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{2338B10C-714B-4607-AA01-44AB1EE76366}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3ca4:334e:cdae:dea3(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3ca4:334e:cdae:dea3%11(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{E8E28578-7599-4AE7-ADB1-11CD877227F3}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

===========================================================================
Interface List
 20...........................Larrison
 10...e0 cb 4e fc d3 3d ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     20
     x.x.x.x  255.255.255.255      192.168.1.1    192.168.1.100     21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0     192.168.0.91     192.168.0.97     21
     192.168.0.97  255.255.255.255         On-link      192.168.0.97    276
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    276
    192.168.1.100  255.255.255.255         On-link     192.168.1.100    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.100    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.100    276
        224.0.0.0        240.0.0.0         On-link      192.168.0.97    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.100    276
  255.255.255.255  255.255.255.255         On-link      192.168.0.97    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 11     58 2001::/32                On-link
 11    306 2001:0:4137:9e76:3ca4:334e:cdae:dea3/128
                                    On-link
 10    276 fe80::/64                On-link
 11    306 fe80::/64                On-link
 11    306 fe80::3ca4:334e:cdae:dea3/128
                                    On-link
 10    276 fe80::609e:5b6:1419:63e1/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Expert Comment by: Rob Williams
Just to confirm, you are pinging by IP and not NetBIOS or DNS names?

The only thing in the IPconfig and routing table that looks odd is:
PPP adapter Larrison:
   .........
   IPv4 Address. . . . . . . . . . . : 192.168.0.97(Preferred)
   ...........
   DNS Servers . . . . . . . . . . . : 192.168.1.1


Not that DNS is your problem, but 192.168.1.1 is the local router.
At the corporate site you are not using 192.168.1.x for anything are you?  Internal, VPN, external?
If so that is the problem.
Author Comment by: Belcad
Yes, pinging by IP address.

When connected, pinging by UNC doesn't work (makes sense as the DNS server is not correct).

No, we are not using the 192.168.1.x subnet for anything at the office.  

(I will double check that to be sure, but remember - all was working prior to changing the modem/router)

I even went out and replaced the modem/router thinking that maybe it was a bad internal connection - no change.
Expert Comment by: Rob Williams
I ask as all subnets in the path between client and host MUST be different.  If not, routing will not work.   It is possible, if all conditions are right, to connect to the VPN server ONLY if there are similar subnets.  In that situation you will see exactly what you described in your initial question: "I was able to access the shares on the server (not other computers at the office lan....".

Have you tried connecting LAN side, just to make sure the server is still functioning properly?
Author Comment by: Belcad
I am at a remote location and not near the server today - I will be there tomorrow to check that out.    Prior to these problems I would use the vpn to check things remotely on the server - now I don't have that ability.

Question - how do I check the VPN from the LAN - if the VPN server is on the same subnet as the LAN?  

At one point, while working near the server, I was able to log onto an outside wireless network and test the connection through that - it was the same situation - intermittent connectivity - quickly dropping out.   At that time, when it did connect, I was able to look at the server and see that there in fact was a remote connection established - and there were no errors.

ADDED:

I would be fine with connecting to the server only.   I have little need to connect to individual computers on the office LAN.   (it's a small company)
Assisted Solution by: Rob Williams (earned 200 total points)
>>"if the VPN server is on the same subnet as the LAN?  "
On the same subnet is fine (using the LAN IP of the server, not the public IP).  The issue is packets cannot be routed between network segments if they are the same.  If I am on 192.168.100.x and I want to send a packet to a remote site that is also on 192.168.100.x, how will the router know to forward it, as it assumes all 192.168.100.x addresses are local?

It is possible your new router does not properly support PPTP; some do not.
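The subnet rule Rob describes above, as an added example that is not part of the original thread: a Python check that parses the Active Routes table of Windows `route print` (rows constructed from the numbers in this question) and reports a directly attached local subnet that overlaps the remote office LAN, or a remote LAN with no route over the PPP adapter. The function and sample names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the healthy case from this thread. The PPP adapter was given
# 192.168.0.97 from the VPN pool, the home LAN is 192.168.1.0/24, and the office
# LAN 192.168.0.0/24 is reached through the tunnel.
ROUTE_PRINT_SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0     192.168.0.91     192.168.0.97     21
     192.168.0.97  255.255.255.255         On-link      192.168.0.97    276
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    276
        224.0.0.0        240.0.0.0         On-link     192.168.1.100    276
"""

# Constructed sample: the failure Rob warns about. The client's own LAN is also
# 192.168.0.0/24, so the office subnet is "On-link" locally and never enters the tunnel.
OVERLAP_SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100     20
      192.168.0.0    255.255.255.0         On-link     192.168.0.100    276
     192.168.0.97  255.255.255.255         On-link      192.168.0.97    276
"""

# One IPv4 row of the Active Routes table: destination, netmask, gateway (IP or On-link), interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return (network, gateway, interface_ip, metric) tuples for every IPv4 route row."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separator or an IPv6 line
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, ipaddress.ip_address(iface), int(metric)))
    return routes


def check_vpn_routing(route_text, vpn_client_ip, remote_lan):
    """Return a list of problem descriptions; an empty list means routing to the remote LAN is sane."""
    problems = []
    remote = ipaddress.ip_network(remote_lan)
    vpn_ip = ipaddress.ip_address(vpn_client_ip)
    routes = parse_route_print(route_text)
    # Subnets directly attached to a non-VPN interface (skip host, loopback and multicast routes).
    local_nets = [n for n, gw, iface, _ in routes
                  if gw == "On-link" and iface != vpn_ip and n.prefixlen < 32
                  and not n.is_loopback and not n.is_multicast]
    for n in local_nets:
        if n.overlaps(remote):
            problems.append(f"local subnet {n} overlaps remote LAN {remote}: traffic stays local")
    # The remote LAN must have a route whose interface is the PPP adapter's address.
    if not any(n == remote and iface == vpn_ip for n, _, iface, _ in routes):
        problems.append(f"no route to {remote} via VPN adapter {vpn_ip}")
    return problems
```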
Author Comment by: Belcad
OK - thanks for all of your help.   I think my next step is to get a different brand router and try that.     The Actiontec has a specific set of port forwarding rules for PPTP and L2TP/IPsec, and it says that 1723 TCP and GRE are forwarded.

I will try to connect to the VPN server locally tomorrow and post the results.
Expert Comment by: Rob Williams
Sounds good.  Let us know how you make out.
Accepted Solution by: Belcad (earned 0 total points)
I went and tested the VPN locally - it worked great.   After some more frustrating attempts, I finally decided to try and find a used modem/router combo of the same brand and model as the one we had previously (Actiontec GT701).   Hooked it up and the VPN connected perfectly.   (unfortunately it's an old slow modem).

So I'm convinced now that it's in the router.   I don't think the new actiontec routers allow GRE through - even though they indicate that they do.   Something must be amiss with the port forwarding rules or something in the new routers.  Perhaps no-one uses PPTP anymore?

As soon as I have some time, I will be attempting to set up an openvpn solution.  That way I can choose what port to use, and can utilize a newer faster modem/router.  

-Mike
Author Closing Comment by: Belcad
Problem was not really solvable.   Turned out to be a hardware issue.