Solved

VPN error 800 when accessing SBS 2011

Posted on 2013-01-16
Last Modified: 2013-12-02
I have a remote office with 10 users that are VPNing to our main office SBS 2011 server. The first 5 users have connected fine. When I attempt to connect the 6th remote client, they get an error 800. This laptop connected successfully yesterday, when I was setting the office up. I haven't made any changes to it.
Is there some setting on the SBS 2011 server that has maxed out? Some setting I need to bump up to allow additional VPN tunnels?
Question by:TIGUETX
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 38785124
Did you set up the VPN service on SBS 2011 or are you using one provided by your router? Are you doing PPTP, L2TP, or SSTP? What kind of equipment is at your network's edge?
0
 

Author Comment

by:TIGUETX
ID: 38785345
Yes, I set up the VPN on SBS 2011. I brought the laptop home that was failing to connect. Now that 3-4 of the other users have disconnected for the night, I can successfully VPN into the server. Got to be a limit setting on the server.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 38785394
You did not answer any of my other questions...
0

 

Author Comment

by:TIGUETX
ID: 38785461
Sorry. PPTP and Comcast Business Class Routers at both ends running 27 down and 7 up  (Not at office, so I can't tell you the brand)

I was hoping to keep this simple, but some of the posts on the subject seem to indicate that multiple VPNs can put a major drain on the network and dedicated VPN routers at both ends creating the tunnel might be the way to go.

I have 2 Cisco RVS4000 gigabit routers with VPN ready to roll if I need them.
0
 

Author Comment

by:TIGUETX
ID: 38785462
Also have available static IPs at both ends.
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 38785481
PPTP uses GRE as part of the tunnel. Many consumer or lower end NAT devices will not handle more than a few GRE tunnels. After all, how many VPN sessions would the average home user have? So I suspect you are hitting a hard limit of the NAT device. 5 is a nice even number and not uncommon on Linksys and Netgear home/consumer routers.

I usually don't recommend using the provider's equipment as a router. Comcast should be able to provide you just a basic bridge device that does not do NAT and passes all traffic to another router/NAT device. Then you can use whatever you want and not be tied to the provider. For businesses, a basic UTM device is usually the most appropriate. Something like a SonicWall, Watchguard, Calyptix, etc. They will handle the NAT duties, routing duties, and provide *far* better security as well. Additionally they won't have a problem with more PPTP tunnels.

I should also mention that PPTP is really not secure anymore by modern standards. There are tools that can capture the keys and break them down relatively quickly. You should look at using a different VPN protocol if at all possible. I don't think you need to move from using SBS as the termination device so those Ciscos shouldn't be necessary. The RV series isn't exactly robust either, and I've had problems with them, but even if they did work they wouldn't be as secure as a good security device. The RVs are routers and NAT isn't a reliable security boundary. Cisco makes the ASA series for that. So with that in mind, I don't think deploying the routers would be an adequate solution. It may solve the *immediate* problem but it is ignoring the larger issue.
0
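An added example, not part of the original thread: PPTP's data channel is GRE version 1 (RFC 2637), which carries no port numbers, so the 16-bit Call ID in the header is the only field that separates tunnels sharing one public IP pair, and a NAT device has to keep per-tunnel state on it. The code parses that header and counts distinct tunnels in constructed packets; the addresses, Call IDs and function names are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

GRE_PROTO_PPP = 0x880B  # protocol type carried by PPTP's enhanced GRE (RFC 2637)

def parse_pptp_gre(raw: bytes) -> dict:
    """Parse an enhanced GRE (version 1) header; raise ValueError if it is not PPTP."""
    if len(raw) < 8:
        raise ValueError("truncated GRE header")
    flags0, flags1, proto, payload_len, call_id = struct.unpack_from("!BBHHH", raw)
    # PPTP requires version 1, the PPP protocol type and the Key bit (0x20) set.
    if flags1 & 0x07 != 1 or proto != GRE_PROTO_PPP or not flags0 & 0x20:
        raise ValueError("not PPTP enhanced GRE")
    fields = {"call_id": call_id, "payload_len": payload_len, "seq": None, "ack": None}
    offset = 8
    # Sequence (S bit, 0x10) and acknowledgment (A bit, 0x80) numbers are optional.
    for name, present in (("seq", flags0 & 0x10), ("ack", flags1 & 0x80)):
        if present:
            if len(raw) < offset + 4:
                raise ValueError("truncated optional field")
            fields[name] = struct.unpack_from("!I", raw, offset)[0]
            offset += 4
    fields["header_len"] = offset
    return fields

def tunnels_per_ip_pair(packets):
    """Map (src_ip, dst_ip) -> set of Call IDs seen in PPTP GRE packets."""
    seen = defaultdict(set)
    for src, dst, raw in packets:
        try:
            seen[(src, dst)].add(parse_pptp_gre(raw)["call_id"])
        except ValueError:
            continue  # plain GRE or malformed data is not a PPTP tunnel
    return dict(seen)

# Constructed sample: a VPN server sending to six clients that share one public
# address (documentation IP ranges, made-up Call IDs and sequence numbers).
SERVER, OFFICE = "203.0.113.10", "198.51.100.20"
SAMPLE = [(SERVER, OFFICE, struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, 0, cid, 1))
          for cid in range(1, 7)]
SAMPLE.append((SERVER, OFFICE, struct.pack("!BBHHHII", 0x30, 0x81, GRE_PROTO_PPP, 0, 3, 2, 1)))
SAMPLE.append((SERVER, OFFICE, bytes.fromhex("0000080045000054")))  # plain GRE v0

if __name__ == "__main__":
    for pair, call_ids in tunnels_per_ip_pair(SAMPLE).items():
        print(pair, "->", len(call_ids), "tunnels, Call IDs", sorted(call_ids))
```

Counting Call IDs per IP pair at the network edge gives the number of concurrent PPTP tunnels, which can be compared with the port count configured on the server and with what the NAT device is able to track.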
 

Author Comment

by:TIGUETX
ID: 38787176
After chasing my tail a bit, I learned that the 5-user ceiling I was hitting on my VPN clients was indeed a setting on my SBS 2011 server. By default the VPN wizard on SBS 2011 limits you to 5 ports.

Here is a link to the answer:
http://www.sbsfaq.com/?p=3461

Thanks for your effort cgaligher
0
