SEPCOUSA

VPN not working

My organization uses VPN for their outside sales staff to log into home office.  About 6 months ago, before my time, VPN just stopped working.  We have verified with AT&T that the proper ports are open on the router and verified that the firewall settings have not changed.  We are running SBS 2011 for our server and have attempted several times to use the wizard to set up VPN.  Any thoughts?
Perarduaadastra

I take it that all remote users were affected at the same time?

What errors do you get when using the SBS wizard? What router are you using?

As the VPN is inoperative anyway why not just delete it and create another one?
SEPCOUSA

ASKER

Yes, all the remote users were affected at the same time.  The only error I get when using the wizard is that "The server cannot open ports on the router.  You must manually open port 1723 and point it to the IP address of the server."  We have tried deleting the VPN, rebooting the server and starting the service again.  The router is a CISCO 1900 series.
What type of VPN are you using? If I remember correctly, port 1723 is used by PPTP, but IPSec uses port 500. Also, ports can be TCP or UDP, and some implementations of VPN use either or both.
We are using PPTP
Qlemo
You confirmed that the ports are open on the firewall (Cisco). But did you check if they are forwarded to SBS? Maybe the IP of SBS has changed, or the forwarding on Cisco has been removed/lost.
For PPTP also check that protocol 47 (GRE) is open and forwarded to SBS.

The VPN Wizard message isn't an error, just a note. Which error do you get at the client on connection attempt?
I am getting an Error 800.  We have checked with AT&T and they say the proper ports are open.  We have also checked that the settings on the firewall have not changed.  It stopped working about 6 months ago, before my time, so I am starting in the dark with some of this.
SOLUTION
Qlemo
This solution is only available to members.
I just confirmed with the department head and all the ports are being forwarded to the SBS from the firewall.  He also has confirmed that protocol 47 (GRE) is open and forwarded to the SBS as well.  I know of WireShark but am unfamiliar with exactly how to use it, but will research that and let you know the outcome.
We just finished running Wireshark and we are seeing PPTP but not GRE.
Looks like the Cisco acts on the GRE packets, thinking it's its business - or dismissing them or forwarding to the wrong address. Only a debug on Cisco will reveal that (but don't ask me for instructions, I'm no Cisco'si).
We have actually recently discovered that the PPTP and the GRE packets are getting to the SBS, but VPN is still not working.
SOLUTION
This solution is only available to members.
Thank you Mr. Williams, I will try those this morning and let you know.
I tried to VPN from the LAN and received the same error about GRE.  We ran the network wizard and received a few issues, but one that would pertain to VPN: "Remote access network policy is missing".  We corrected this issue and are still not able to VPN from the LAN.  We do have Symantec running on the SBS box, but it was running on there when VPN was working.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
I am actually getting an error 806.
I'm old school.  806 is more recent with Vista/Win7  :-)
806 usually indicates blocked GRE where 721 indicates no GRE response.  I'll stick with my 3rd party software suspicion.
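
The Wireshark check used in this thread (PPTP control traffic on TCP 1723 visible, GRE protocol 47 missing) can be scripted against a capture taken on the server. The following is an added example, not part of the original posts; the function names, the documentation-range addresses and the in-memory sample capture are constructed for illustration, and it assumes a classic little-endian pcap with raw-IP link type.

```python
import socket, struct

TCP, GRE, PPTP_PORT = 6, 47, 1723               # IP protocol numbers, PPTP control port
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"   # constructed documentation addresses

def ip_packet(src, dst, proto, payload=b""):
    """Constructed IPv4 packet for the sample capture (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp_header(sport, dport):
    """Constructed 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def pcap_file(packets):
    """Classic little-endian pcap, link type 101 (raw IP, no Ethernet header)."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)

def pptp_counts(data, server):
    """Count PPTP control and GRE packets to (in) and from (out) the server."""
    magic, linktype = struct.unpack_from("<I", data)[0], struct.unpack_from("<I", data, 20)[0]
    if (magic, linktype) != (0xA1B2C3D4, 101):
        raise ValueError("expected a little-endian raw-IP pcap")
    srv, off = socket.inet_aton(server), 24
    c = {"ctrl_in": 0, "ctrl_out": 0, "gre_in": 0, "gre_out": 0}
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]      # captured length
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 20 or pkt[0] >> 4 != 4:                  # skip non-IPv4 / truncated
            continue
        ihl, proto, src, dst = (pkt[0] & 0x0F) * 4, pkt[9], pkt[12:16], pkt[16:20]
        ports = struct.unpack_from("!HH", pkt, ihl) if proto == TCP and len(pkt) >= ihl + 4 else ()
        kind = "gre" if proto == GRE else "ctrl" if PPTP_PORT in ports else None
        if kind and srv in (src, dst):
            c[kind + ("_in" if dst == srv else "_out")] += 1
    return c

def diagnose(c):
    """Name the first missing leg of the PPTP exchange."""
    legs = (("ctrl_in", "TCP 1723 is not reaching the server"),
            ("gre_in", "control channel arrives but GRE (protocol 47) does not"),
            ("gre_out", "GRE arrives but the server sends none back"))
    return next((msg for key, msg in legs if not c[key]), "control and GRE flow both ways")

# Constructed capture: control channel in both directions, no GRE at all.
SAMPLE = pcap_file([ip_packet(CLIENT, SERVER, TCP, tcp_header(50000, PPTP_PORT)),
                    ip_packet(SERVER, CLIENT, TCP, tcp_header(PPTP_PORT, 50000))])
if __name__ == "__main__":
    print(diagnose(pptp_counts(SAMPLE, SERVER)))
```

The first two results separate a forwarding problem in front of the server from the case reported later in the thread, where GRE does arrive and the fault has to be looked for on the server itself.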