Solved

VPN not working

Posted on 2014-09-03
Last Modified: 2014-10-29
My organization uses VPN for their outside sales staff to log into home office.  About 6 months ago, before my time, VPN just stopped working.  We have verified with AT&T that the proper ports are open on the router and verified that the firewall settings have not changed.  We are running SBS 2011 for our server and have attempted several times to use the wizard to set up VPN.  Any thoughts?
0
Question by:SEPCOUSA
18 Comments
 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 40302048
I take it that all remote users were affected at the same time?

What errors do you get when using the SBS wizard? What router are you using?

As the VPN is inoperative anyway why not just delete it and create another one?
0
 

Author Comment

by:SEPCOUSA
ID: 40302098
Yes, all the remote users were affected at the same time.  The only error I get when using the wizard is that "The server cannot open ports on the router.  You must manually open port 1723 and point it to the IP address of the server."  We have tried deleting the VPN, rebooting the server and starting the service again.  The router is a CISCO 1900 series.
0
 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 40302177
What type of VPN are you using? If I remember correctly, port 1723 is used by PPTP, but IPSec uses port 500. Also, ports can be TCP or UDP, and some implementations of VPN use either or both.
0
 

Author Comment

by:SEPCOUSA
ID: 40302184
We are using PPTP
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40302353
You confirmed that the ports are open on the firewall (Cisco). But did you check if they are forwarded to SBS? Maybe the IP of SBS has changed, or the forwarding on Cisco has been removed/lost.
For PPTP also check that protocol 47 (GRE) is open and forwarded to SBS.

The VPN Wizard message isn't an error, just a note. Which error do you get at the client on connection attempt?
0
 

Author Comment

by:SEPCOUSA
ID: 40303437
I am getting an Error 800.  We have checked with AT&T and they say the proper ports are open.  We have also checked that the settings on the firewall have not changed.  It stopped working about 6 months ago, before my time, so I am starting in the dark with some of this.
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 501 total points
ID: 40303506
Sadly, error 800 is generic and doesn't tell any detail. But it always is either of
a) IP not reachable at all
b) GRE issue
c) PPTP issue
You can use MS NetMon or WireShark on SBS with a capture filter for GRE and PPTP to see if and which packets arrive at SBS. You need to see both GRE and PPTP.
0
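An offline version of the check described above, as an added example that is not part of the original thread: it counts PPTP control (TCP 1723) and GRE (IP protocol 47) frames, in either direction, in a capture taken on the server. It assumes the capture was saved in classic pcap format with an Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import struct

PPTP_PORT, TCP, GRE = 1723, 6, 47  # PPTP control port; IP protocol numbers

def count_pptp_gre(pcap: bytes) -> dict:
    """Count PPTP control (TCP 1723) and GRE (IP protocol 47) frames in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    counts, off = {"pptp": 0, "gre": 0}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not IPv4
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        l4 = frame[14 + ihl:14 + ihl + 4]     # source and destination port, if TCP
        if frame[23] == GRE:
            counts["gre"] += 1
        elif frame[23] == TCP and len(l4) == 4 and PPTP_PORT in struct.unpack("!HH", l4):
            counts["pptp"] += 1
    return counts

def diagnose(counts: dict) -> str:
    """Map what the capture shows onto the causes a), b), c) listed in the answer above."""
    if not counts["pptp"]:
        return "a/c: no PPTP control traffic reached the server"
    if not counts["gre"]:
        return "b: PPTP control arrives but GRE does not"
    return "PPTP and GRE both reach the server"

# --- constructed sample capture (documentation addresses, not from the thread) ---
def make_frame(proto: int, payload: bytes = b"") -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([203, 0, 113, 10]), bytes([192, 0, 2, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def make_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

PPTP_SYN = make_frame(TCP, struct.pack("!HH", 50000, PPTP_PORT) + b"\x00" * 16)
SAMPLE = make_pcap([PPTP_SYN, PPTP_SYN])   # control traffic only, no GRE

if __name__ == "__main__":
    print(count_pptp_gre(SAMPLE), "->", diagnose(count_pptp_gre(SAMPLE)))
```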
 

Author Comment

by:SEPCOUSA
ID: 40303521
I just confirmed with the department head and all the ports are being forwarded to the SBS from the firewall.  He also has confirmed that protocol 47 (GRE) is open and forwarded to the SBS as well.  I know of WireShark but am unfamiliar with exactly how to use it, but will research that and let you know the outcome.
0
 

Author Comment

by:SEPCOUSA
ID: 40303606
We just finished running Wireshark and we are seeing PPTP but not GRE.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40304101
Looks like the Cisco acts on the GRE packets, thinking it's its business - or dismissing them or forwarding to the wrong address. Only a debug on Cisco will reveal that (but don't ask me for instructions, I'm no Cisco'si).
0
 

Author Comment

by:SEPCOUSA
ID: 40312256
We have actually recently discovered that the PPTP and the GRE packets are getting to the SBS, but VPN is still not working.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 999 total points
ID: 40349666
I would try from the LAN connecting to the LAN IP of the SBS, not the public IP, using the VPN.  This will confirm if it is a router issue or SBS VPN.  If the SBS, I would run the "fix my network wizard", and also verify there is no 3rd party security software running on the SBS that could be blocking the VPN, such as Symantec.
0
 

Author Comment

by:SEPCOUSA
ID: 40349878
Thank you Mr. Williams, I will try those this morning and let you know.
0
 

Author Comment

by:SEPCOUSA
ID: 40349998
I tried to VPN from the LAN and received the same error about GRE.  We ran the network wizard and received a few issues, but one that would pertain to VPN, "Remote access network policy is missing".  We corrected this issue and are still not able to VPN from the LAN.  We do have Symantec running on the SBS box, but it was running on there when VPN was working.
0
 
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 999 total points
ID: 40350182
Most often if you have a GRE error that is not related to the router it is due to 3rd party software.  Symantec is notorious.  Often even disabling the security software does not resolve, it requires uninstalling.  I assume the error is not an 800 error at this point?  A GRE error would usually be 721 and sometimes incorrectly a 691.

Alternatively:  
-Is it possible to use the Cisco's VPN capability?  It would perform better and be more secure as it offloads the VPN service to the network perimeter and uses IPsec rather than PPTP.
-Do you really need a VPN?  VPNs have one major security flaw, they are a wide open tunnel between the corporate network and a remote uncontrolled network.  SBS 2011 by default allows remote desktop access, Outlook Web access, and access to file shares using Remote Web Access,  all of which offer more security than a PPTP VPN.
0
 

Author Comment

by:SEPCOUSA
ID: 40350189
I am actually getting an error 806.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40350199
I'm old school.  806 is more recent with Vista/Win7  :-)
806 usually indicates blocked GRE where 721 indicates no GRE response.  I'll stick with my 3rd party software suspicion.
0


Question has a verified solution.
