Solved

VPN not working

Posted on 2014-09-03
Last Modified: 2014-10-29
My organization uses VPN for their outside sales staff to log into home office.  About 6 months ago, before my time, VPN just stopped working.  We have verified with AT&T that the proper ports are open on the router and verified that the firewall settings have not changed.  We are running SBS 2011 for our server and have attempted several times to use the wizard to set up VPN.  Any thoughts?
Question by:SEPCOUSA
18 Comments
 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 40302048
I take it that all remote users were affected at the same time?

What errors do you get when using the SBS wizard? What router are you using?

As the VPN is inoperative anyway why not just delete it and create another one?
0
 

Author Comment

by:SEPCOUSA
ID: 40302098
Yes, all the remote users were affected at the same time.  The only error I get when using the wizard is that "The server cannot open ports on the router.  You must manually open port 1723 and point it to the IP address of the server."  We have tried deleting the VPN, rebooting the server and starting the service again.  The router is a CISCO 1900 series.
0
 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 40302177
What type of VPN are you using? If I remember correctly, port 1723 is used by PPTP, but IPSec uses port 500. Also, ports can be TCP or UDP, and some implementations of VPN use either or both.
0

 

Author Comment

by:SEPCOUSA
ID: 40302184
We are using PPTP
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40302353
You confirmed that the ports are open on the firewall (Cisco). But did you check if they are forwarded to SBS? Maybe the IP of SBS has changed, or the forwarding on Cisco has been removed/lost.
For PPTP also check that protocol 47 (GRE) is open and forwarded to SBS.

The VPN Wizard message isn't an error, just a note. Which error do you get at the client on connection attempt?
0
 

Author Comment

by:SEPCOUSA
ID: 40303437
I am getting an Error 800.  We have checked with AT&T and they say the proper ports are open.  We have also checked that the settings on the firewall have not changed.  It stopped working about 6 months ago, before my time, so I am starting in the dark with some of this.
0
 
LVL 69

Assisted Solution

by:Qlemo
Qlemo earned 167 total points
ID: 40303506
Sadly, error 800 is generic and doesn't tell any detail. But it always is either of
a) IP not reachable at all
b) GRE issue
c) PPTP issue
You can use MS NetMon or Wireshark on SBS with a capture filter for GRE and PPTP to see if and which packets arrive at SBS. You need to see both GRE and PPTP.
0
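An added example, not part of the original thread: the check described in the post above, done offline on a capture saved from Wireshark in classic .pcap format. It counts TCP 1723 (PPTP control) and IP protocol 47 (GRE) packets addressed to the server and maps the result onto cases a) to c). The function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

PPTP_PORT = 1723  # PPTP control channel (TCP)
GRE_PROTO = 47    # IP protocol number that carries the PPTP tunnel data
SERVER = "192.168.16.2"  # constructed LAN address standing in for the SBS

def classify_pcap(data, server_ip):
    """Count PPTP-control and GRE packets addressed to server_ip.
    Assumes a classic little-endian .pcap (not pcapng) with Ethernet frames."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    counts, off = {"pptp": 0, "gre": 0}, 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if socket.inet_ntoa(ip[16:20]) != server_ip:
            continue  # not addressed to the VPN server
        if proto == GRE_PROTO:
            counts["gre"] += 1
        elif proto == 6 and ip[ihl + 2:ihl + 4] == struct.pack("!H", PPTP_PORT):
            counts["pptp"] += 1  # TCP segment with destination port 1723
    return counts

def diagnose(counts):
    if not counts["pptp"] and not counts["gre"]:
        return "neither arrives: server IP not reachable"
    if not counts["gre"]:
        return "PPTP control arrives, GRE does not: GRE issue"
    if not counts["pptp"]:
        return "GRE arrives, PPTP control does not: PPTP issue"
    return "both arrive: look at the server rather than the path to it"

def make_frame(proto, dst, payload):  # constructed sample frame, IP checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                     0, socket.inet_aton("203.0.113.7"), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def make_pcap(frames):  # wrap frames in a minimal classic pcap container
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

TCP_1723 = make_frame(6, SERVER, struct.pack("!HH", 50000, PPTP_PORT) + b"\x00" * 16)
print(diagnose(classify_pcap(make_pcap([TCP_1723, TCP_1723]), SERVER)))
```

To run it on a real capture, read the file with `open(path, "rb").read()` and pass the server's LAN address as `server_ip`.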
 

Author Comment

by:SEPCOUSA
ID: 40303521
I just confirmed with the department head and all the ports are being forwarded to the SBS from the firewall.  He also has confirmed that protocol 47 (GRE) is open and forwarded to the SBS as well.  I know of Wireshark but am unfamiliar with exactly how to use it, but will research that and let you know the outcome.
0
 

Author Comment

by:SEPCOUSA
ID: 40303606
We just finished running Wireshark and we are seeing PPTP but not GRE.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40304101
Looks like the Cisco acts on the GRE packets, thinking it's its business - or dismissing them or forwarding to the wrong address. Only a debug on Cisco will reveal that (but don't ask me for instructions, I'm no Cisco'si).
0
 

Author Comment

by:SEPCOUSA
ID: 40312256
We have actually recently discovered that the PPTP and the GRE packets are getting to the SBS, but VPN is still not working.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 333 total points
ID: 40349666
I would try from the LAN connecting to the LAN IP of the SBS, not the public IP, using the VPN.  This will confirm if it is a router issue or SBS VPN.  If the SBS, I would run the "fix my network wizard", and also verify there is no 3rd party security software running on the SBS that could be blocking the VPN, such as Symantec.
0
 

Author Comment

by:SEPCOUSA
ID: 40349878
Thank you Mr. Williams, I will try those this morning and let you know.
0
 

Author Comment

by:SEPCOUSA
ID: 40349998
I tried to VPN from the LAN and received the same error about GRE.  We ran the network wizard and received a few issues, but only one that would pertain to VPN: "Remote access network policy is missing".  We corrected this issue and are still not able to VPN from the LAN.  We do have Symantec running on the SBS box, but it was running on there when VPN was working.
0
 
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 333 total points
ID: 40350182
Most often if you have a GRE error that is not related to the router it is due to 3rd party software.  Symantec is notorious.  Often even disabling the security software does not resolve, it requires uninstalling.  I assume the error is not an 800 error at this point?  A GRE error would usually be 721 and sometimes incorrectly a 691.

Alternatively:  
- Is it possible to use the Cisco's VPN capability?  It would perform better and be more secure as it offloads the VPN service to the network perimeter and uses IPsec rather than PPTP.
- Do you really need a VPN?  VPNs have one major security flaw: they are a wide open tunnel between the corporate network and a remote uncontrolled network.  SBS 2011 by default allows remote desktop access, Outlook Web access, and access to file shares using Remote Web Access, all of which offer more security than a PPTP VPN.
0
 

Author Comment

by:SEPCOUSA
ID: 40350189
I am actually getting an error 806.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40350199
I'm old school.  806 is more recent with Vista/Win7  :-)
806 usually indicates blocked GRE where 721 indicates no GRE response.  I'll stick with my 3rd party software suspicion.
0


Question has a verified solution.
