VPN not working

My organization uses VPN for their outside sales staff to log into home office.  About 6 months ago, before my time, VPN just stopped working.  We have verified with AT&T that the proper ports are open on the router and verified that the firewall settings have not changed.  We are running SBS 2011 for our server and have attempted several times to use the wizard to set up VPN.  Any thoughts?
SEPCOUSA Asked:

Perarduaadastra Commented:
I take it that all remote users were affected at the same time?

What errors do you get when using the SBS wizard? What router are you using?

As the VPN is inoperative anyway why not just delete it and create another one?
0
SEPCOUSA (Author) Commented:
Yes, all the remote users were affected at the same time.  The only error I get when using the wizard is that "The server cannot open ports on the router.  You must manually open port 1723 and point it to the IP address of the server."  We have tried deleting the VPN, rebooting the server and starting the service again.  The router is a CISCO 1900 series.
0
Perarduaadastra Commented:
What type of VPN are you using? If I remember correctly, port 1723 is used by PPTP, but IPSec uses port 500. Also, ports can be TCP or UDP, and some implementations of VPN use either or both.
0
SEPCOUSA (Author) Commented:
We are using PPTP
0
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
You confirmed that the ports are open on the firewall (Cisco). But did you check if they are forwarded to SBS? Maybe the IP of SBS has changed, or the forwarding on Cisco has been removed/lost.
For PPTP also check that protocol 47 (GRE) is open and forwarded to SBS.

The VPN Wizard message isn't an error, just a note. Which error do you get at the client on connection attempt?
0
SEPCOUSA (Author) Commented:
I am getting an Error 800.  We have checked with AT&T and they say the proper ports are open.  We have also checked that the settings on the firewall have not changed.  It stopped working about 6 months ago, before my time, so I am starting in the dark with some of this.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Sadly, error 800 is generic and doesn't tell any detail. But it always is either of
a) IP not reachable at all
b) GRE issue
c) PPTP issue
You can use MS NetMon or WireShark on SBS with a capture filter for GRE and PPTP to see if and which packets arrive at SBS. You need to see both GRE and PPTP.
0
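The check suggested above (capture with a filter such as `tcp port 1723 or ip proto 47` and confirm both channels appear), as an added example that is not part of the original thread. It classifies raw IPv4 packets into the PPTP control channel and the GRE data channel and reports which one is missing from the server's point of view; the addresses, sample packets and result labels are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

PPTP_PORT, IPPROTO_TCP, IPPROTO_GRE = 1723, 6, 47

def classify(pkt: bytes):
    """Return (src, dst, kind) for a raw IPv4 packet; kind is 'pptp', 'gre' or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                                  # truncated or not IPv4
    payload = pkt[(pkt[0] & 0x0F) * 4:]              # skip IP header (IHL is in 32-bit words)
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    kind = None
    if len(payload) >= 4:
        a, b = struct.unpack("!HH", payload[:4])
        if pkt[9] == IPPROTO_TCP and PPTP_PORT in (a, b):
            kind = "pptp"                            # control channel, TCP 1723
        elif pkt[9] == IPPROTO_GRE and (a & 0x7) == 1 and b == 0x880B:
            kind = "gre"                             # enhanced GRE version 1 carrying PPP
    return src, dst, kind

def triage(packets, server_ip):
    """Say which PPTP channel is missing, as seen in a capture taken on the VPN server."""
    seen = set()
    for parsed in map(classify, packets):
        if parsed and parsed[2]:
            src, dst, kind = parsed
            if dst == server_ip:
                seen.add((kind, "in"))
            elif src == server_ip:
                seen.add((kind, "out"))
    if ("pptp", "in") not in seen:
        return "NO_PPTP_IN"    # server unreachable or TCP 1723 not forwarded
    if ("gre", "in") not in seen:
        return "NO_GRE_IN"     # protocol 47 dropped or misrouted before the server
    if ("gre", "out") not in seen:
        return "NO_GRE_OUT"    # GRE arrives but the server side never answers
    return "BOTH_CHANNELS_OK"

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload

# Constructed sample: client 203.0.113.10, server 192.0.2.5 (documentation addresses).
CLIENT, SERVER = "203.0.113.10", "192.0.2.5"
tcp = lambda sp, dp: struct.pack("!HH", sp, dp) + bytes(16)
gre = struct.pack("!HH", 0x2001, 0x880B) + bytes(4)
pptp_only = [ipv4(CLIENT, SERVER, 6, tcp(50000, 1723)), ipv4(SERVER, CLIENT, 6, tcp(1723, 50000))]
print(triage(pptp_only, SERVER))
```
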
SEPCOUSA (Author) Commented:
I just confirmed with the department head and all the ports are being forwarded to the SBS from the firewall.  He also has confirmed that protocol 47 (GRE) is open and forwarded to the SBS as well.  I know of WireShark but am unfamiliar with exactly how to use it, but will research that and let you know the outcome.
0
SEPCOUSA (Author) Commented:
We just finished running Wireshark and we are seeing PPTP but not GRE.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Looks like the Cisco acts on the GRE packets, thinking it's its business - or dismissing them or forwarding to the wrong address. Only a debug on Cisco will reveal that (but don't ask me for instructions, I'm no Cisco'si).
0
SEPCOUSA (Author) Commented:
We have actually recently discovered that the PPTP and the GRE packets are getting to the SBS, but VPN is still not working.
0
Rob Williams Commented:
I would try from the LAN connecting to the LAN IP of the SBS, not the public IP, using the VPN.  This will confirm if it is a router issue or SBS VPN.  If the SBS, I would run the "fix my network wizard", and also verify there is no 3rd party security software running on the SBS that could be blocking the VPN, such as Symantec.
0
SEPCOUSA (Author) Commented:
Thank you Mr. Williams, I will try those this morning and let you know.
0
SEPCOUSA (Author) Commented:
I tried to VPN from the LAN and received the same error about GRE.  We ran the network wizard and received a few issues, but one that would pertain to VPN, "Remote access network policy is missing".  We corrected this issue and are still not able to VPN from the LAN.  We do have Symantec running on the SBS box, but it was running on there when VPN was working.
0
Rob Williams Commented:
Most often if you have a GRE error that is not related to the router it is due to 3rd party software.  Symantec is notorious.  Often even disabling the security software does not resolve, it requires uninstalling.  I assume the error is not an 800 error at this point?  A GRE error would usually be 721 and sometimes incorrectly a 691.

Alternatively:
-Is it possible to use the Cisco's VPN capability?  It would perform better and be more secure as it offloads the VPN service to the network perimeter and uses IPsec rather than PPTP.
-Do you really need a VPN?  VPNs have one major security flaw, they are a wide open tunnel between the corporate network and a remote uncontrolled network.  SBS 2011 by default allows remote desktop access, Outlook Web access, and access to file shares using Remote Web Access, all of which offer more security than a PPTP VPN.
0

SEPCOUSA (Author) Commented:
I am actually getting an error 806.
0
Rob Williams Commented:
I'm old school.  806 is more recent with Vista/Win7  :-)
806 usually indicates blocked GRE where 721 indicates no GRE response.  I'll stick with my 3rd party software suspicion.
0
Question has a verified solution.