Solved

VPN not working

Posted on 2014-09-03
Last Modified: 2014-10-29
My organization uses VPN for their outside sales staff to log into home office.  About 6 months ago, before my time, VPN just stopped working.  We have verified with AT&T that the proper ports are open on the router and verified that the firewall settings have not changed.  We are running SBS 2011 for our server and have attempted several times to use the wizard to set up VPN.  Any thoughts?
Question by:SEPCOUSA
 
LVL 15

Expert Comment

by:Perarduaadastra
I take it that all remote users were affected at the same time?

What errors do you get when using the SBS wizard? What router are you using?

As the VPN is inoperative anyway why not just delete it and create another one?
0
 

Author Comment

by:SEPCOUSA
Yes, all the remote users were affected at the same time.  The only error I get when using the wizard is that "The server cannot open ports on the router.  You must manually open port 1723 and point it to the IP address of the server."  We have tried deleting the VPN, rebooting the server and starting the service again.  The router is a CISCO 1900 series.
0
 
LVL 15

Expert Comment

by:Perarduaadastra
What type of VPN are you using? If I remember correctly, port 1723 is used by PPTP, but IPSec uses port 500. Also, ports can be TCP or UDP, and some implementations of VPN use either or both.
0
 

Author Comment

by:SEPCOUSA
We are using PPTP
0
 
LVL 68

Expert Comment

by:Qlemo
You confirmed that the ports are open on the firewall (Cisco). But did you check if they are forwarded to SBS? Maybe the IP of SBS has changed, or the forwarding on Cisco has been removed/lost.
For PPTP also check that protocol 47 (GRE) is open and forwarded to SBS.

The VPN Wizard message isn't an error, just a note. Which error do you get at the client on a connection attempt?
0
 

Author Comment

by:SEPCOUSA
I am getting an Error 800.  We have checked with AT&T and they say the proper ports are open.  We have also checked that the settings on the firewall have not changed.  It stopped working about 6 months ago, before my time, so I am starting in the dark with some of this.
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 167 total points
Sadly, error 800 is generic and doesn't tell any detail. But it always is either of
a) IP not reachable at all
b) GRE issue
c) PPTP issue
You can use MS NetMon or WireShark on SBS with a capture filter for GRE and PPTP to see if and which packets arrive at SBS. You need to see both GRE and PPTP.
0
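The capture check suggested in the answer above, as an added example that is not part of the original thread: a capture taken on the server with the standard capture filter `tcp port 1723 or ip proto 47` is read back and classified, so it is clear whether PPTP control traffic, GRE, both or neither arrived. The verdict labels, helper names and sample frames are constructed for illustration; the parser assumes a classic little-endian pcap file with Ethernet/IPv4 frames.

```python
import struct

PPTP_PORT, TCP, GRE = 1723, 6, 47   # PPTP control is TCP/1723; tunnel data is IP protocol 47
VERDICTS = {(False, False): "unreachable", (True, False): "gre-missing",
            (False, True): "pptp-missing", (True, True): "both-seen"}

def classify(frame):
    """Label one Ethernet/IPv4 frame as 'pptp', 'gre' or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] == GRE:                   # byte 23 is the IPv4 protocol field
        return "gre"
    if frame[23] == TCP and len(frame) >= 14 + ihl + 4:
        ports = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        return "pptp" if PPTP_PORT in ports else None
    return None

def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24                               # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def diagnose(data):
    """Count PPTP and GRE frames and name which half of the tunnel is missing."""
    counts = {"pptp": 0, "gre": 0}
    for frame in read_pcap(data):
        kind = classify(frame)
        if kind:
            counts[kind] += 1
    return counts, VERDICTS[(counts["pptp"] > 0, counts["gre"] > 0)]

# Constructed sample data: documentation addresses, zero checksums, no real traffic.
def make_frame(proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([203, 0, 113, 10]), bytes([192, 168, 1, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def make_pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SYN = make_frame(TCP, struct.pack("!HH", 49152, PPTP_PORT) + b"\x00" * 16)
SAMPLE_PPTP_ONLY = make_pcap([SYN, SYN])   # control channel arrives, no GRE
```

`diagnose(SAMPLE_PPTP_ONLY)` reports the "PPTP but no GRE" case; a result of `both-seen` means the packets reach the server and the cause has to be looked for on the server itself.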
 

Author Comment

by:SEPCOUSA
I just confirmed with the department head and all the ports are being forwarded to the SBS from the firewall.  He also has confirmed that protocol 47 (GRE) is open and forwarded to the SBS as well.  I know of WireShark but am unfamiliar with exactly how to use it, but will research that and let you know the outcome.
0

 

Author Comment

by:SEPCOUSA
We just finished running Wireshark and we are seeing PPTP but not GRE.
0
 
LVL 68

Expert Comment

by:Qlemo
Looks like the Cisco acts on the GRE packets, thinking it's its business - or dismissing them or forwarding to the wrong address. Only a debug on Cisco will reveal that (but don't ask me for instructions, I'm no Cisco'si).
0
 

Author Comment

by:SEPCOUSA
We have actually recently discovered that the PPTP and the GRE packets are getting to the SBS, but VPN is still not working.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 333 total points
I would try from the LAN connecting to the LAN IP of the SBS, not the public IP, using the VPN.  This will confirm if it is a router issue or SBS VPN.  If the SBS, I would run the "fix my network wizard", and also verify there is no 3rd party security software running on the SBS that could be blocking the VPN, such as Symantec.
0
 

Author Comment

by:SEPCOUSA
Thank you Mr. Williams, I will try those this morning and let you know.
0
 

Author Comment

by:SEPCOUSA
I tried to VPN from the LAN and received the same error about GRE.  We ran the network wizard and received a few issues, but one that would pertain to VPN: "Remote access network policy is missing".  We corrected this issue and are still not able to VPN from the LAN.  We do have Symantec running on the SBS box, but it was running on there when VPN was working.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 333 total points
Most often if you have a GRE error that is not related to the router it is due to 3rd party software.  Symantec is notorious.  Often even disabling the security software does not resolve, it requires uninstalling.  I assume the error is not an 800 error at this point?  A GRE error would usually be 721 and sometimes incorrectly a 691.

Alternatively:  
-Is it possible to use the Cisco's VPN capability?  It would perform better and be more secure as it offloads the VPN service to the network perimeter and uses IPsec rather than PPTP.
-Do you really need a VPN?  VPNs have one major security flaw, they are a wide open tunnel between the corporate network and a remote uncontrolled network.  SBS 2011 by default allows remote desktop access, Outlook Web access, and access to file shares using Remote Web Access,  all of which offer more security than a PPTP VPN.
0
 

Author Comment

by:SEPCOUSA
I am actually getting an error 806.
0
 
LVL 77

Expert Comment

by:Rob Williams
I'm old school.  806 is more recent with Vista/Win7  :-)
806 usually indicates blocked GRE where 721 indicates no GRE response.  I'll stick with my 3rd party software suspicion.
0
