PPTP VPN to Windows Server RRAS - Error 720

I have a conundrum with connecting to a Windows Server 2012 Essentials machine using PPTP.  The server is behind a NAT router with port 1723 forwarded through to it.  It's a Draytek router, so it handles the GRE protocol properly etc.  And PPTP connections from the Internet to this server used to work.  However, we don't have to connect to it very often, so I don't know at what stage it broke, or what changed.

When I connect using a Windows 8.1 PC, I get the error "Error 720: A connection to the remote computer could not be established.  You might need to change the network settings for this connection".  Not the most helpful of messages.  I get the same from two different Windows 8.1 PCs, and an iPhone configured as a PPTP client doesn't connect either.  I know the credentials I'm sending are correct, and I've tried the username in the format "domain\username" and in the format "username" as well.

In the System Event Log on the server, I get an error 20255 in RemoteAccess: "CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN3-49, UserName: DOMAIN\username. A connection to the remote computer could not be established.  You might need to change the network settings for this connection."

I've tried configuring RRAS on the server to assign IP addresses from a static address pool, rather than getting them from DHCP, but that didn't help.

The Windows 8.1 client PCs are configured to use MS-CHAP v2 for authentication, and the network policy on the server includes that as an option too.

Anyway, I'm a bit stumped at the moment.  I'm finding it hard to narrow down the problem further.  Any suggestions where I could go from here, please?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I take it you have disabled the built in PPTP server onthe draytek? Click on the VPN and remote access and then Remote Access Control and disable the PPTP service and reboot it.

If that fails or you have already set that then in the clients VPN connection go to security and change it from automatic to PPTP and try that.
wakatashiAuthor Commented:
Hi plug1, thanks for getting back to me on this.  Yes, the built-in PPTP server is disabled on the Draytek (I just checked to make absolutely sure).  And I've tried explicitly setting the VPN type to "PPTP" in the client software, rather than "Automatic", but no go I'm afraid.
Is there any different error on the client event logs, also its worth completely disabling the firewall on the client and trying that.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

wakatashiAuthor Commented:
Actually yes, there is more information in the client Application Event Logs, seems to suggest it's getting quite far on in the process before keeling over:

1. Information Event:

CoId={AC9888D2-A6C9-4549-9C2C-3B375EDFF93E}: The user SYSTEM has started dialing a VPN connection using a per-user connection profile named <Name>. The connection settings are: 
Dial-in User = <domain\username>
VpnStrategy = PPTP
DataEncryption = Requested
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = MS-CHAPv2 
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = 
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No.

Open in new window

2. Information Event:

CoId={AC9888D2-A6C9-4549-9C2C-3B375EDFF93E}: The user SYSTEM is trying to establish a link to the Remote Access Server for the connection named <name> using the following device: 
Server address/Phone Number = <IP Address>
Device = WAN Miniport (PPTP)
Port = VPN16-1
MediaType = VPN.

Open in new window

3. Information Event:

CoId={AC9888D2-A6C9-4549-9C2C-3B375EDFF93E}: The user SYSTEM has successfully established a link to the Remote Access Server using the following device: 
Server address/Phone Number = <IP address>
Device = WAN Miniport (PPTP)
Port = VPN16-1
MediaType = VPN.

Open in new window

4. Information Event:

CoId={AC9888D2-A6C9-4549-9C2C-3B375EDFF93E}: The link to the Remote Access Server has been established by user SYSTEM.

Open in new window

5. Error Event:

CoId={AC9888D2-A6C9-4549-9C2C-3B375EDFF93E}: The user SYSTEM dialed a connection named IAP which has failed. The error code returned on failure is 720.

Open in new window

Disabling the client firewall doesn't help.  I'm able to connect to other PPTP servers with no problems using this PC.  But neither this PC, nor a second one, nor an iPhone are able to connect to this particular server, so I'm suspecting trouble at the server end.
The fact it says its using user "SYSTEM" as opposed to a domain user such as domain\expert doesn't sound right. What credentials are you using? try using the domain administrator account and see how that goes.
wakatashiAuthor Commented:
I am using a domain administrator's credentials that are valid on the PPTP server, and in Event 1 above, it does say on line 2 "Dial-in User = <domain\username>"

(I haven't posted on this forum the actual domain and username I'm using, but I'm confident the credentials I'm using are correct)

When I make other outgoing PPTP connections (that work fine) from this PC, the process is initiated by user SYSTEM as well.  So I fear that might be a red herring.

Is there something you can suggest at the server end, please?  This is the only PPTP server to which I can't connect, and I do have access to several other ones.  Connections to these all work fine.
No worries, a red herring it is then :)

720 refers to no PPP control protocols being configured so what I would do is quickly disable the RRAS server and reconfigure it using the wizard from scratch, it should automatically create everything you need.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
wakatashiAuthor Commented:
Small extra complication - it's Windows Server 2012 Essentials and its "Anywhere Access" feature, rather than straight RRAS.  I had tried its "Repair" option from the Essentials Dashboard already, and that hadn't worked.  

So this time I went into the Network Policy Server admin console and deleted the policy that related to incoming VPNs.  Then ran "Repair" again from the Windows Server 2012 Essentials Dashboard.  That ran fine, and a new Network Policy was created as part of the process.  And that did the trick - incoming PPTP now works!  

So I guess the problem was with the Network Policy.  Strange, since it used to work and I hadn't changed anything.  I guess we'll never know the gory details, but I'm delighted it's working.

Thanks - I owe you a beer next time I'm in Hamilton! (I'm in Edinburgh)
Good stuff, look forward to that pint then mate :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.