VPN Connection Issues

Status
Not open for further replies.
Joined
Nov 12, 2003
Messages
6
Location
US
I have set up a Windows 2003 Server as a VPN Server and am able to successfully connect and authenticate from within the network. However, the client that counts (a roaming user with a wireless ISP connection) gets to the point of verifying the username and password and it says it can not connect. My firewall is configured to pass PPTP traffic to the VPN Server and if I block it off the VPN client returns a different error message. What could be preventing me from connecting successfully?

-newbie
 
I do not have a good answer because I have exactly the same problem. I get two different error messages: when I try to log on from outside I get Error 628, but when I try to log on from a local machine but through the internet I get Error 721.

As "number2jcb" says, I can log on through my LAN using the IP address instead of the domain name and I have no problem.

I am monitoring this thread, maybe I also get some good advice.





 
Robert, the error message is number 619 (A connection to remote could not be established so the port used for this connection was closed). The more info section doesn't really help that much, except it says that a firewall or NAT device may not be functioning correctly. Thanks for the help.
 
I have the same problem as well and I am using WinNT 4 RAS. It was quick and easy to set up, what can I say. Anyway I have users VPN'ing in all the time except for one person. I have a feeling that an ISP route is blocking port 1723 on one of their routers. I say this only because I had the end user use a dial-up connection to UUNet and he VPN'ed in fine. It is his high speed connection that won't let him in. I would love to have him do a trace route of sorts to my VPN server but do it via port 1723 to see where it dies. Then I could call that provider. By the way he can telnet to port 1723 on my VPN server. Anyone know of a utility that can do that? Unix traceroute allows you to pick a port but I need a W2K compatible utility for this guy.
 
Hi all,

miklos43: Error 628 could be a connection issue. Can you ping it? Error 721 in the LAN could be a DNS issue.

number2jcb: Error 619 could be a security issue. Quoted from
Error 619: 1. The port was disconnected (or Error 645, Dial-Up Networking could not complete the connection to the server and Error 930, The authentication server did not respond to authentication requests in a timely fashion. The Event Viewer shows: Event id: 20073, Description: The following error occurred in the Point to Point Protocol module on port: port number, UserName: user name. The authentication server did not respond to authentication requests in a timely fashion). When using VPN to access a remote network, W2K clients may get the above errors but not Win9x and ME clients. This issue occurs because the VPN server hasn't registered in Active Directory.
2. You get this message when connecting via cable modems, dial up DOESN'T have any issues.

Resolution: 1) This problem most likely is a security issue such as an unsecured password. So, check the settings.
2) It could be a hardware issue. Try to re-setup the device or download the new driver or just reset the devices such as modem and router.
3) Reapply the service pack
4) If the RRAS is in a domain network, add the VPN to the appropriate group. To do this, go to Active Directory Users and Computers>domain name>Users, double-click the RAS and IAS Servers security group. Select the members and add the VPN server to this group. 2) Type netsh ras add registeredserver at a command prompt (registeredserver is vpn server name), and then press ENTER.

furbs110: If other vpning works, I would focus on the client side. By the way, what's the error code?



Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
 
ChicagoTechNet,
Sorry I thought I put the Error Code in my post. It is Error 619 on the client (Port in use). I will also add that I get Event ID 20077 in Source RemoteAccess "PPP negotiation not converging" on the VPN Server. The gets all the way to the point of authentication when the connection is dropped.

I did find another thread on another forum (Sorry Tek-tips) during my research that somewhat resembles what we have all been talking about. Here is the link: and it follows along your recommendations, Chicago. For instance rebooting the other devices. Perhaps you have a twin you don't know about :) The thread also brings up an interesting question regarding Norton AntiVirus. This user does in fact have it on his machine but then so do my other users. I have asked the remote guy to reboot all devices to see what happens. Disabling Norton will be my next test.

Thanks for the timely reply
furbs
 
Update to Dec 4, 2003:
Rebooting all devices didn't do it. Disabling Norton is next. Waiting to hear back from the end user. I'll keep everyone up to date. I'm still toying with the idea that a router is blocking port 1723 somewhere along the way. Anyone know of a way to prove that?

Thanks to all
-furbs
 
Update to Dec 4 and 5:

Disabling Norton didn't do it either. Put a call into his ISP to check their peers to see if there is any port blocking going on along their route. ISP is Charter Communications. Don't know anything about their service. Anyone have any experience with them, good or bad?
 
Any chance you're running W2K that has been upgraded to SP4 on the client?
 
As a matter of fact I think it is an SP4 client whereas the others (that can get in) are SP3.

What do you know about SP4 and VPN issues ?????? I'm on the edge of my seat.

-furbs
 
I'm afraid it's more a matter of what I don't know.

Had similar problems with several SP4 machines. 619 errors as well as 1717 errors at times. Googled myself nearly to death, including newsgroup searches. Even had someone translate a thread from French for me. Found several people with the same error, although none were in enough detail to determine if the actual cause was the same. Didn't find any solutions. Microsoft has nothing in KB, MSDN, Technet or otherwise.

The problems that I have seen are caused by RASPPP being fired with an invalid parameter (I think). Still not entirely sure why, I'm guessing that somewhere in the SP4 upgrade the miniports are enumerated improperly. (If that doesn't make any sense, don't worry. Doesn't really get you any closer to a fix, anyway.)

I have found that removing SP4 and regressing to SP3 eliminates the problem. SP4 was a must for me, other needed software wouldn't run on SP3, so I dug for a fix. Long and short, the only real solution I found was to install W2K fresh (generally from W2K SP2 CD), apply SP4, then apply patches one at a time. Always works fine after the initial SP4, also worked after applying all patches one at a time, but applying several patches at once broke it again. I had to do a full re-install, repair install did not help.

The proper thing to do would have been to open an issue with MS tech support, but I haven't found myself in a position to work through the process yet, due to timing issues. I hope to get a test machine up to specifically recreate the issue, but I'm sure you know how time is.

If you wish to verify that you are having the same problem and not some other configuration issue, you would need to enable logging on the client side. First, open your WINNT folder, then look for a folder named 'tracing'. Open it (if it's there) and delete anything that is already there. Next, open a command prompt and type 'netsh' and press enter. At the 'netsh>' prompt, type 'RAS' and press enter. At the 'ras>' prompt, type 'set tracing * enabled' and press enter. You can close the command window at this point.

Try the connection again. Don't worry that it doesn't connect, just let it go until it errors out the first time then click cancel. Wait a minute or two then restart the computer. When everything is back up, open a command window again and do 'netsh' and 'ras' again. At the 'ras>' prompt, type 'set tracing * disabled' and press enter. Just for good measure, type 'show tracing' and press enter. Should report a list of items, all saying disabled. If you should leave tracing on, you will eat disk space very quickly if you do get the connection running. You can close the command window at this point.

Now, go to the tracing folder mentioned earlier. You should have several log files there. Open PPP.LOG with notepad or another text editor. Look for lines that say 'PCB not found for port xx' several times. Open RASMAN.LOG and look for multiple lines that say 'Queing packet on PCB'. If you have those, you are seeing the same problem. Otherwise, it could be related, but I'm not sure. You may want to enable tracing on a working machine and look at the logs there to get a feel for what you should see. No real good documentation about what should be there or what the errors mean, I'm just making a somewhat educated guess.

If you do have the same problem, my solution, as I said was to do a fresh install, SP4, then patches one at a time. I wasn't real happy with that, due to the work involved, but it seemed to be my only option given the requirements of the project. I feel like there should be another solution, but again everything else that I tried didn't help, and I think I did as well as anyone could without getting MS involved. If you have a bit more time, you may want to try opening an issue with MS, be prepared to submit all of the logs you generated in the tracing folder earlier, not just the two that you looked at -- don't delete them.

Sorry for the lengthy post, but I hate to see you chasing this if it is the same thing.

Good luck!
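
The log check described in the post above, written as an added example that is not part of the thread or any poster's code: it scans a copy of a client's tracing folder (for instance one sent in by a remote user) for the two quoted signatures. The function names, the "at least two lines" threshold and the sample lines are assumptions made for illustration.

```python
import re
from pathlib import Path

# Signatures as quoted in the post ("Queing" is spelled the way the post quotes it).
PPP_SIG = re.compile(r"PCB not found for port\s+(\S+)", re.IGNORECASE)
RASMAN_SIG = re.compile(r"Queing packet on PCB", re.IGNORECASE)
MIN_REPEATS = 2  # assumption: "several" / "multiple" read as at least two lines

def scan_ppp(lines):
    """Count 'PCB not found for port xx' lines, keyed by port."""
    ports = {}
    for line in lines:
        m = PPP_SIG.search(line)
        if m:
            port = m.group(1).rstrip(".,")
            ports[port] = ports.get(port, 0) + 1
    return ports

def verdict(ppp_lines, rasman_lines):
    """'match' needs both signatures repeated; one alone is only 'partial'."""
    ports = scan_ppp(ppp_lines)
    queued = sum(1 for line in rasman_lines if RASMAN_SIG.search(line))
    hits = [sum(ports.values()) >= MIN_REPEATS, queued >= MIN_REPEATS]
    status = "match" if all(hits) else "partial" if any(hits) else "no-match"
    return {"status": status, "ports": ports, "queued": queued}

def read_log(folder, name):
    """Find a log by name regardless of case; a missing file reads as empty."""
    for path in Path(folder).iterdir():
        if path.name.upper() == name:
            return path.read_text(errors="replace").splitlines()
    return []

def scan_tracing_dir(folder):
    return verdict(read_log(folder, "PPP.LOG"), read_log(folder, "RASMAN.LOG"))

# Constructed sample lines: only the quoted phrases come from the post;
# the prefixes and the third PPP line are invented for illustration.
SAMPLE_PPP = [
    "[1200] 10:15:02: PCB not found for port 5",
    "[1200] 10:15:03: PCB not found for port 5",
    "[1200] 10:15:04: unrelated line",
]
SAMPLE_RASMAN = ["[0988] 10:15:02: Queing packet on PCB"] * 2

if __name__ == "__main__":
    print(verdict(SAMPLE_PPP, SAMPLE_RASMAN))
```

A "partial" result means only one of the two logs shows the pattern, which the post treats as possibly related rather than confirmed.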
 
Wow..... Excellent reply. Thank you for all the detail. That will come in very handy. I had read about the netsh in a few different forums and was going to give that a closer look. My biggest hurdle is that the end user is remote, very remote. Although he is somewhat technical he is not easy to work with over the phone as he gets constant interruptions or has a meeting to attend. Short windows of opportunities. Ideally I would love to get the laptop from him to test here to see if the problem exists with his laptop on my test lan. Probably won't happen in the near future. So I think I will drop back to SP3. If I get the chance I can mess with a laptop here, but time isn't a good friend to me. Never around when you need it. No matter what I'll keep this thread current with my findings. It will be a great resource for some poor person with the same problem.

Have a great holiday everyone

-furbs
 
As the original poster of this I should comment, wow, I learned a lot from reading all these responses. I think that my connection issue is related to the wireless service provider. My cable modem at home (through a router) worked without me even having to configure anything. The client is a tablet pc running xp tablet edition so I am pretty sure the sp3->sp4 problem does not apply. I am going to contact the service provider and ask for their current standings on this.
 