VPN tunnel with XP Home on remote end can't connect to server in App Mode

jheinzel

I have a VPN tunnel set up to a remote office. I can connect to our
Citrix servers fine using the XP Pro machines, but the XP Home machines
don't connect at all. They will however connect to WIN2K servers
running in remote admin mode. I'm pretty sure this is a license issue
having to do with XP Home, but shouldn't these machines just get one
of the available CALs and connect? Or is there more I need to configure
due to the VPN and them not being part of my domain? We have lots of
Win98 and even some Linux thin clients in our network that connect
fine. So I know we have licenses available.

Thanks in advance.
 
Vera Noest [MVP]

Which error message do you get when you try to connect?
Is there anything in the EventLog on the Citrix server?
Do you have this connectivity problem with both the rdp and the ica
client?
Are you running the latest rdp client?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 28 maj 2006 in
microsoft.public.win2000.termserv.clients:
 
jheinzel

Yes I get error 1004 on the Citrix Servers.

Event Type: Warning
Event Source: TermService
Event Category: None
Event ID: 1004
Date: 5/30/2006
Time: 2:28:02 PM
User: N/A
Computer: TC-CITRIX2
Description:
The terminal server cannot issue a client license.

It will not connect via the RDP client either. I am running the latest
version of both the Citrix ICA client and RDP client. I can connect to
other servers, just not the ones that require a TSCAL. I've tried
setting up a LMHOST file for my domain controller and that didn't seem
to work either.
 
Vera Noest [MVP]

OK, so that confirms that it is a licensing issue.
First of all, please check in the TS Licensing Manager that you
have free *purchased* TS CALs available. The fact that other
clients can connect doesn't necessarily mean that you have a free
license available for this client.

Assuming that you do have a free license available, there are a
couple of reasons why it can't be transferred to this client:

1. the user doesn't have at least Full Control permission to the
registry key on the client which stores the license, which is:
HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing

2. there might be a black hole router between your client and the
TS, which blocks packets above a certain size. This prevents the
transfer of the permanent TS CAL to the client (on first
connection, the client gets a temporary license, on second
connection, it gets a permanent license).
If this is the problem, you have to change the MTU size. Check the
Terminal Services FAQ, there are 2 items about this under
"Connectivity"
http://www.microsoft.com/windowsserver2003/community/centers/terminal/terminal_faq.asp

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 30 maj 2006 in
microsoft.public.win2000.termserv.clients:
 
jheinzel

I do have licenses available, I checked the permissions on the registry
key and they weren't set for full control on the user that was logged
in. I'm in a remote office but I'll try it logged in as the straight
Administrator account. There are two routers between them and us, one
is the cable modem with a built-in router. The second is a Linksys
BEFSX41 which is in the first router's DMZ. MTU is disabled on the
Linksys.
 
jheinzel

I'm looking at my Terminal Services Licenses and I see the desktops
listed under Temporary Licenses and then the Pro machine that won't
connect under Existing and Temporary. I can't for the life of me figure
out why these won't connect.
 
Vera Noest [MVP]

Pro? I thought we were talking about Home edition?
Have you done the ping test to check if there is a problem with the
MTU size?

Have you checked if there is a firmware update for your LinkSys
router? I know that some versions of the firmware contained a
problem with UPnP, which caused data encryption errors, making an
rdp connection impossible.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 31 maj 2006 in
microsoft.public.win2000.termserv.clients:
 
jheinzel

I did upgrade the firmware. I have tested for the MTU size, results are
as follows:

Pinging 172.16.100.20 with 1472 bytes of data:

Reply from 172.16.100.20: bytes=1472 time=159ms TTL=58
Reply from 172.16.100.20: bytes=1472 time=630ms TTL=58
Reply from 172.16.100.20: bytes=1472 time=158ms TTL=58
Reply from 172.16.100.20: bytes=1472 time=162ms TTL=58

Ping statistics for 172.16.100.20:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 158ms, Maximum = 630ms, Average = 277ms

It was only Home machines, but now I found a Pro machine doing
something similar, but not the exact same thing. I can't connect via
ICA or RDP with it or the home machines. But at the same location I
have other machines that can connect via ICA (Pro machines).

They were connected previously via the VPN client before the Linksys
was put in and a tunnel set up.

MTU is disabled on the Linksys. I'm not sure about the SMC (Cable
Modem/router), but since I can pass the 1472 packets but nothing
higher, do I need to enable and increase it?
 
Vera Noest [MVP]

No, your ping test shows that the MTU size is not the problem.
I'm beginning to get stumped, I must say.
How about the permissions on the MSLicensing key? Can you confirm
that the problem also exists when you login as local Administrator
on the clients?
And which OS is your TS and your LS running?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 01 jun 2006 in
microsoft.public.win2000.termserv.clients:
 
jheinzel

I'm running Win2000 Pro on the servers. I checked the registry keys and
all seemed ok, I also logged in as administrator with the same results.

I am going to the location on Monday and I hope I can get this running,
as I too am stumped. The fact that one Pro machine won't work, but two
others will and no Home machines will confuses me.

The only thing I can think of is that the machines that have connected
fine, including those at my house, have all connected to our network
via a VPN client rather than a tunnel prior to this. The ones that
won't connect now, have never connected to us before either. So I
wonder if while I'm on location I bypass all VPN tunnels etc and just
install the VPN client on the machines that won't connect and try that
first, then try it after the tunnel is reconnected that might work.
Just an idea.
 
Vera Noest [MVP]

If there's a problem with the permissions on the MSLicensing
registry key, it's on the client, not on the server.
The client stores the license locally in the MSLicensing key. If
users don't have Full Control on the MSLicensing key on the client,
they can't store the TS CAL, and thus are refused a connection.

But if you have the same problem when logging on to the client
machines as local Administrator, you should have sufficient
permissions to store the license.

Let us know how it goes next week.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 02 jun 2006 in
microsoft.public.win2000.termserv.clients:
 
jheinzel

I'm onsite, and when I do a ping -l 1372 -f 192.168.146.43 (Citrix
Server) I get a "packet needs to be fragmented, but DF set".

I can successfully ping at 1272, this seems to be an MTU issue, correct?
I'm going to start looking into that now. Please let me know if you
agree and any advice you can give. Thanks!
 
jheinzel

Also as if things weren't strange enough, I have my laptop here which I
use daily at the office. I cannot connect to Citrix via the VPN tunnel,
but if I enable the VPN client I can. I'm on XP Pro and obviously have
a valid license. So it seems of all the machines in this building only
two are able to connect using the VPN tunnel and the rest are not able.
The two in question do have XP Pro.
 
Vera Noest [MVP]

The problem seems to be something with your LinkSys router, but
I've no idea what exactly.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 05 jun 2006 in
microsoft.public.win2000.termserv.clients:
 
jheinzel

Well after all that, doing the same things over and over again, I
finally got it working today on all Home and Pro machines. I don't know
if it was a combination of issues or just one, but I did the following
today:

Set the MTU at 1300 on the Linksys as the ping tests showed it to be
set at that on our network.

Booted each machine in safe mode as Administrator, deleted the
MSLicensing registry key, rebooted, installed VPN client (Watchguard)
just for backup reasons, upgraded the ICA client and then rebooted
again into Safe Mode with networking, logged into Citrix (sometimes it
didn't work and required another reboot for some reason). Safe mode as
Administrator seemed to get the license properly.

I did not config these machines prior to this so there could have been
any number of reasons why this didn't work, but I'm just glad I got it
going. Thank you so much for all your advice...it really did help.
 
Vera Noest [MVP]

Great! I'm glad that the problem is finally solved! My guess is
that it was the MTU size which did the trick.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 06 jun 2006 in
microsoft.public.win2000.termserv.clients:
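
The DF-bit ping test used in this thread, automated as a binary search for the largest payload that crosses the tunnel unfragmented (an added example, not part of the original posts). The test only measures path MTU when `-f` is set, because without it oversized echo requests are fragmented and still answered. `windows_df_probe` assumes the Windows `ping` options `-n`, `-f` and `-l`; `simulated_path` is a constructed stand-in so the search also runs offline.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def windows_df_probe(host, payload):
    """Send one echo request with Don't Fragment set (Windows ping syntax)."""
    out = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(payload), host],
        capture_output=True, text=True,
    ).stdout
    # A real echo reply line carries "TTL="; the
    # "needs to be fragmented but DF set" message does not.
    return "TTL=" in out


def largest_df_payload(probe, low=0, high=1472):
    """Binary-search the largest payload size that probe(size) reports as passing.

    Returns None when even `low` fails (host unreachable or ICMP filtered),
    because then the test says nothing about the MTU.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, look for something larger
        else:
            high = mid - 1   # mid is too big for some hop on the path
    return low


def path_mtu(probe):
    """Path MTU in bytes: largest passing payload plus IP and ICMP headers."""
    payload = largest_df_payload(probe)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


def simulated_path(mtu):
    """Constructed stand-in for a tunnel that passes DF packets up to `mtu` bytes."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # e.g. the terminal server's address
    print(path_mtu(lambda size: windows_df_probe(host, size)))
```

A largest passing payload of 1272 bytes corresponds to a 1300-byte path MTU, the value set on the Linksys in the final post.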
 
