Incoming VPN issues...works for some, but not all.

Mark R.

I have a native mode W2K AD environment. On the perimeter
is a PIX 515 (sorry, not ISA Server, yet) as my
perimeter defense. The PIX also does P-NAT for our office.
On the inside LAN I have a W2K member server that only
exists to provide incoming VPN authentication and DHCP to
requestors. On the PIX is a static route and access list
that moves all PPTP/GRE traffic into the network to the
VPN server for authentication. However, here is the issue.
Only some users are allowed authentication, and then they
only remain connected for about a minute and a half. The
ones that never connect get all the way to "verifying
username and password", it sits there for about 30
seconds, then the "error 721" box pops up telling you that
the "remote computer did not respond...yadda, yadda". The
event logged on the VPN server for the clients that
successfully connect and are dropped shortly thereafter is
a happy message about being logged off because of user
request (sorry, don't have the exact event id). We've
tried both W2K and XP clients, with encryption on and off
with the same results. Also, the users that can connect
can do it from pretty much any machine, while the ones
that cannot connect are in the same boat (cannot connect
from anywhere). We're not doing any fancy-schmancy
VLANning or weird layer 3 switching (I hope...will have to
check further up the food chain on that one).
Anyhow...sorry to ramble. Lemme know if there are ideas
out there.

Mark
 
Robert L [MS-MVP]

First of all, why do you use PIX as VPN server? Quoted from
http://www.ChicagoTech.net
Error 721: Remote PPP peer or computer is not responding. If you have tried
many things other people suggest like rebooting, reloading hardware and
re-installing the VPN or dial in connection, you still get the same problem.
I will suggest to check the router settings and make sure TCP Port 1723, IP
Protocol 47 (GRE) are opened. Also make sure that the router has the PPTP
enabled and no firewall blocks the traffic. On the RAS server, check the
DHCP settings.

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
 
Mark R.

Robert,
Thanks for the response. Those ports (PPTP & GRE) are
both being forwarded by my PIX to an internal RRAS server
for authentication. The issue I am running into is that
some people can and some people cannot use the incoming
VPN line. I'm trying to troubleshoot any issues which
would be causing this. So far I've:
- checked all user attributes in AD
- checked the incoming RRAS policy
- double-checked the routing (gateway, etc.)
- confirmed that DHCP is being passed through
- etc., etc.
I think I've covered my bases with this, but I'm open to
any suggestions.
 
Bill Grant

Have you checked whether the clients who cannot connect are behind a
router/firewall which blocks GRE? Even a personal firewall on the client
will do it.
 
