Linksys Routers, VPN Connection Issues - HELP!

Karl Burrows

I am having a terrible time trying to connect stores to the home office
server. I can get one store to connect (it started right away), but the
others just time out on the connection (error 630). The details of our
setup are below:
a. The home office runs Windows 2000 Server in a domain. The server also
runs WINS and as a RAS server (not VPN).
b. Server has all updates and patches incl. SP4.
c. We use a Linksys BEFSR41 for our network routing and connecting to an
Alcatel SpeedTouch DSL modem to our ISP, BellSouth.
d. RAS is set up to accept 10 incoming connections for both PPTP and L2TP,
TCP/IP only (no IPX/SPX), simple encryption.
e. All MiniWAN ports are open and available, no RADIUS (basically ran RAS
setup through the wizard and accepted defaults).
f. The router is running DHCP, login with PPPoE and ports 3389, 1723 and
47 forwarded to the server for VPN and Terminal Services.
g. The store computers are running Windows 2000 Pro (recent upgrades from
WinNT) with SP4 and all other updates and patches.
h. Each store consists of one computer connecting to a Linksys BEFSR41
router and then to a Westell modem to BellSouth DSL.
i. The Linksys is set up to detect connection automatically. The Westell
provides the PPPoE connectivity.
j. Each Westell has the address of 192.168.1.254, the Linksys 192.168.2.1
providing DHCP with DNS of 192.168.1.254. No ports forwarded.
k. Clients are set up to obtain IP automatically, no firewalls, only
running TCP/IP for network (no NetBEUI, NetBIOS, etc.).
l. VPN connections for clients were established using New Network
Connection. Default settings were accepted. Tunnel connection is set to
PPTP (not auto detect) and all other defaults for security.
m. All routers have latest firmware (1.45.7).
I have been able to connect one store computer so far. It actually has a v3
router and connected right away with no problems. All others just time out.
I have checked the RAS log and it shows no attempts to connect from these
computers, only the one that could make a connection.

I also tried just removing the router at the store locations and connecting
directly through the DSL modem. Still get timed out on the connection.

I think something is blocking the requests at the home office router and
just can't figure out why they are not connecting.

I am able to connect at home with XP and 2000 behind a Cisco DSL router with
absolutely no problem. There have been some posts on the VPN newsgroups
about this version router only allowing one connection, however, the one
that did connect was one of the last ones I tried to set up, so if it were
first come, first served, it would have been shut out.

Any suggestions or recommendations???? Is it the Westell modems, BellSouth
ISP, other????

Thanks so much!!!!
 
Robert L [MS-MVP]

quoted from http://www.ChicagoTech.net

Error 630 - The port was disconnected due to hardware failure
1. Check that the modem is plugged in, and if necessary, turn the modem off,
and then turn it back on.
2. Check if your modem is being given a bad init string - with a command
that it does not support.
3. Check if another program is already using the modem, or, if the modem or
serial port's resources configuration is incorrect.
4. Reboot your computer and try it again.
5. If that doesn't work, go to Start -> Settings -> Control Panel ->
Modems -> Diagnostics and get More Info from your modem. If it fails, your
modem driver is corrupt and needs to be re-installed.
6. Update the modem drivers.


--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
 
Karl Burrows

It's a DSL modem, so there are no drivers, it's just passing TCP/IP requests
to the WAN.

 
Bill Grant

Is the problem that only one of your sites can connect, or is the problem
that only one can connect at any time? (i.e., if you disconnect the first
connection, can you then connect another?) You need to check whether the
problem is that the "calling" machines are the problem, or whether something
in the path (perhaps the Linksys) limits the number of VPN connections.

 
Karl Burrows

Only one site can connect, period. It was the fourth or fifth I set up. The
others already had problems timing out.


 
 
ppointer

Karl said:
j. Each Westell has the address of 192.168.1.254, the Linksys 192.168.2.1
providing DHCP with DNS of 192.168.1.254. No ports forwarded.

Please try changing one of the Westells to something like 192.168.3.1.
It seems to me you have a collision of LAN IP addresses. If that change
works, then my theory is that you can change all of them to 192.168.3.1.
 
Gilbert Joseph Smith III

If everything else is working correctly try downgrading
the firmware.

I recently had a problem with a VPN setup on a Linksys
BEFSR41. I wanted to connect a Windows Server 2003
laptop, that is connected to the internet via a T-mobile
wireless GPRS Merlin G100 PC card modem (57.6K VPN to
ISP), to a Windows 2000 domain, behind the Linksys router,
via the laptop's Netgear FA411 10/100 PC card NIC and
authenticate to a domain to access domain resources (no
broadband available at this time).

I could have probably gotten this to work by taking the
laptop off the router WAN interface and simply placing it
on the backbone of the router because I could establish a
VPN connection from the internal network to the PDC and
also when directly connected from the laptop (no router)
to PDC's external NIC.

However, I wanted to take advantage of the additional
layer of security (I think?) provided by the router's
separate private IP (Private network IP on the laptop and
a separate private IP network on the router). [Wireless
ISP <-> modem - ICS/ICF - Laptop - Private NET <->
Private NET - Router - 2nd Private NET <-> 2nd private
NET - ISA/RRAS/PDC/SUS/File/Print server (and internal
network access)]

On the laptop I was using ICS/ICF, and ICS provided
Internet to the W2K domain without problem except I could
not authenticate to the domain from the laptop back
through the router. The PDC ran ISA & RRAS so I spent a
lot of time playing with the router, ISA, RRAS and VPN
client settings to no avail. Opening up all the ports and
protocols on the ISA server to permit authentication
directly would have been an administrative burden and
weakened security to the domain's most private asset, my
W2Kpro workstation which also had a personal FW and AV
software installed.

I enabled PPTP Pass-Through and forwarded TCP port 1723.
PPTP uses GRE Protocol 47 (not a port and not TCP or UDP)
and TCP port 1723; therefore, forwarding port 47 TCP or UDP
would not help with a PPTP Client Side VPN connection.
See Microsoft KB articles 241251, 289892, 263925 and
289241. I tried everything and nothing seemed to work.

Finally just before giving up on authenticating to the W2K
domain via the Linksys router, I remembered reading a
thread somewhere that mentioned downgrading the router
firmware. As a last try, I downgraded and I was able to
immediately VPN to the W2K ISA/RRAS and authenticate to
the domain.

The router's internal IP was 192.168.254.1 as advised by
Linksys for VPN connections. The router firmware was
1.44.2z, downgraded from 1.45.7, the most current for the
version 2 router (version 3 uses different firmware). I
unblocked WAN requests, enabled PPTP pass-through,
forwarded TCP port 1723, downgraded the firmware, and
directed the VPN client to the router's WAN IP address, and
all is well.

Also the BEFSR41 can only support one VPN connection at a
time
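
The distinction drawn in the post above (PPTP control traffic is TCP port 1723, PPTP data is GRE, IP protocol 47, which carries no port number), shown as an added example that is not part of the original thread. The packets are constructed samples using documentation addresses, and the rule set mirrors the head-office forward list from the first post; treating all three entries as TCP rules is an assumption.

```python
import socket
import struct

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers (IPv4 header byte 9)
PPTP_CONTROL_PORT = 1723           # PPTP control channel (TCP)
PPTP_GRE_PROTOCOL_TYPE = 0x880B    # enhanced GRE carrying PPP (RFC 2637)


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left 0; only parsing is shown)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp_segment(sport: int, dport: int) -> bytes:
    """20-byte TCP header with SYN set and no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def pptp_gre(call_id: int, seq: int, ppp: bytes) -> bytes:
    """Enhanced GRE header: K and S flags set, version 1, Call ID in the key."""
    return struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_PROTOCOL_TYPE,
                       len(ppp), call_id, seq) + ppp


def classify(packet: bytes) -> dict:
    """Return the fields a NAT router can key on for this packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    info = {"ip_proto": proto, "dst_port": None, "call_id": None}
    if proto in (TCP, UDP):
        info["dst_port"] = struct.unpack("!H", body[2:4])[0]
    elif proto == GRE:
        _flags, ver, ptype, _plen, call_id = struct.unpack("!BBHHH", body[:8])
        if (ver & 0x07) == 1 and ptype == PPTP_GRE_PROTOCOL_TYPE:
            info["call_id"] = call_id
    return info


def forwarded_by(rules, packet: bytes) -> bool:
    """A port-forward rule (l4, port) can only match TCP or UDP packets."""
    info = classify(packet)
    l4 = {TCP: "tcp", UDP: "udp"}.get(info["ip_proto"])
    return l4 is not None and (l4, info["dst_port"]) in rules


def audit_pptp(rules, gre_passthrough: bool) -> list:
    """List what a router config is missing, or carrying uselessly, for PPTP."""
    findings = []
    if ("tcp", PPTP_CONTROL_PORT) not in rules:
        findings.append("missing: TCP 1723 forward (PPTP control channel)")
    for l4, port in sorted(rules):
        if port == GRE:
            findings.append(f"no effect: {l4}/47 is a port rule; "
                            "PPTP data is IP protocol 47 (GRE)")
    if not gre_passthrough:
        findings.append("missing: GRE / PPTP pass-through for the data channel")
    return findings


# Constructed sample data. The rule set mirrors the head-office list in the
# thread (3389, 1723 and 47); treating all three as TCP rules is an assumption.
RULES = {("tcp", 3389), ("tcp", 1723), ("tcp", 47)}
CONTROL = ipv4(TCP, "203.0.113.10", "198.51.100.7", tcp_segment(1045, 1723))
DATA = ipv4(GRE, "203.0.113.10", "198.51.100.7", pptp_gre(0x2A01, 1, b"\xff\x03"))

if __name__ == "__main__":
    for name, pkt in (("control", CONTROL), ("data", DATA)):
        print(name, classify(pkt), "forwarded:", forwarded_by(RULES, pkt))
    for finding in audit_pptp(RULES, gre_passthrough=False):
        print(finding)
```

The data packet exposes only a Call ID, not a port, so no port-forward entry can match it; the router has to handle GRE itself through its PPTP pass-through setting.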
 
Bill Grant

The last line says it all.

 
Karl Burrows

One connection at a time I can work around, but I can only connect from one
remote client. I can connect from other computers (home, LAN, etc.) with no
problems. The issue is something is blocking the incoming connection on
these particular connections. It either has something to do with the
upgrade from NT to 2000 or I am missing something in the DUN part of 2000 or
something.

I don't think the IP has anything to do with it. I tried the 192.168.254.1
and that didn't work either. The current network at the client doesn't
match the home office IP either (office 192.168.1.0 and remote is
192.168.2.0). I tried connecting directly through the modem from the
clients (without using the Linksys router) and it wouldn't connect either.

Any other thoughts? I have set up the Linksys/DSL connections with other
servers (2 similar setups) with no problems connecting from anywhere.

 
