Re: Mysterious VPN Errors
From: Phillip Windell (_at_.)
Date: 03/10/04
- Next message: Richard Rickard: "Cisco VPN and ISA 2000"
- Previous message: Johnny X: "Re: VPN Authentication Problems"
- In reply to: Boris Nikolaevich: "Mysterious VPN Errors"
- Next in thread: Boris Nikolaevich: "Re: Mysterious VPN Errors"
- Reply: Boris Nikolaevich: "Re: Mysterious VPN Errors"
Date: Wed, 10 Mar 2004 14:41:44 -0600
If your Firewall is performing NAT for the system and all your servers &
workstations are behind it, then the firewall must be the VPN Server and not
your Windows Machine that is behind it. Your Windows Server may do the job
fine for internal users because they can directly contact it, but from the
outside users cannot do this and can only connect directly to the Firewall,
hence the Firewall must be the "VPN Server" for them.

This also means that you could also use the firewall as the VPN Server for
internal users as well since there would be no real point in having two VPN
Servers. If you wanted the Windows Server to be the VPN Server then you
would have to throw out the firewall and the Windows Server would replace it
and become the firewall.

It comes down to this: whatever you want to use for the VPN Server must be
*directly* accessible to all users that need to use it.

We have a similar setup here and we use the Firewall box as the VPN Server.
We connect about 20 other sites full time 24-7. Our LAN Router is the
Default Gateway of *all* the machines, and then the Router uses the Firewall
box as its Default Gateway. This allows all the users to connect to the
remote LANs across the VPN without even being aware that it exists.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Boris Nikolaevich" <boris@nikolaevich.mailshell.com> wrote in message
news:OHqQ6VmBEHA.3284@TK2MSFTNGP09.phx.gbl...
> Hi all,
>
> I'm having a real headache of a time with VPN on Windows Server 2003. I
> don't even know where to begin troubleshooting, but I'll give as much
> relevant information as I can and hopefully you'll know what questions to
> ask me so that I can add any additional information you need. Thanks for
> taking the time to read and help!
>
> The VPN Server (ZARYA) is Windows 2003.
> The Domain Controller (VOSKHOD) is Windows 2003.
> There is a workstation (SPUTNIK1) running Windows XP Professional.
> The remote client (SPUTNIK2) is a notebook running Windows XP Professional.
> All are members of the domain SOYUZ.
>
> I added "VPN Server" as one of the server roles through the Manage Your
> Server wizard on ZARYA.
>
> I tested the VPN connection internally from SPUTNIK1 and had no problem
> connecting, authenticating, and having the computer registered on the
> network.
>
> When I try to connect remotely with SPUTNIK2 (usually from home) I get one
> of the following situations:
> a) The connection is made successfully and authentication completes normally
> b) The connection is made, but times out with the progress indicating
> "Verifying username and password..."
> c) The connection is made, and after several minutes at "Verifying username
> and password..." I get a message that my credentials couldn't be verified.
> After re-entering my username and password, connection and authentication
> complete normally.
> d) The connection is not made, with an error that the VPN server could not
> be contacted.
>
> Unfortunately, situation "a" happens infrequently and inconsistently. On
> the server side, situations "b" and "c" produce one of the following entries
> in the System log:
>
> ==============
> Event Type: Warning
> Event Source: RemoteAccess
> Event Category: None
> Event ID: 20049
> Date: 3/9/2004
> Time: 8:53:30 PM
> User: N/A
> Computer: ZARYA
> Description:
> The user connected to port VPN1-1 has been disconnected because the
> authentication process did not complete within the required amount of time.
> ==============
> Event Type: Warning
> Event Source: RemoteAccess
> Event Category: None
> Event ID: 20189
> Date: 3/9/2004
> Time: 8:53:58 PM
> User: N/A
> Computer: ZARYA
> Description:
> The user SOYUZ\boris connected from 555.555.555.555 but failed an
> authentication attempt due to the following reason: Authentication was not
> successful because an unknown user name or incorrect password was used.
> ==============
>
> Note that in every situation, I am entering the same (correct) username and
> password.
>
> One of the things I came across in trying to figure this out was the
> suggestion that error 20049 is often caused by firewall settings--i.e.
> ports required for VPN are blocked by my firewall. While I've been pretty
> aggressive about restricting unnecessary ports, I'm fairly certain that I've
> got everything that needs to be open is open on my end, and my ISP (since
> I'm connecting from home) swears that they're not blocking anything.
> [Maybe, just as a favor, someone could verify the ports that I need to have
> open on my office firewall, in case that's part of the problem.]
>
> I've put a lot of effort into figuring this out, and I'm getting pretty
> frustrated about the whole affair. Part of the problem is that I'm not a
> network admin of any sort--I'm a developer, a programmer, an MCSD, a DBA...
> you get the idea. This network is supposed to be my development and testing
> environment. But administering the network is not just taking my time, it's
> over my head!
>
> Thanks for any assistance you can give.
>
> --Boris Nikolaevich
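
An added example, not part of the original thread or written by either poster: a small Python triage script that parses RemoteAccess entries in the text layout quoted above and pairs each 20049 timeout with a 20189 rejection that follows shortly after, so the two can be reviewed together instead of as an isolated bad-password event. The function names and the two-minute window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Abridged copy of the two System log entries quoted in the post (some header
# fields dropped and wrapped description lines joined to keep the sample short).
SAMPLE = r"""
==============
Event Source: RemoteAccess
Event ID: 20049
Date: 3/9/2004
Time: 8:53:30 PM
Description:
The user connected to port VPN1-1 has been disconnected because the authentication process did not complete within the required amount of time.
==============
Event Source: RemoteAccess
Event ID: 20189
Date: 3/9/2004
Time: 8:53:58 PM
Description:
The user SOYUZ\boris connected from 555.555.555.555 but failed an authentication attempt due to the following reason: Authentication was not successful because an unknown user name or incorrect password was used.
==============
"""

def parse_events(text):
    """Split the export on its ===== separators; one dict per event."""
    events = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        head, found, desc = block.partition("Description:")
        if not found:
            continue
        ev = dict(re.findall(r"^([\w ]+):[ \t]*(.*?)[ \t]*$", head, flags=re.M))
        ev["when"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
        ev["desc"] = " ".join(desc.split())
        events.append(ev)
    return sorted(events, key=lambda e: e["when"])

def rejected_after_timeout(events, window=timedelta(minutes=2)):
    """Pair each 20049 (timeout) with the next 20189 (rejected) within `window` (assumed)."""
    pairs = []
    for i, ev in enumerate(events):
        for nxt in events[i + 1:] if ev["Event ID"] == "20049" else []:
            if nxt["when"] - ev["when"] > window:
                break
            m = re.search(r"The user (\S+) connected from (\S+)", nxt["desc"])
            if nxt["Event ID"] == "20189" and m:
                pairs.append((nxt["when"] - ev["when"], m.group(1), m.group(2)))
                break
    return pairs
```

Each returned tuple holds the gap between the two events, the account name and the source address as logged; on the sample it yields one pair 28 seconds apart.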