Re: Repost - Unable to authenticate a VPN

From: David Copeland [MSFT] (davidcop_at_online.microsoft.com)
Date: 03/19/04 

Date: Fri, 19 Mar 2004 11:00:30 -0600

Mark,

Yes, Thanks I did get the trace.. looking at it I didn't see any of the name
resolution to find the server (assuming it was attempting to connect by
name) and only saw LCP traffic.. and no GRE type traffic.. Currently
setting up a repro.. at least from that trace.. it appears to be missing a
significant amount of expected traffic to create the vpn. 

-- 
Hope that helps,
David Copeland
Microsoft Small Business Server Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Newsgroups:
SBS v4.x : microsoft.public.backoffice.smallbiz
SBS 2000: microsoft.public.backoffice.smallbiz2000
SBS 2003: microsoft.public.windows.server.sbs
"MarkC" <mark@mrccit_nospam.com> wrote in message 
news:OXSCkHdDEHA.688@tk2msftngp13.phx.gbl...
> Done.  Sent you the email.  Let me know if you did not get it at mark @
> techcareteam.com  (remove spaces)
> "David Copeland [MSFT]" <davidcop@online.microsoft.com> wrote in message
> news:OFZ%23n6RDEHA.3080@TK2MSFTNGP10.phx.gbl...
>> Mark,
>>
>> Ok, can you install the support tools from the XP cd and then if we can
> get
>> a network trace of the machine attempting to make the VPN connection 
>> using
>> the connection manager client..
>> To install the support tools go to the following directory on the XP cd
>> \support\tools and then run the setup.exe
>>
>> Once the tools are installed then we will need to run netcap to get the
>> trace.. You should be able to run netcap /? from the \program
> files\support
>> tools directory to make sure we make the buffer size large enough using
>> /B:10  /C: to specify the filename and /N: to make sure we get the right
>> nic..
>>
>> On the client from a command prompt
>> nbtstat -R
>> ipconfig /flushdns
>>
>> Once you have the trace started, then run the connection manager ... once
>> you get the error stop the trace.
>>
>> Once you get the trace if you could email me a copy I will take a look at
> it
>> to.. To email me you will need to remove the "online." from my address.
>>
>> -- 
>>
>> Thanks,
>> David Copeland
>> Microsoft Small Business Server Support
>>
>> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>>
>> Newsgroups:
>> SBS v4.x : microsoft.public.backoffice.smallbiz
>> SBS 2000: microsoft.public.backoffice.smallbiz2000
>> SBS 2003: microsoft.public.windows.server.sbs
>>
>>
>> "MarkC" <mark@mrccit_nospam.com> wrote in message
>> news:eE1KNsRDEHA.2308@tk2msftngp13.phx.gbl...
>> > Hi David,
>> > That is exactly what I did.  The address resolves fine.  The connection
> I
>> > make from the conection manager works fine.  It's the SBS created
>> > connection
>> > that fails.
>> > Thanks,
>> > Mark
>> >
>> >
>> > "David Copeland [MSFT]" <davidcop@online.microsoft.com> wrote in 
>> > message
>> > news:eCh9NoRDEHA.3404@TK2MSFTNGP10.phx.gbl...
>> >> Mark,
>> >>
>> >> Sorry, missed that it was from an internal client.. but just to be
> sure..
>> >> does the name server1.ACME.com  resolve to the internal or external IP
>> >> address?
>> >>
>> >> On the client can you make a new vpn connection and specify the
> server's
>> >> internal IP address (to try and rule out any issues with the 
>> >> connection
>> >> manager/configuration)
>> >>
>> >>
>> >>
>> >> -- 
>> >>
>> >> Hope that helps,
>> >> David Copeland
>> >> Microsoft Small Business Server Support
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> > rights.
>> >>
>> >> Newsgroups:
>> >> SBS v4.x : microsoft.public.backoffice.smallbiz
>> >> SBS 2000: microsoft.public.backoffice.smallbiz2000
>> >> SBS 2003: microsoft.public.windows.server.sbs
>> >>
>> >>
>> >> "MarkC" <mark@mrccit_nospam.com> wrote in message
>> >> news:%23enINhRDEHA.3472@TK2MSFTNGP09.phx.gbl...
>> >> > Hi David,
>> >> > That is what I did (see my message below).  The results below are
>> >> > internal.
>> >> > This server isnt's running ISA either.  The only thing between the
> test
>> >> > client and the server is a switch.
>> >> >
>> >> > "David Copeland [MSFT]" <davidcop@online.microsoft.com> wrote in
>> >> > message
>> >> > news:O9XQLcRDEHA.3256@TK2MSFTNGP09.phx.gbl...
>> >> >> Mark,
>> >> >>
>> >> >> Getting the error 721 and timing out when trying to authenticate 
>> >> >> the
>> >> >> username/password typically is a sign that IP Protocol 74 (GRE) is
>> > being
>> >> >> blocked somewhere between the VPN client and the server..  As a
> quick
>> >> >> test
>> >> >> just to see if there appears to be a problem on the server.. can 
>> >> >> you
>> > try
>> >> >> making a VPN connection from an internal client to the server's
>> > internal
>> >> > IP
>> >> >> address using the same username/password.. If that works.. 
>> >> >> depending
>> >> >> on
>> >> > your
>> >> >> network configuration.. you might setup a machine on the external
> side
>> > of
>> >> >> the server, but inside of any router/firewall that may connect your
>> >> > network
>> >> >> to the Internet and see if you can still VPN in..
>> >> >>
>> >> >> Some router/firewall devices may have an option of something like
> PPTP
>> >> >> helper that needs to be enabled to allow the GRE packets in..
>> >> >>
>> >> >> -- 
>> >> >>
>> >> >> Hope that helps,
>> >> >> David Copeland
>> >> >> Microsoft Small Business Server Support
>> >> >>
>> >> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> > rights.
>> >> >>
>> >> >> Newsgroups:
>> >> >> SBS v4.x : microsoft.public.backoffice.smallbiz
>> >> >> SBS 2000: microsoft.public.backoffice.smallbiz2000
>> >> >> SBS 2003: microsoft.public.windows.server.sbs
>> >> >>
>> >> >>
>> >> >> "MarkC" <mark@mrccit_nospam.com> wrote in message
>> >> >> news:%23uCTiZRDEHA.3788@TK2MSFTNGP10.phx.gbl...
>> >> >
>> >> >> >I just tried the SBS VPN client again from a computer within the
> LAN
>> > and
>> >> >> > this is my error (some info changed for privacy reasons).  I can
>> > create
>> >> > a
>> >> >> > VPN connection with the XP Wizard
>> >> >> > and it connects fine.  I have rechecked my configuration several
>> > times
>> >> > but
>> >> >> > can't seem to pinpoint the cause of this.
>> >> >> >
>> >> >> > [cmdial32] 10:33:49 04 Pre-Connect Event ConnectionType = 1
>> >> >> > [cmdial32] 10:33:49 06 Pre-Tunnel Event UserName = jdoe Domain =
>> >> >> > ACME
>> >> >> > DUNSetting = Connect to Small Business Server Tunnel DeviceName =
>> >> >> > TunnelAddress = server1.ACME.com
>> >> >> > [cmdial32] 10:34:26 20 On-Error Event ErrorCode = 721 ErrorSource
> =
>> > RAS
>> >> >> >
>> >> >> > Different error than last time but still no solution in sight.
> Any
>> >> >> > help
>> >> >> > would be awesome!
>> >> >> > Mark
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > "Jim Behning SBS MVP" <jimbehingmvp@mindspring.com> wrote in
> message
>> >> >> > news:2m3i501g61es1cbsuvqgv5v90cf2nlfk4t@4ax.com...
>> >> >> >> Your routers need to pass 47 gre aka pptp or things will not
> work.
>> >> >> >> I
>> >> >> >> test from my house where I can vpn into any properly configured
>> >> >> >> SBS.
>> >> >> >> If one account does not work then I have something to clear up 
>> >> >> >> on
>> > that
>> >> >> >> SBS or on their router.
>> >> >> >>
>> >> >> >> "MarkC" <mark@mrccit_nospam.com> wrote:
>> >> >> >>
>> >> >> >> >Now I have two other tid-bits to add. I tried creating my own
> VPN
>> >> > client
>> >> >> > and
>> >> >> >> >it works fine internally but not exteranlly.  What was that
>> >> >> >> >earlier
>> >> > post
>> >> >> >> >about opening GRE 47?  I'm sorry but I'm not familiar with GRE
>> > 47...
>> >> >> >> >
>> >> >> >> >Go figure, looked on the server for a log but I never thought 
>> >> >> >> >to
>> > look
>> >> > at
>> >> >> > the
>> >> >> >> >client.
>> >> >> >> >
>> >> >> >> >Here is what I found from the SBS created VPN client on the 
>> >> >> >> >same
>> > lan:
>> >> >> >> >
>> >> >> >> >[cmdial32] 10:33:52 21 On-Error Event ErrorCode = 628
> ErrorSource
>> >> >> >> >=
>> >> > RAS
>> >> >> >> >
>> >> >> >> >Thanks,
>> >> >> >> >Mark
>> >> >> >> >
>> >> >> >> >""Chris Ard [MSFT]"" <ChrisArd@online.microsoft.com> wrote in
>> > message
>> >> >> >> >news:50If0nEDEHA.3464@cpmsftngxa06.phx.gbl...
>> >> >> >> >> So on a client on the internal LAN it does the same thing?
> What
>> >> > error
>> >> >> >> >> message does it return when it times out?
>> >> >> >> >>
>> >> >> >> >> Chris Ard
>> >> >> >> >> Small Business Server
>> >> >> >> >> Enterprise Platforms Support
>> >> >> >> >>
>> >> >> >> >> This posting is provided "AS IS" with no warranties, and
> confers
>> > no
>> >> >> >> >rights.
>> >> >> >> >>
>> >> >> >> >
>> >> >> >>
>> >> >> >> Jim B. SBS  MVP
>> >> >> >> remove the mvp to send email
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>