Re: VPN connect error 691 help - new postings



Robbin,

I checked with Comcast (my ISP) and they verified that they pass GRE 47. I next went to Linksys (Router BEFSR41) and they said to open port 500 as well as 1723. I did, and now I get a VPN connection, but it is limited and unauthenticated. I am emailing you the screenshots.

Closer. And again thanks for your help. What do you want me to do now?

John

"Robbin Meng [MSFT]" <v-robmen@xxxxxxxxxxxxxxxxxxxx> wrote in message news:4kkTnGsKJHA.1656@xxxxxxxxxxxxxxxxxxxxxxxxx

Hi John,

Thanks for your prompt reply with detailed test results.

Based on the research of the main error message we received during the GRE
47 port tests, I found the following explanation of the error code:

WSAECONNRESET (10054)
o Translation : Connection reset by peer.
o Description : An existing connection was forcibly closed by the remote
host. This error typically occurs if the peer program on the remote host is
suddenly stopped, the host is restarted, or the remote host uses a hard
close. See setsockopt
(http://msdn2.microsoft.com/en-us/library/ms740476.aspx) for more
information about the SO_LINGER option on the remote socket. This error may
also result if a connection was broken because of keep-alive activity that
detects a failure while one or more operations are in progress. Operations
that were in progress fail with WSAENETRESET. Subsequent operations fail
with WSAECONNRESET.

WSAECONNREFUSED (10061)
o Translation : Connection refused.
o Description : No connection can be made because the destination computer
actively refuses it. This error typically results from trying to connect to
a service that is inactive on the foreign host, that is, one that does not
have a server program running.

From the test result of PPTP Ping tool, no GRE packets were received on the
server. This problem generally occurs when the GRE 47 Protocol is blocked
on router or firewall.

First of all, I suggest you contact the manufacturer of the router to
ensure that GRE Protocol 47 is allowed on your router. In addition, please
check ISA server configuration to ensure PPTP connection is enabled.

If the problem continues, please also enable ISA logging and reproduce this
issue to see whether there are any rules that block the traffic.

Information Needed
==================
1. If possible, please capture some screenshots when the error messages
appear and send them to me : v-robmen@xxxxxxxxxxxxx ;
2. Please help to gather the ISA server information:

1) Download the file from the following URL:

http://www.isatools.org/tools/isainfo.zip

2) Extract all files to a folder on ISA server.

3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.

4) Please send these files to me at v-robmen@xxxxxxxxxxxxx .

3. Gather the ISA logs:

1) Schedule a down time.

2) Open ISA 2004 management console.

3) Expand the server node and highlight 'Monitoring'.

4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.

5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

6) Switch to the 'Fields' tab, click 'Select All', and then click OK.

7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

8) Switch to the 'Fields' tab, click 'Select All', and then click OK.

9) Click 'Apply' to save changes and update the configuration.

10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.

11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files
may not be able to be deleted; that's normal.) You may back them up first
and then delete them.

12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.

14) Please also let me know the IP address of the testing clients so that I
can filter the data.


Hope this helps. Also, if you have any questions or concerns, please do not
hesitate to let me know.

Thanks for your earlier feedback!

Best regards,

Robbin Meng(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
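
The filtering that steps 13 and 14 of the quoted message describe (W3C log files narrowed to one test client's IP address), as an added example that is not part of the original posts or of any Microsoft tool. The column names and log rows below are constructed; a real log names its columns on its own `#Fields:` line, and a tab-delimited layout is assumed.

```python
from collections import Counter

# Constructed sample, NOT real ISA output. Column names are placeholders;
# the real ones come from the "#Fields:" line of your own log file.
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: date\ttime\tsource\tdestination\tprotocol\taction\trule\n"
    "2008-10-01\t10:00:01\t192.0.2.10:49152\t198.51.100.5:1723\tTCP\tAllowed\tVPN rule\n"
    "2008-10-01\t10:00:02\t192.0.2.10\t198.51.100.5\tGRE\tDenied\tDefault rule\n"
    "2008-10-01\t10:00:03\t192.0.2.77:49200\t198.51.100.5:80\tTCP\tAllowed\tWeb rule\n"
    "2008-10-01\t10:00:04\t192.0.2.10\t198.51.100.5\tGRE\tDenied\tDefault rule\n"
)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))


def is_pptp(rec):
    """True for the PPTP control channel (TCP 1723) or its GRE data channel."""
    return rec["protocol"].upper() == "GRE" or rec["destination"].endswith(":1723")


def pptp_summary(text, client_ip):
    """Count (protocol, action, rule) over PPTP-related rows from one client."""
    counts = Counter()
    for rec in parse_w3c(text):
        src_ip = rec["source"].split(":")[0]
        if src_ip == client_ip and is_pptp(rec):
            counts[(rec["protocol"], rec["action"], rec["rule"])] += 1
    return counts


if __name__ == "__main__":
    # Allowed TCP 1723 next to denied GRE points at a rule or device
    # dropping protocol 47, the condition the thread is troubleshooting.
    for key, n in pptp_summary(SAMPLE_LOG, "192.0.2.10").items():
        print(n, *key)
```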

