VPN connect error 691 help

Discussion in 'Windows Small Business Server' started by John Lenz, Oct 2, 2008.

  1. John Lenz

    John Lenz Guest

    SBS R2
    ISA 2004
    D-Link DIR 130 router (PPTP enabled)

    I used IECW to create my VPN. Every time I use the connect to SBS via VPN
    connector loaded on my laptop, I get a secure connection then it fails on
    error RAS 691 (user name/password invalid) from log see below. I confirmed
    using correct AS username & Password and laptop is part of mobile users
    group.

    How do I get a valid logon authentication?

    Thx
    John

    Client log:

    ******************************************************************
    Operating System : Windows NT 6.0 Service Pack 1
    Dialer Version : 7.2.6001.18000
    Connection Name : Connect to Small Business Server
    All Users/Single User : Single User
    Start Date/Time : 10/2/2008, 17:23:46
    ******************************************************************
    Module Name, Time, Log ID, Log Item Name, Other Info
    For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
    ******************************************************************
    [cmdial32] 17:23:46 03 Pre-Init Event CallingProcess =
    C:\Windows\Explorer.EXE
    [cmdial32] 17:23:53 04 Pre-Connect Event ConnectionType = 1
    [cmdial32] 17:23:53 06 Pre-Tunnel Event UserName = longjw Domain = LONGSOHO
    DUNSetting = Connect to Small Business Server Tunnel DeviceName = WAN
    Miniport (SSTP) TunnelAddress = vpn.longsoho.com
    [cmdial32] 17:23:57 21 On-Error Event ErrorCode = 691 ErrorSource = RAS
    [cmdial32] 17:23:59 04 Pre-Connect Event ConnectionType = 1
    [cmdial32] 17:23:59 06 Pre-Tunnel Event UserName = longjw Domain = LONGSOHO
    DUNSetting = Connect to Small Business Server Tunnel DeviceName = WAN
    Miniport (SSTP) TunnelAddress = vpn.longsoho.com
    [cmdial32] 17:24:02 21 On-Error Event ErrorCode = 691 ErrorSource = RAS
     
    John Lenz, Oct 2, 2008
    #1
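The client log in the post above wraps long events across lines, which makes it awkward to see what each attempt actually negotiated. As an added example (not part of the original post), this PowerShell function re-joins the wrapped lines and emits one record per connection attempt with the user, tunnel device, tunnel address and RAS error code. The sample log is constructed in the same layout with placeholder names, and the function name `ConvertFrom-CmDialLog` is hypothetical.

```powershell
# Constructed sample in the same layout as the client log above (placeholder names).
$sampleLog = @'
[cmdial32] 17:23:46 03 Pre-Init Event CallingProcess =
C:\Windows\Explorer.EXE
[cmdial32] 17:23:53 04 Pre-Connect Event ConnectionType = 1
[cmdial32] 17:23:53 06 Pre-Tunnel Event UserName = user1 Domain = EXAMPLE
DUNSetting = Connect to Small Business Server Tunnel DeviceName = WAN
Miniport (SSTP) TunnelAddress = vpn.example.test
[cmdial32] 17:23:57 21 On-Error Event ErrorCode = 691 ErrorSource = RAS
[cmdial32] 17:23:59 04 Pre-Connect Event ConnectionType = 1
[cmdial32] 17:23:59 06 Pre-Tunnel Event UserName = user1 Domain = EXAMPLE
DUNSetting = Connect to Small Business Server Tunnel DeviceName = WAN
Miniport (SSTP) TunnelAddress = vpn.example.test
[cmdial32] 17:24:02 21 On-Error Event ErrorCode = 806 ErrorSource = RAS
'@

function ConvertFrom-CmDialLog {
    param([Parameter(Mandatory)][string]$Text)

    # Error texts as quoted in this thread; other codes are reported without a description.
    $rasErrorText = @{
        691 = 'Access denied because username and/or password is invalid on the domain'
        806 = 'VPN connection could not be completed; GRE packets may be blocked by a firewall or router'
    }

    # 1. Re-join wrapped lines. A new event always starts with "[module] hh:mm:ss id";
    #    anything else is a continuation of the previous event. Header lines that
    #    precede the first event are skipped.
    $joined = New-Object 'System.Collections.Generic.List[string]'
    foreach ($raw in ($Text -split '\r?\n')) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^\[\w+\]\s+\d{2}:\d{2}:\d{2}\s+\d+\s') {
            $joined.Add($line)
        } elseif ($joined.Count -gt 0) {
            $joined[$joined.Count - 1] = $joined[$joined.Count - 1] + " $line"
        }
    }

    # 2. Walk the events. Log ID 04 (Pre-Connect) opens an attempt, 06 (Pre-Tunnel)
    #    carries the identity and tunnel details, 21 (On-Error) carries the error code.
    $current = $null
    foreach ($e in $joined) {
        if (-not ($e -match '^\[\w+\]\s+(?<time>\d{2}:\d{2}:\d{2})\s+(?<id>\d+)\s+.+? Event\s*(?<rest>.*)$')) { continue }
        $time = $Matches['time']; $id = $Matches['id']; $rest = $Matches['rest']

        # "Key = value" pairs; a value runs until the next " Key = " or end of line.
        # (A value that itself contains " word = " would be split; none do in this format.)
        $fields = @{}
        foreach ($m in [regex]::Matches($rest, '(\w+) = (.*?)(?= \w+ = |$)')) {
            $fields[$m.Groups[1].Value] = $m.Groups[2].Value.Trim()
        }

        switch ($id) {
            '04' {
                if ($null -ne $current) { [pscustomobject]$current }
                $current = [ordered]@{
                    Started = $time; ConnectionType = $fields['ConnectionType']
                    UserName = $null; Domain = $null; DeviceName = $null; TunnelAddress = $null
                    ErrorTime = $null; ErrorCode = $null; ErrorSource = $null; Meaning = $null
                }
            }
            '06' {
                if ($null -ne $current) {
                    foreach ($k in 'UserName', 'Domain', 'DeviceName', 'TunnelAddress') { $current[$k] = $fields[$k] }
                }
            }
            '21' {
                if ($null -ne $current -and $fields['ErrorCode']) {
                    $code = [int]$fields['ErrorCode']
                    $current['ErrorTime']   = $time
                    $current['ErrorCode']   = $code
                    $current['ErrorSource'] = $fields['ErrorSource']
                    $current['Meaning']     = $rasErrorText[$code]
                }
            }
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

ConvertFrom-CmDialLog -Text $sampleLog |
    Format-Table Started, UserName, Domain, DeviceName, TunnelAddress, ErrorCode, Meaning -AutoSize -Wrap
```

To run it against a real log, pass the file contents with `Get-Content <path to the .log file> -Raw`.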

  2. Did you also run the Remote Access Wizard?
     
    Merv Porter [SBS-MVP], Oct 2, 2008
    #2

  3. Hi John,

    Thanks for your post and Merv's input.

    Based on my research and experience, first, I would like to confirm with
    you that you have finished the CEICW wizard successfully without any error?

    If you are not sure, let's re-run the CEICW wizard to configure your
    DNS server and other network connections. After successfully re-running
    CEICW, please restart your SBS server.

    Go through the following KB and Rerun CEICW again carefully.

    How to configure Internet access in Windows Small Business Server 2003
    <http://support.microsoft.com/kb/825763/en-us>


    Second, as Merv indicated, run the SBS RAS wizard (Remote Access Wizard) on
    the To Do List to configure VPN and RRAS.


    If the issue persists, please go to the AD Users and Computers console and
    check if the "Pre-Windows 2000 Compatible Access" group does not have "List
    Contents" rights for "This object and all child objects" at the root of the
    domain.

    Grant "Pre-Windows 2000 Compatible Access" group "List Contents" rights for
    "This object and all child objects" at the root of the domain


    By the way, based on research, the 691 error code represents the following
    error message:
    Access denied because username and/or password is invalid on the domain.


    This issue may also occur if a third-party RAS device incorrectly converts
    the 648 error code to the 691 error code. Please see KB938224

    Error message when you try to connect a Windows XP-based computer to a
    network by using a virtual private network (VPN) connection: "Access denied
    because username and/or password is invalid on the domain"
    http://support.microsoft.com/kb/938224/en-us

    More information:
    ====================
    The Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall
    policy blocks outgoing PPTP connections in Microsoft Windows Small Business
    Server 2003 Premium Edition SP1
    http://support.microsoft.com/kb/923836

    Known issues that may occur if you install Windows Server 2003 SP1 on
    Windows Small Business Server 2003
    http://support.microsoft.com/?id=897342

    List of Error Codes that you may receive when you try to make a dial-up
    connection or a VPN connection in Windows Vista
    http://support.microsoft.com/kb/923944/en-us


    Does the issue still occur now?


    If we cannot resolve the issue after we perform the above steps, please
    help me collect some information for further investigation:

    Information Need
    ==============
    1. If possible, please capture some screenshot when the error messages
    appear and send them to me :
    2. collect related MPS Network report from your SBS 2003 server:

    a. Please download a tool from the following link:
    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

    b. Double-click the downloaded EXE file to collect the MPS report.
    c. Please send the generated CAB file to me at:

    Hope this helps. Also, if you have any questions or concerns, please do not
    hesitate to let me know.

    Thanks for your earlier feedback!


    Best regards,

    Robbin Meng(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Robbin Meng [MSFT], Oct 3, 2008
    #3
  4. John Lenz

    John Lenz Guest

    Status update:

    I re-ran CEICW and re-did firewall properties to include checking "allow
    access" to all the services

    I re-booted and re-ran Remote access wizard from server manager to
    conclusion

    I looked at firewall/router to ensure port 1723 forwarded internally and
    PPTP allowed for GRE 47

    I tested connect to small business server, it opens secure VPN connection
    and it still failed on following message:

    The VPN connection between your computer and the VPN server could not be
    completed. The most common cause for this failure is that at least one
    Internet device (for example, a firewall or a router) between your computer
    and the VPN server is not configured to allow Generic Routing Encapsulation
    (GRE) protocol packets. If the problem persists, contact your network
    administrator or Internet Service Provider. (Error 806) For customized
    troubleshooting information for this connection.
    This was a new error message from the failed logon.

    I re-installed above and it opens secure VPN connection and still failed as
    above.

    I watched ISA 2004 log during logon attempt.
    - It shows Rule "Allow VPN Client traffic to ISA Server (from destination
    192.168.1.2 -> IP address of SBS server on the ISP NIC) with PPTP
    protocol -> Initiated Connection (port 1723).

    - It then shows Rule "Allow VPN Client traffic to ISA Server (from
    destination 192.168.1.2 -> IP address of SBS server on the ISP NIC) with
    PPTP protocol -> Closed Connection (port 0).

    - One second before closing connection it shows "Allow VPN Client traffic to
    ISA Server (from destination 192.168.1.2 -> IP address of SBS server on the
    ISP NIC) with PPTP protocol -> Initiated Connection (port 1723). It then
    shows Rule "Allow VPN Client traffic to ISA Server (from destination
    192.168.1.2 -> IP address of SBS server on the ISP NIC) with PPTP
    protocol -> Closed Connection (port 0).


    The closing connection occurs some 40 seconds after initiate which
    corresponds to the WinVista client activity.

    I then created a new VPN connection (win Vista ultimate SP1) and it created
    secure VPN connection and failed on logon (use Windows domain logon, P/W and
    domain ID)

    I watched ISA 2004 log during logon attempt.

    - It shows Rule "Allow VPN Client traffic to ISA Server (from destination
    192.168.1.2 -> IP address of SBS server on the ISP NIC) with PPTP
    protocol -> Initiated Connection (port 1723).

    - It then shows Rule "Allow VPN Client traffic to ISA Server (from
    destination 192.168.1.2 -> IP address of SBS server on the ISP NIC) with
    PPTP protocol -> Closed Connection (port 0)

    The closing connection occurs some 30 seconds after initiate which
    corresponds to the WinVista client activity.

    I found the Pre-Windows 2000 Compatible Access GPO in built-in but it did
    not have "List Contents" rights

    I seem to be getting through the ISA firewall but nowhere after that. Any
    help is appreciated.


     
    John Lenz, Oct 6, 2008
    #4
  5. Hi John,

    Thanks for your reply with detailed information.

    Before we go further, I would like to confirm with you that:

    Did you still receive the 691 error in the VPN log on the Windows Vista
    computer when trying to use the "connect to small business server" icon on
    the client's desktop to VPN? Or the error message has changed to "The VPN
    connection between your computer and the VPN server could not be completed.
    The most common cause for this failure is that at least one Internet device
    (for example, a firewall or a router) between your computer and the VPN
    server is not configured to allow Generic Routing Encapsulation (GRE)
    protocol packets. If the problem persists, contact your network
    administrator or Internet Service Provider. (Error 806) For customized
    troubleshooting information for this connection." ?

    According to your reply, a secure connection was established when you tried
    to connect the second time. What happened after you typed user name and
    password? If you received any error messages, please let me know WORD BY
    WORD.

    Please let me know if the 691 error messages still occur when you use
    "connect to small business server" icon on the client's desktop to VPN or
    create a VPN connection manually from the Vista computer to your SBS server.

    Since the VPN issue occurs on Windows Vista clients, please test if it also
    occurs to Windows XP clients.

    Note: If you receive any error message, please write down the message
    recorded in the VPN log as well as other error messages if any.


    For the current new error message issue, please check the following:

    1. Please check the account you are using for test in AD Users and
    Computers console and ensure this account is in the "SBS Mobile Users"
    group. You may use a working account to initiate the VPN connection on the
    problematic client to isolate whether this is an account related issue.

    2. If you have McAfee Host Intrusion Prevention installed on the Vista
    computer, please uninstall it from Add/Remove programs.

    3. Please temporarily disable all third-party applications on the client and
    the SBS Server for testing purposes; sometimes this issue can occur
    because an anti-virus application blocks the necessary port on the
    client. To do so:

    A. Click Start, click Run, type "msconfig" (without the quotation marks)
    and click OK.
    B. Select "Selective Startup" and remove the check box for "Load Startup
    Items".
    C. On the "Services" tab, click Enable All.
    D. Check "Hide all Microsoft Services", click Disable All and clear "Hide
    all Microsoft Services".
    E. Click the OK button and then Click Yes to restart your computer.
    F. Try again.


    If the problem continues, please confirm the following information and
    perform some tests to isolate the root cause:

    Please perform the following tests and let me know the results.

    Test 1:
    ---------------------------
    Please try to VPN the SBS Server from an internal client, configure the VPN
    gateway points to SBS internal network interface on the testing client.
    Will you receive the error message?


    Test 2: Ping 1723 port
    ---------------------------
    On the external VPN client, click Start, click Run, type "cmd" (without the
    quotation marks) and click OK. Type the following command and press ENTER:

    telnet <Public IP or FQDN of the SBS server> 1723

    Do you get a blank screen with a blinking cursor? If not, the port 1723 is
    blocked by the VPN client, the router in front of your SBS server, or your
    ISP.


    Test 3: Test GRE Protocol 47
    ---------------------------
    Could you please double-check if GRE Protocol 47 is enabled on your router?
    Based on my experience, there are some similar issues caused by the router.

    PPTP Ping allows you to test whether PPTP traffic, consisting of TCP port
    1723 traffic for PPTP tunnel maintenance and IP protocol 47 for GRE traffic
    for PPTP tunneled data, can be successfully sent and received between a
    client and server computer. PPTP Ping does not verify that a successful
    PPTP connection can be made (which requires a user authentication process),
    only that PPTP traffic can be exchanged with a specified destination.

    <How to get PPTPSRV.exe and PPTPCLNT.exe?>
    Run SUPTOOLS.MSI from support\tools folder in Vista CD-ROM;
    Then search your Vista for PPTPSRV.exe and PPTPCLNT.exe.


    1) On server, open Routing and Remote Access console, right click the RAS
    Server, select "All Tasks" -> Stop. (You can start it after the test), copy
    the Pptpsrv.exe from Vista SP1 client to C:\ on Server. Then run the
    Pptpsrv.exe from command prompt.
    NOTE: You should stop the Routing and Remote Access service on the RRAS
    (VPN) server so that PPTPSRV can bind to port 1723.

    2) Run Pptpclnt.exe [ServerNameorIPaddress] on Vista SP1 client.

    3) When prompted by Pptpclnt.exe, type some text to send to Pptpsrv.exe,
    and then click Enter.
    You see the text received at the host running Pptpsrv.exe. You then see
    five GRE packets sent from Pptpclnt.exe and received at Pptpsrv.exe.

    The following is a successful example. Please compare it with the result on
    the Internet Vista client computer to see if GRE protocol is enabled.

    From PPTPClnt client computer:
    ===========
    C:\Program Files\Support Tools>pptpclnt 192.168.0.1

    Initializing WinSock...
    Obtaining host information...
    Successfully resolved server's host information

    ======================================
    Enter data to send to server (between 1 and 255 chrs.), then hit enter:
    -->test

    Successfully connected to server using TCP port 1723 (PPTP)
    Sending data to server

    Waiting for a reply to the data which was just sent...
    Received a reply. Reply contains the following text:
    --->

    =================================
    Connectivity test to TCP Port 1723 was successful!!!
    Closing down socket...
    =================================

    Creating a socket to test GRE protocol traffic...

    Total GRE packets sent = 1
    Total GRE packets sent = 2
    Total GRE packets sent = 3
    Total GRE packets sent = 4
    Total GRE packets sent = 5

    =====================================
    Check server to see if the GRE packets were received successfully
    =====================================

    Closing down socket

    Goodbye!
    =========


    From PPTPSrv:
    ========
    C:\>pptpsrv

    Now you must run pptpclnt.exe on remote machine

    Waiting for inbound connection on TCP port 1723...
    Inbound connection from client has completed successfully!

    Data received from client:
    ---> test


    Sending the message 'Reply from server' to the client

    =====================================================
    Connectivity test to TCP Port 1723 was successful!!!
    Closing down socket...
    =====================================================

    Created socket for GRE protocol test

    Listening on PROTOCOL 47 for incoming GRE packets...

    Total GRE packets received = 1
    Total GRE packets received = 2
    Total GRE packets received = 3
    Total GRE packets received = 4
    Total GRE packets received = 5

    ======================================
    GRE protocol test was successful!
    ======================================

    Closing socket

    Goodbye!
    ========

    And then, RRAS tracing log is also critical for root cause analysis, enable
    RRAS tracing on Vista client and on server if your server is Windows:
    1) Click "Start" -> "Run" -> type "cmd"
    2) Type "netsh ras set tracing * enabled"
    3) Reproduce the issue
    4) Turn off tracing from a command prompt with "netsh ras set tracing *
    disabled"
    5) The logs are contained in the %SystemRoot%\Tracing folder. Compress them
    and send to me: with title "# 42704589- VPN connect
    error 691 help"


    Meanwhile, please help me collect some information for further
    investigation:

    1. Collect Network related MPS report from your SBS 2003 server:

    a. Please download a tool from the following link:
    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

    b. Double-click the downloaded EXE file to collect the MPS report.
    c. Please send the generated CAB file to me at:


    Hope this helps. Also, if you have any questions or concerns, please do not
    hesitate to let me know.

    Thanks for your earlier feedback!


    Best regards,

    Robbin Meng(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

     
    Robbin Meng [MSFT], Oct 8, 2008
    #5
  6. John Lenz

    John Lenz Guest

    Robbin,

    I posted 2 entries (first ignore -> I found the tools)

    It does not show in news reader but it does appear on the web version.

    Pls advise your thoughts

    Thx

    John
     
    John Lenz, Oct 9, 2008
    #6
  7. Hi John,

    Thanks for your prompt reply with detailed test results.

    Based on the research of the main error message we received during the GRE
    47 port tests, I found the following explanation of the error code:

    WSAECONNRESET (10054)
    o Translation : Connection reset by peer.
    o Description : An existing connection was forcibly closed by the remote
    host. This error typically occurs if the peer program on the remote host is
    suddenly stopped, the host is restarted, or the remote host uses a hard
    close. See setsockopt
    (http://msdn2.microsoft.com/en-us/library/ms740476.aspx) for more
    information about the SO_LINGER option on the remote socket. This error may
    also result if a connection was broken because of keep-alive activity that
    detects a failure while one or more operations are in progress. Operations
    that were in progress fail with WSAENETRESET. Subsequent operations fail
    with WSAECONNRESET.

    WSAECONNREFUSED (10061)
    o Translation : Connection refused.
    o Description : No connection can be made because the destination computer
    actively refuses it. This error typically results from trying to connect to
    a service that is inactive on the foreign host, that is, one that does not
    have a server program running.

    From the test result of PPTP Ping tool, no GRE packets were received on the
    server. This problem generally occurs when the GRE 47 Protocol is blocked
    on router or firewall.

    First of all, I suggest you contact the manufacturer of the router to
    ensure that GRE Protocol 47 is allowed on your router. In addition, please
    check ISA server configuration to ensure PPTP connection is enabled.

    If the problem continues, please also enable ISA logging and reproduce this
    issue to see whether there are any rules that block the traffic.

    Information Need
    ==============
    1. If possible, please capture some screenshot when the error messages
    appear and send them to me : ;
    2. Please help to gather the ISA server information:

    1) Download the file from the following URL:

    http://www.isatools.org/tools/isainfo.zip

    2) Extract all files to a folder on ISA server.

    3) Double click Isainfo.js. This will generate 2 files
    ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
    current folder.

    4) Please send these files to me at .

    3. Gather the ISA logs:

    1) Schedule a down time.

    2) Open ISA 2004 management console.

    3) Expand the server node and highlight 'Monitoring'.

    4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
    Pane' is showed there.

    5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
    Tasks', and then switch the 'log storage format' from 'MSDE database'
    (default) to 'File'.

    6) Switch to the 'Fields' tab, click 'Select All', and then click OK.

    7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
    Tasks', and then switch the 'log storage format' from 'MSDE database'
    (default) to 'File'.

    8) Switch to the 'Fields' tab, click 'Select All', and then click OK.

    9) Click 'Apply' to save changes and update the configuration.

    10) Temporarily disable the Firewall service. To do that, please click
    Monitoring | Services tab, and then right click 'Microsoft Firewall' to
    choose 'Stop'.

    11) Clear the current existing W3C logs. To do that, go to the log saving
    directory and clean any existing .W3C logs. By default, the logs will be
    saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files may
    not be able to be deleted; that's normal.) You may back them up first and
    then delete them.

    12) Go back to the ISA 2004 management console, and then Start the stopped
    'Microsoft Firewall' service.

    13) Reproduce the problem, stop the service, and then gather the resulting
    W3C files to me for analysis.

    14) Please also let me know the IP address of the testing clients so that I
    can filter the data.


    Hope this helps. Also, if you have any questions or concerns, please do not
    hesitate to let me know.

    Thanks for your earlier feedback!

    Best regards,

    Robbin Meng(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

     
    Robbin Meng [MSFT], Oct 10, 2008
    #7
  8. John Lenz

    John Lenz Guest

    Robbin,

    I checked with Comcast (my ISP) and they verified that they pass GRE 47. I
    next went to Linksys (Router BEFSR41) and they said to open port 500 as well
    as 1723. I did and now I get a VPN connection but it is limited and
    unauthenticated. I am eMailing you the screen shots.

    Closer. And again thanks for your help. What do you want me to do now?

    John

     
    John Lenz, Oct 14, 2008
    #8
  9. Hi John,

    Thanks for your feedback and the screenshot files.

    I am glad to know the VPN session can be connected now. Regarding your
    concern about why it shows "limited and unauthenticated": first, regarding
    the "limited", since Windows Vista enables IPv6 by default and we are
    actually using IPv4 for VPN, it is by design and normal behavior to show
    as limited. We can safely ignore it.

    As for the "unauthenticated" shown on the Network and Sharing Center page,
    I would like to confirm if it is the same when you manually create a VPN
    connection using Windows "Setup a connection or network" connection? If
    the issue both occurs when using the SBS shortcut to setup VPN and manually
    create VPN connection, let's try the following steps to continue:

    Seeing that we are logged into an Active Directory Domain we will use
    Kerberos for authentication. If a Kerberos packet gets fragmented it can
    definitely break the authentication process.

    Let's try to make the following registry change to the MTU Settings for VPN
    Connections:

    To change the MTU settings for VPN connections, add the ProtocolType DWORD
    value, the PPPProtocolType DWORD value, and the TunnelMTU DWORD value to
    the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ndiswan\Parameters\Protocols\0

    To do so, follow these steps.

    1. Click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate and then click the following subkey in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters
    3. Add a Protocols subkey (if it does not already exist). To do so:
    a. On the Edit menu, point to New, and then click Key.
    b. Type Protocols, and then press ENTER.

    4. Add a 0 (zero) subkey to the Protocols subkey. To do so:
    a. Click the Protocols sub key that you created in step 3.
    b. On the Edit menu, point to New, and then click Key.
    c. Type 0 (zero), and then press ENTER.

    5. Click the 0 subkey that you created in step 4.
    6. On the Edit menu, point to New, and then click DWORD Value.
    7. In the Value data box, type ProtocolType, and then click OK.
    8. On the Edit menu, click Modify.
    9. In the Value data box, type 800, make sure Hexadecimal is selected under
    Base, and then click OK.
    10. On the Edit menu, point to New, and then click DWORD Value.
    11. Type PPPProtocolType, and then press ENTER.
    12. On the Edit menu, click Modify.
    13. In the Value data box, type 21, make sure Hexadecimal is selected under
    Base, and then click OK.
    14. On the Edit menu, point to New, and then click DWORD Value.
    15. Type TunnelMTU, and then press ENTER.
    16. On the Edit menu, click Modify.
    17. Under Base, click Decimal, type the MTU size that you want in the Value
    data box, and then click OK.
    18. Quit Registry Editor.
    19. Restart your computer.

    For more information, please refer to:

    HOW TO: Change the Default Maximum Transmission Unit (MTU) Size Settings
    for PPP Connections or for VPN Connections
    http://support.microsoft.com/kb/826159

    How to Troubleshoot Black Hole Router Issues
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;314825

    Hope this helps. Also, if you have any questions or concerns, please do not
    hesitate to let me know.

    Thank you for your time and cooperation.


    Best regards,
    Robbin Meng(MSFT)
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security
     
    Robbin Meng [MSFT], Oct 16, 2008
    #9
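The registry steps in the post above, scripted as an added PowerShell example (not code from the thread or from Microsoft). It uses the key path given in step 2 and the ProtocolType and PPPProtocolType values from steps 9 and 13; the function name `Set-VpnTunnelMtu`, its parameters and the 1-65535 sanity bound are assumptions, and the MTU size itself is left to the caller as in step 17.

```powershell
#Requires -RunAsAdministrator

function Set-VpnTunnelMtu {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # MTU size you want (step 17, entered as decimal). The bound is only a sanity check.
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$TunnelMtu,

        # Key path as written in step 2 of the post.
        [string]$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters'
    )

    # Steps 3-4: create the Protocols\0 subkey if it does not already exist.
    $key = Join-Path $ParametersKey 'Protocols\0'
    if (-not (Test-Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # Steps 6-17: three DWORD values. 0x800 and 0x21 are the hexadecimal values from the post.
    $values = [ordered]@{
        ProtocolType    = 0x800
        PPPProtocolType = 0x21
        TunnelMTU       = $TunnelMtu
    }

    foreach ($name in $values.Keys) {
        # Record the previous value so the change can be reverted by hand if needed.
        $old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $old) { $old = '<not set>' }

        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($values[$name]) (previous: $old)")) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
            Write-Verbose "$name : $old -> $($values[$name])"
        }
    }

    # Read back what is now in the registry. Step 19: the computer must be restarted
    # before the new setting is used.
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object ProtocolType, PPPProtocolType, TunnelMTU
    }
}

# Preview the changes without writing anything; <size> is the MTU you have chosen:
#   Set-VpnTunnelMtu -TunnelMtu <size> -WhatIf
# Apply them and show the previous values:
#   Set-VpnTunnelMtu -TunnelMtu <size> -Verbose
```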
  10. John Lenz

    John L Guest

    Robbin,

    Sorry for the delay, my post did not take.

    I manually created a VPN connection and tested it. I connected and
    authenticated. The SBS connection connects but does not authenticate.

    Why does the SBS not authenticate? What do you want me to test?

    Thx for your patience
    --
    John L


     
    John L, Oct 20, 2008
    #10
  11. Hi John,

    I checked the screen shots carefully. For the SBS connection, the
    "Connection-specific DNS suffix" is configured as "LongXXXX.local";
    however, for the manually created network connection, the
    "Connection-specific DNS suffix" is empty. I think that this is the
    difference. When DNS suffix is configured, the client will not try to
    authenticate with domain; as a result, it is not listed as
    "Unauthenticated". But this explanation has not been fully confirmed and
    may need more tests from your side. So let's continue our troubleshooting
    by trying the below steps:

    1. Go on with the steps about "change the MTU Settings for VPN
    Connections" I listed in our previous posts. If it doesn't change anything,
    try step 2.

    2. Dis-join Windows Vista computer from SBS domain and re-join it to
    domain. First remove it from SBS console then join it to a WorkGroup. Then
    create a new computer from the SBS console. After that, log on the Windows
    Vista computer to rejoin domain by using Client Network Configuration
    wizard (http://servername/connectcomputer), which should re-create a new SBS
    VPN connection icon on the desktop.

    3. Modify the HOST file on the Vista
    client (C:\Windows\system32\drivers\etc\HOST) to add a new record
    "SBS_Internal_IP www.LongXXXX.com" so that we point
    www.LongXXXX.com to your SBS server internal IP address.

    Note: I assume the SBS VPN connection client(Connect to SBS shortcut) on
    the Windows Vista computer desktop is trying to connect to www.LongXXXX.com
    when connecting.

    Try to test the issue again. What's the result now?

    Considering the current situation if the problem continues, please collect
    the following information:

    1. Can you access a network share in SBS domain properly by using SBS
    generated VPN connection?
    2. Can you access a network share in SBS domain properly by using the
    manually created VPN connection?
    I just wonder if the " unauthenticated " will affect the Windows Vista
    client from accessing any server resources?

    Hope this will make some progress. Thanks!


    Best Regards,
    Robbin Meng
     
    Robbin Meng [MSFT], Oct 21, 2008
    #11
  12. John Lenz

    John L Guest

    Robbin,


    I took my laptop to Caribou coffee and got right in via SBS connection. I
    had full access to all network drives and sharepoint. It is working. My other
    test (what we have been working on) was from my home office where I have the
    Vista PC on a backup ISP so I could go out to come back into the server.

    One final question, does the VPN client send only SBS traffic and let normal
    internet out the ISP connection or is all traffic routed through SBS?

    Thx for your patience.
     
    John L, Oct 22, 2008
    #12
  13. Hi John,

    Thanks for updating me.

    Since after you changed another location and network connection the issue
    disappeared, I think it is not the SBS server issue but local client
    network connection issue. I am not sure if you have followed the steps to
    modify the MTU size. You may still have a try.

    Regarding your question about VPN client traffic, by default the SBS VPN
    connection created by the SBSpackage.exe (CMAK) has the option "use
    default gateway on the remote network". With that, a default route (0.0.0.0
    0.0.0.0) will be created when creating the VPN connection with the SBS
    server IP address as destination address (gateway). Because it has a lower
    metric than the default gateway on the NIC, all traffic including Internet
    access will be routed to the SBS server.

    To split the Internet access to use local connection, you can manually
    create a VPN connection without selecting the option "use default gateway
    on the remote network". A route table entry to the SBS network segment will
    be created with the SBS server IP address as the gateway (you can verify it
    by "route print"). Then only the traffic to the SBS private network segment
    will be routed to the SBS server. Other traffic will go normal Internet out
    the ISP connection.

    More information about " Split Tunneling " for your reference:

    The Cable Guy Strong and Weak Host Models
    http://technet.microsoft.com/en-us/magazine/cc137807.aspx

    VPN Client Security Part 1: Split Tunneling Issues
    http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

    Hope this helps.

    Thanks for your earlier feedback!


    Best regards,

    Robbin Meng(MSFT)
     
    Robbin Meng [MSFT], Oct 23, 2008
    #13
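
Added example, not part of the original posts: a small Python check that reads the IPv4 rows of `route print` output and reports whether a client is full-tunnel or split-tunnel, using the rule described in post #13 (longest matching prefix, then lowest metric). The two route tables, all addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed "route print" rows (assumed values, not from the thread):
# LAN NIC 192.168.1.50, VPN adapter 192.168.16.30, SBS server 192.168.16.2.
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0     192.168.16.2   192.168.16.30     11
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
     192.168.16.0    255.255.255.0     192.168.16.2   192.168.16.30     11
"""
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
     192.168.16.0    255.255.255.0     192.168.16.2   192.168.16.30     11
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or blank line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
        except ValueError:
            continue  # not a destination/netmask pair
        routes.append((net, parts[2], parts[3], int(parts[4])))
    return routes

def egress_interface(routes, destination):
    """Interface chosen for a destination: longest prefix, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))[2]

def tunnel_mode(routes, vpn_interface, internet_host="203.0.113.10"):
    """'full' if Internet-bound traffic leaves through the VPN adapter."""
    return "full" if egress_interface(routes, internet_host) == vpn_interface else "split"

if __name__ == "__main__":
    for label, table in (("CMAK default", FULL_TUNNEL), ("manual, no remote gateway", SPLIT_TUNNEL)):
        print(label, "->", tunnel_mode(parse_routes(table), "192.168.16.30"))
```

In both tables traffic to the SBS segment leaves through the VPN adapter; only the winner of the default route differs, which is what decides whether Internet traffic is subject to the server-side controls.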
  14. John Lenz

    John L Guest

    Robbin,

    Thanks for all your help. It is nice to "one off the punch list". I will look
    to split the tunnel.
     
    John L, Oct 23, 2008
    #14
  15. Hi John,

    You are welcome. As always, if there is anything else I can be of help,
    please just let me know. :)

    Again, thank you for your time and cooperation.


    Best regards,
    Robbin Meng(MSFT)
     
    Robbin Meng [MSFT], Oct 24, 2008
    #15