Troubleshooting Common VPN issues.

[Today’s post comes to us courtesy Lavinder Kumar]

This blog discusses some common VPN issues and the steps to resolve them. We will go through the issues based on the errors that a client encounters. Please keep in mind that the steps discussed in this blog are basic steps towards resolution.

Issue:- Client receives Error 691. On the server the following events were logged:

Event Source: RemoteAccess
Event Category: None
Event ID: 20189
Date: 11/18/2007
Time: 2:33:04 PM
User: N/A
Computer: SBS
Description:
The user Domain\User01 connected from 208.29.145.24 but failed an authentication attempt due to the following reason: Authentication was not successful because an unknown user name or incorrect password was used.

Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20189
Date: 11/18/2007
Time: 5:46:01 PM
User: N/A
Computer: SBS
Description:
The user Domain\test connected from 192.168.16.2 but failed an authentication attempt due to the following reason: The connection attempt did not match any connection request policy.

File “c:\windows\system32\ias\ias.mdb” may be corrupt.

STEPS TO RESOLVE

1. Stop the RemoteAccess service and close the RRAS console.
2. Rename c:\windows\system32\ias\ias.mdb to ias.old.
3. Expand a good copy from CD 1 and place it in the c:\windows\system32\ias\ directory.
4. Restart IAS.
5. Run the SBS RAS wizard.
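When many RemoteAccess entries have to be reviewed, it helps to separate the two Event ID 20189 failure reasons shown above and see which user and source address each one came from. The following is an added example, not part of the original post: it assumes the events have been saved as text in the layout shown above, and the sample is constructed from the events quoted in this post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: event text in the layout shown in this post.
SAMPLE = r"""Event Source: RemoteAccess
Event ID: 20189
Description:
The user Domain\User01 connected from 208.29.145.24 but failed an authentication attempt due to the following reason: Authentication was not successful because an unknown user name or incorrect password was used.

Event Source: RemoteAccess
Event ID: 20189
Description:
The user Domain\test connected from 192.168.16.2 but failed an authentication attempt due to the following reason: The connection attempt did not match any connection request policy.

Event Source: RemoteAccess
Event ID: 20050
Description:
The user Domain\Admin connected to port VPNx-x has been disconnected because no network protocols were successfully negotiated.
"""

FAIL = re.compile(r"The user (?P<user>\S+) connected from (?P<ip>\S+) but failed an "
                  r"authentication attempt due to the following reason: (?P<reason>.+)")
REASONS = {"unknown user name or incorrect password": "bad_credentials",
           "did not match any connection request policy": "policy_mismatch"}

def parse_events(text):
    """Yield one field dict per event; events are separated by blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, desc = block.partition("Description:")
        event = dict(re.findall(r"^([^:\n]+):[ \t]*(.*)$", head, re.M))
        event["Description"] = " ".join(desc.split())
        yield event

def triage(text):
    """Count Event ID 20189 failures per reason label and (user, source IP)."""
    out = defaultdict(Counter)
    for ev in parse_events(text):
        m = FAIL.search(ev["Description"])
        if ev.get("Event ID") != "20189" or not m:
            continue
        label = next((v for k, v in REASONS.items() if k in m["reason"].lower()), "other")
        out[label][(m["user"], m["ip"])] += 1
    return out

if __name__ == "__main__":
    for label, hits in triage(SAMPLE).items():
        print(label, dict(hits))
```

The labels bad_credentials, policy_mismatch and other are names chosen for this example; the matching strings are the reason texts from the two events above.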

Issue:- Error 721: The remote computer is not responding.

STEPS TO RESOLVE

This usually happens when GRE (IP protocol 47) is not properly allowed on the router or on one of the hops between the client and the server.

About GRE protocol:
VPN Tunnels - GRE Protocol 47 Packet Description and Use
https://support.microsoft.com/kb/241251

Issue:- TCP/IP CP reported error 733: A connection to the remote computer could not be completed. You might need to adjust the protocols on this computer.

On the server we may get the following event:-

Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20050
Date: 11/7/2008
Time: 3:26:08 PM
User: N/A
Computer: SBS2003
Description:
The user Domain\Admin connected to port VPNx-x has been disconnected because no network protocols were successfully negotiated.

STEPS TO RESOLVE

1. Make sure there is a DHCP server running on the network. If there is, make sure the SBS internal IP is excluded from the scope's IP range.
2. Try assigning a static IP pool in RRAS for VPN users.
3. Take a system state backup of the server.
4. Try resetting the TCP/IP stack first:
How to reset "Internet Protocol (TCP/IP)" in Windows Server 2003
https://support.microsoft.com/default.aspx/kb/317518/

5. If the above does not help, reinstall the TCP/IP stack using the following knowledge base article:
How to remove and reinstall TCP/IP on a Windows Server 2003 domain controller
https://support.microsoft.com/kb/325356
*Please be careful while doing this; if possible, call PSS for assistance with it.

6. Reboot the server. After the reboot it is normal for the server to boot up a bit slowly. Once the server is up, test whether VPN connects from within the network and then externally.

Issue:- You receive an "Unable to establish the VPN connection" error message when your Windows Small Business Server 2003-based client computer tries to make an outgoing PPTP connection

Error 800: Unable to establish the VPN connection. The VPN server may be unreachable, or security parameters may not be configured properly for this connection.

STEPS TO RESOLVE

Method 1:

1. On the Small Business Server 2003-based server, click To Do List in the left pane of the Server Management console.
2. Under Network Tasks, click Configure Remote Access.
3. Click Next, click Enable Remote Access, click to select the VPN Access check box, and then click Next.
4. Type the fully qualified public domain name (FQDN) of your server, click Next, and then click Finish.
5. When the wizard is completed, click Close.
6. Check if KB 936594 is installed.

Issue:- After connecting to the VPN, the client is unable to access resources.

On ISA 2004 (which is part of SBS 2003 Premium Edition), Event 14147 is logged, stating that the IP is spoofed.

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14147
Computer:        SBS
Description:
ISA Server detected routes through the network adapter LAN that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters x.x.x.x- x.x.x.x ;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

STEPS TO RESOLVE

Step 1. Configure the Network setting on ISA 2004 correctly.

1. Start the ISA Server Management program. To do this, click "Start", point to "All Programs", point to "Microsoft ISA Server", and then click "ISA Server Management".
2. Expand "<name of your ISA Server computer>", and then click "Firewall Policy".
3. In the right pane, click the "Toolbox" tab, and then click "Network Objects".
4. Expand "Networks", and then click the network object that you want to modify. For example, click "Internal".
5. Click "Edit", and then click the "Addresses" tab.
6. Under "Address ranges", click the address range that you experience this issue with, and then click "Remove". For example, click the "192.168.0.1 to 192.168.254" address range.
7. Click "Add Adapter", click to select the check box of the network adapter that you want to add to this particular network, and then click "OK".

Step 2. Try giving the VPN clients a static range on the DHCP server. Use a range of IP addresses that is different from the internal IP range.

If the above steps do not help you resolve the issue, please call Microsoft Technical Support.
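The rule quoted in Event 14147 (every address in a network's configured ranges must be routable through that network's adapters) and the Step 2 advice to keep the VPN client range separate from the internal range can both be checked before the change is applied. The following is an added example, not part of the original post and not ISA Server's own logic: it models the two checks with Python's ipaddress module, and all addresses and routes in it are constructed.

```python
import ipaddress as ip

def to_networks(first, last):
    """Expand an inclusive first-last address range into CIDR blocks."""
    return list(ip.summarize_address_range(ip.ip_address(first), ip.ip_address(last)))

def unroutable(configured_ranges, adapter_routes):
    """Parts of a network's configured ranges that no adapter route covers,
    i.e. the ranges Event 14147 lists as not routable."""
    routes = [ip.ip_network(r) for r in adapter_routes]
    leftover = []
    for first, last in configured_ranges:
        pending = to_networks(first, last)
        for route in routes:
            remaining = []
            for net in pending:
                if net.subnet_of(route):
                    continue                                      # fully covered
                if route.subnet_of(net):
                    remaining.extend(net.address_exclude(route))  # keep uncovered part
                else:
                    remaining.append(net)                         # disjoint from this route
            pending = remaining
        leftover.extend(pending)
    return sorted(ip.collapse_addresses(leftover))

def pool_overlaps(pool, internal_ranges):
    """True if the VPN client pool shares an address with the internal ranges."""
    return any(p.overlaps(n) for p in to_networks(*pool)
               for first, last in internal_ranges for n in to_networks(first, last))

# Constructed values: the LAN adapter routes only 192.168.16.0/24.
ROUTES = ["192.168.16.0/24"]
TOO_WIDE = [("192.168.16.0", "192.168.17.255")]   # range typed in by hand, too large
CORRECT = [("192.168.16.0", "192.168.16.255")]    # range matching the adapter

if __name__ == "__main__":
    print(unroutable(TOO_WIDE, ROUTES))   # the part that would trigger the event
    print(unroutable(CORRECT, ROUTES))    # nothing left over
    print(pool_overlaps(("192.168.16.200", "192.168.16.220"), CORRECT))
    print(pool_overlaps(("10.10.10.1", "10.10.10.50"), CORRECT))
```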
