Hello,
I have 10 computers that CAN connect to my SBS 2003 pptp VPN.
I have 1 user who cannot. He is running XP sp2. He gets 721 error.
I can run pptpclnt / pptpsrv successfully from this client, so GRE is
not the issue.

(Dell server / 2 NICs; 1 NIC connected to local network; 1 NIC
connected to public network.
I have rerun CEICW, reinstalled RAS on the server.

I have msconfiged and booted very clean on his PC (no AV, firewall,
defender, etc)

I tried connecting to another company's SBS vpn and have same issue.

I can connect to vpn with his account on another computer.

It fails with any account I try on his computer.

So, it has to be computer specific.

The fact the pptpclnt / pptpsrv succeeded really has me stumped.
Any ideas? Are there any alternative vpn clients that run under xp
and connect to a sbs 2003 vpn?
thanks

Re: PC specific vpn issues by Cliff

Cliff
Fri Jun 27 04:48:42 PDT 2008

You said you could run pptpclnt/pptpsrv successfully from the client...but
just to be clear, pptpsrv needs to be run on the SERVER. Otherwise you only
verified GRE over the loopback interface. Not very effective at all.

Secondly, the pptp ping tools (unfortunately named) only verify GRE. They
do not verify TCP 1723. The fact that other machines are working and the
same account works on other machines tells me a pretty blatant
communications issue with the client, not the server. Also, if
communications were working, but authentication was failing (mismatched
encryption MS-CHAP vs MS-CHAPv2, for example) then the error code would
change. That would no longer be a 721. So the failure is very early in the
PPTP negotiation attempt. That limits the scope of where the problem can
lie.

Sadly that also means this isn't an SBS issue, so I don't think this is the
best group to help you. You can try in the XP group to get more ideas,
otherwise I'd say if you can't pinpoint what is blocking packets, time to
re-image the machine.

Good luck,

-Cliff

"J" <japhyrider2005@yahoo.com> wrote in message
news:b4ceb358-bc68-4eb1-b199-41201dd69564@z66g2000hsc.googlegroups.com...
> Hello,
> I have 10 computers that CAN connect to my SBS 2003 pptp VPN.
> I have 1 user who cannot. He is running XP sp2. He gets 721 error.
> I can run pptpclnt / pptpsrv successfully from this client, so GRE is
> not the issue.
>
> (Dell server / 2 NICs; 1 NIC connected to local network; 1 NIC
> connected to public network.
> I have rerun CEICW, reinstalled RAS on the server.
>
> I have msconfiged and booted very clean on his PC (no AV, firewall,
> defender, etc)
>
> I tried connecting to another company's SBS vpn and have same issue.
>
> I can connect to vpn with his account on another computer.
>
> It fails with any account I try on his computer.
>
> So, it has to be computer specific.
>
> The fact the pptpclnt / pptpsrv succeeded really has me stumped.
> Any ideas? Are there any alternative vpn clients that run under xp
> and connect to a sbs 2003 vpn?
> thanks


Re: PC specific vpn issues by J

J
Fri Jun 27 06:20:44 PDT 2008

On Jun 27, 4:48 am, "Cliff Galiher" <cgali...@gmail.com> wrote:
> You said you could run pptpclnt/pptpsrv successfully from the client...but
> just to be clear, pptpsrv needs to be run on the SERVER. Otherwise you only
> verified GRE over the loopback interface. Not very effective at all.
>
> Secondly, the pptp ping tools (unfortunately named) only verify GRE. They
> do not verify TCP 1723. The fact that other machines are working and the
> same account works on other machines tells me a pretty blatant
> communications issue with the client, not the server. Also, if
> communications were working, but authentication was failing (mismatched
> encryption MS-CHAP vs MS-CHAPv2, for example) then the error code would
> change. That would no longer be a 721. So the failure is very early in the
> PPTP negotiation attempt. That limits the scope of where the problem can
> lie.
>
> Sadly that also means this isn't an SBS issue, so I don't think this is the
> best group to help you. You can try in the XP group to get more ideas,
> otherwise I'd say if you can't pinpoint what is blocking packets, time to
> re-image the machine.
>
> Good luck,
>
> -Cliff
>
> "J" <japhyrider2...@yahoo.com> wrote in message
> news:b4ceb358-bc68-4eb1-b199-41201dd69564@z66g2000hsc.googlegroups.com...
>
> > Hello,
> > I have 10 computers that CAN connect to my SBS 2003 pptp VPN.
> > I have 1 user who cannot. He is running XP sp2. He gets 721 error.
> > I can run pptpclnt / pptpsrv successfully from this client, so GRE is
> > not the issue.
>
> > (Dell server / 2 NICs; 1 NIC connected to local network; 1 NIC
> > connected to public network.
> > I have rerun CEICW, reinstalled RAS on the server.
>
> > I have msconfiged and booted very clean on his PC (no AV, firewall,
> > defender, etc)
>
> > I tried connecting to another company's SBS vpn and have same issue.
>
> > I can connect to vpn with his account on another computer.
>
> > It fails with any account I try on his computer.
>
> > So, it has to be computer specific.
>
> > The fact the pptpclnt / pptpsrv succeeded really has me stumped.
> > Any ideas? Are there any alternative vpn clients that run under xp
> > and connect to a sbs 2003 vpn?
> > thanks

Thanks Cliff,
Yes, to clarify, I did run pptpsrv on the server at the same time.
I agree with your post.

Re: PC specific vpn issues by Dave

Dave
Fri Jun 27 09:21:13 PDT 2008

This is often caused by the firewall on the remote PC. For example, WLOC
blocks outbound VPN in its default configuration. I am 99% sure the
built-in Vista firewall does as well. It seems like you've just about
conclusively proved this to be that one PC, and firewall settings are the
place I'd look first.


"J" <japhyrider2005@yahoo.com> wrote in message
news:b4ceb358-bc68-4eb1-b199-41201dd69564@z66g2000hsc.googlegroups.com...
> Hello,
> I have 10 computers that CAN connect to my SBS 2003 pptp VPN.
> I have 1 user who cannot. He is running XP sp2. He gets 721 error.
> I can run pptpclnt / pptpsrv successfully from this client, so GRE is
> not the issue.
>
> (Dell server / 2 NICs; 1 NIC connected to local network; 1 NIC
> connected to public network.
> I have rerun CEICW, reinstalled RAS on the server.
>
> I have msconfiged and booted very clean on his PC (no AV, firewall,
> defender, etc)
>
> I tried connecting to another company's SBS vpn and have same issue.
>
> I can connect to vpn with his account on another computer.
>
> It fails with any account I try on his computer.
>
> So, it has to be computer specific.
>
> The fact the pptpclnt / pptpsrv succeeded really has me stumped.
> Any ideas? Are there any alternative vpn clients that run under xp
> and connect to a sbs 2003 vpn?
> thanks


Re: PC specific vpn issues by Joe

Joe
Fri Jun 27 09:55:18 PDT 2008

J wrote:
> Hello,
> I have 10 computers that CAN connect to my SBS 2003 pptp VPN.
> I have 1 user who cannot. He is running XP sp2. He gets 721 error.
> I can run pptpclnt / pptpsrv successfully from this client, so GRE is
> not the issue.
>
> (Dell server / 2 NICs; 1 NIC connected to local network; 1 NIC
> connected to public network.
> I have rerun CEICW, reinstalled RAS on the server.
>
> I have msconfiged and booted very clean on his PC (no AV, firewall,
> defender, etc)
>
> I tried connecting to another company's SBS vpn and have same issue.
>
> I can connect to vpn with his account on another computer.
>
> It fails with any account I try on his computer.
>
> So, it has to be computer specific.
>
> The fact the pptpclnt / pptpsrv succeeded really has me stumped.
> Any ideas? Are there any alternative vpn clients that run under xp
> and connect to a sbs 2003 vpn?

Not that I'm aware of. Are you able to take a laptop to the remote
location, or does he have a second PC?

Have you definitely confirmed that what is by far the most common reason
for one-computer-doesn't-do-VPN is not the case, that the remote
location isn't using the same network address as the SBS?

Re: PC specific vpn issues by J

J
Fri Jun 27 14:14:58 PDT 2008

On Jun 27, 9:55 am, Joe <j...@jretrading.com> wrote:
> J wrote:
> > Hello,
> > I have 10 computers that CAN connect to my SBS 2003 pptp VPN.
> > I have 1 user who cannot. He is running XP sp2. He gets 721 error.
> > I can run pptpclnt / pptpsrv successfully from this client, so GRE is
> > not the issue.
>
> > (Dell server / 2 NICs; 1 NIC connected to local network; 1 NIC
> > connected to public network.
> > I have rerun CEICW, reinstalled RAS on the server.
>
> > I have msconfiged and booted very clean on his PC (no AV, firewall,
> > defender, etc)
>
> > I tried connecting to another company's SBS vpn and have same issue.
>
> > I can connect to vpn with his account on another computer.
>
> > It fails with any account I try on his computer.
>
> > So, it has to be computer specific.
>
> > The fact the pptpclnt / pptpsrv succeeded really has me stumped.
> > Any ideas? Are there any alternative vpn clients that run under xp
> > and connect to a sbs 2003 vpn?
>
> Not that I'm aware of. Are you able to take a laptop to the remote
> location, or does he have a second PC?
>
> Have you definitely confirmed that what is by far the most common reason
> for one-computer-doesn't-do-VPN is not the case, that the remote
> location isn't using the same network address as the SBS?

Yes, he has tried a 2nd pc and it works fine.
It is a different IP address....thanks

Re: PC specific vpn issues by Joe

Joe
Sat Jun 28 06:45:40 PDT 2008

J wrote:
> On Jun 27, 9:55 am, Joe <j...@jretrading.com> wrote:
>> J wrote:
>>> Hello,
>>> I have 10 computers that CAN connect to my SBS 2003 pptp VPN.
>>> I have 1 user who cannot. He is running XP sp2. He gets 721 error.
>>> I can run pptpclnt / pptpsrv successfully from this client, so GRE is
>>> not the issue.
>>> (Dell server / 2 NICs; 1 NIC connected to local network; 1 NIC
>>> connected to public network.
>>> I have rerun CEICW, reinstalled RAS on the server.
>>> I have msconfiged and booted very clean on his PC (no AV, firewall,
>>> defender, etc)
>>> I tried connecting to another company's SBS vpn and have same issue.
>>> I can connect to vpn with his account on another computer.
>>> It fails with any account I try on his computer.
>>> So, it has to be computer specific.
>>> The fact the pptpclnt / pptpsrv succeeded really has me stumped.
>>> Any ideas? Are there any alternative vpn clients that run under xp
>>> and connect to a sbs 2003 vpn?
>> Not that I'm aware of. Are you able to take a laptop to the remote
>> location, or does he have a second PC?
>>
>> Have you definitely confirmed that what is by far the most common reason
>> for one-computer-doesn't-do-VPN is not the case, that the remote
>> location isn't using the same network address as the SBS?
>
> Yes, he has tried a 2nd pc and it works fine.
> It is a different IP address....thanks

It may be time to get serious, then. We've tried guessing the common
problems, but there's no substitute for actually seeing what's going on.
Do you have routers at either or both ends which can keep logs?
Presumably you can reach the SBS from the remote computer using RWW, so
you can run Network Monitor on the SBS and watch it remotely. RWW and
PPTP don't interfere with each other.

Here follows a log from Wireshark (free download) running on an XP Pro
machine during a short but textbook-perfect PPTP session using the
default SBS and XP setup. If you also have a good remote machine, then
you can probably compare logs and get a better idea of the point of
failure. If the line wrap isn't good on your email client, copy it out
to a text editor and wrap it properly, it's a pain to follow otherwise.
The 192.168.99. network is the remote one, .1 being the local gateway
server and 211 an Acer laptop.

The PPTP stuff is over TCP port 1723, the PPP stuff is over protocol 47,
GRE. If you're not seeing a GRE reply, you need to know whether the
request got out of the client, hence SBS Network Monitor and if
possible, router logs. With suitable routers, it's possible to see the
logs in real time on web browsers, which can run at both ends
simultaneously.

No.  Time       Source              Destination         Protocol  Info
1    0.000000   192.168.99.211      192.168.99.1        DNS       Standard query A server.domain.invalid
2    0.000815   192.168.99.1        192.168.99.211      DNS       Standard query response A <server public IP>
3    0.012561   192.168.99.211      <server public IP>  TCP       3601 > pptp [SYN] Seq=0 Len=0 MSS=1460
4    0.079428   <server public IP>  192.168.99.211      TCP       pptp > 3601 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1418
5    0.079533   192.168.99.211      <server public IP>  PPTP      Start-Control-Connection-Request
6    0.152806   <server public IP>  192.168.99.211      PPTP      Start-Control-Connection-Reply
7    0.152924   192.168.99.211      <server public IP>  PPTP      Outgoing-Call-Request
8    0.223595   <server public IP>  192.168.99.211      PPTP      Outgoing-Call-Reply
9    0.235646   192.168.99.211      <server public IP>  PPTP      Set-Link-Info
10   0.245156   192.168.99.211      <server public IP>  PPP LCP   Configuration Request
11   0.312005   <server public IP>  192.168.99.211      PPP LCP   Configuration Request
12   0.312398   192.168.99.211      <server public IP>  PPP LCP   Configuration Reject
13   0.313346   <server public IP>  192.168.99.211      PPP LCP   Configuration Ack
14   0.378925   <server public IP>  192.168.99.211      PPP LCP   Configuration Request
15   0.379402   192.168.99.211      <server public IP>  PPP LCP   Configuration Ack
16   0.379794   192.168.99.211      <server public IP>  PPP LCP   Identification
17   0.379957   192.168.99.211      <server public IP>  PPP LCP   Identification
18   0.446295   <server public IP>  192.168.99.211      PPTP      Set-Link-Info
19   0.446373   192.168.99.211      <server public IP>  PPTP      Set-Link-Info
20   0.446688   <server public IP>  192.168.99.211      PPP CHAP  Challenge
21   0.447570   192.168.99.211      <server public IP>  PPP CHAP  Response
22   0.530231   <server public IP>  192.168.99.211      PPP CHAP  Success (MESSAGE='S=26C494188D0F66E61F75281C6C9032693EAB9536')
23   0.530646   <server public IP>  192.168.99.211      PPP CBCP  Callback Request
24   0.531024   192.168.99.211      <server public IP>  PPP CBCP  Callback Response
25   0.596975   <server public IP>  192.168.99.211      PPP CBCP  Callback Ack
26   0.601686   192.168.99.211      <server public IP>  PPP CCP   Configuration Request
27   0.601937   192.168.99.211      <server public IP>  PPP IPCP  Configuration Request
28   0.602618   <server public IP>  192.168.99.211      PPP CCP   Configuration Request
29   0.602915   192.168.99.211      <server public IP>  PPP CCP   Configuration Nak
30   0.604057   <server public IP>  192.168.99.211      PPP IPCP  Configuration Request
31   0.604358   192.168.99.211      <server public IP>  PPP IPCP  Configuration Ack
32   0.667929   <server public IP>  192.168.99.211      PPP CCP   Configuration Nak
33   0.668898   <server public IP>  192.168.99.211      PPP IPCP  Configuration Reject
34   0.672052   <server public IP>  192.168.99.211      PPP CCP   Configuration Request
35   0.679482   192.168.99.211      <server public IP>  PPP CCP   Configuration Request
36   0.680173   192.168.99.211      <server public IP>  PPP IPCP  Configuration Request
37   0.680543   192.168.99.211      <server public IP>  PPP CCP   Configuration Ack
38   0.697584   <server public IP>  192.168.99.211      TCP       pptp > 3601 [ACK] Seq=213 Ack=373 Win=65163 Len=0
39   0.745279   <server public IP>  192.168.99.211      PPP CCP   Configuration Ack
40   0.747437   <server public IP>  192.168.99.211      PPP IPCP  Configuration Nak
41   0.747821   192.168.99.211      <server public IP>  PPP IPCP  Configuration Request
42   0.811584   <server public IP>  192.168.99.211      PPP IPCP  Configuration Ack
43   0.907557   192.168.99.211      <server public IP>  PPP Comp  Compressed data
44   0.926874   192.168.99.211      <server public IP>  PPP Comp  Compressed data
46   1.000941   192.168.99.211      <server public IP>  PPP Comp  Compressed data
49   1.647263   192.168.99.211      <server public IP>  PPP Comp  Compressed data
50   1.815896   192.168.99.211      <server public IP>  PPP Comp  Compressed data
51   2.397040   192.168.99.211      <server public IP>  PPP Comp  Compressed data
52   3.147041   192.168.99.211      <server public IP>  PPP Comp  Compressed data
53   3.900527   192.168.99.211      <server public IP>  PPP Comp  Compressed data
54   3.912761   192.168.99.211      <server public IP>  PPP Comp  Compressed data
55   4.647114   192.168.99.211      <server public IP>  PPP Comp  Compressed data
56   4.999968   Intel_86:43:66      QuantaCo_ec:c6:be   ARP       Who has 192.168.99.211? Tell 192.168.99.1
57   4.999992   QuantaCo_ec:c6:be   Intel_86:43:66      ARP       192.168.99.211 is at 00:c0:9f:ec:c6:be
58   5.397017   192.168.99.211      <server public IP>  PPP Comp  Compressed data
59   6.147963   192.168.99.211      <server public IP>  PPP Comp  Compressed data
60   6.898015   192.168.99.211      <server public IP>  PPP Comp  Compressed data
61   7.639919   192.168.99.211      <server public IP>  PPP Comp  Compressed data
62   7.647107   192.168.99.211      <server public IP>  PPP Comp  Compressed data
63   8.365864   192.168.99.211      <server public IP>  PPP Comp  Compressed data
64   8.397004   192.168.99.211      <server public IP>  PPP Comp  Compressed data
65   9.122657   192.168.99.211      <server public IP>  PPP Comp  Compressed data
66   9.166831   192.168.99.211      <server public IP>  PPP Comp  Compressed data
67   9.866012   192.168.99.211      <server public IP>  PPP Comp  Compressed data
68   10.616591  192.168.99.211      192.168.99.255      BROWSER   Local Master Announcement ACER, Workstation, Server, Dialin Server, NT Workstation, Potential Browser, Master Browser
69   10.616888  192.168.99.211      <server public IP>  PPP Comp  Compressed data
70   10.616919  192.168.99.211      <server public IP>  PPP Comp  Compressed data
71   11.812717  192.168.99.211      <server public IP>  PPTP      Set-Link-Info
72   11.813319  192.168.99.211      <server public IP>  PPP LCP   Termination Request
73   11.879284  <server public IP>  192.168.99.211      PPTP      Set-Link-Info
74   11.880155  <server public IP>  192.168.99.211      PPP LCP   Termination Ack
77   12.053151  192.168.99.211      <server public IP>  TCP       3601 > pptp [ACK] Seq=397 Ack=237 Win=65299 Len=0
79   12.925049  192.168.99.211      <server public IP>  PPTP      Call-Clear-Request
82   12.994826  <server public IP>  192.168.99.211      PPTP      Call-Disconnect-Notify
83   12.995212  192.168.99.211      <server public IP>  PPTP      Stop-Control-Connection-Request
84   13.060670  <server public IP>  192.168.99.211      PPTP      Stop-Control-Connection-Reply
85   13.067586  192.168.99.211      <server public IP>  TCP       3601 > pptp [FIN, ACK] Seq=429 Ack=401 Win=65135 Len=0
86   13.132076  <server public IP>  192.168.99.211      TCP       pptp > 3601 [FIN, ACK] Seq=401 Ack=430 Win=65107 Len=0
87   13.132152  192.168.99.211      <server public IP>  TCP       3601 > pptp [ACK] Seq=430 Ack=402 Win=65135 Len=0
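
Added example, not part of the original posts: one way to do the log comparison suggested above is to walk a Wireshark summary export (one packet per line) and report the first PPTP stage that never appears. The checkpoint names, hint texts and the sample addresses (192.0.2.211 as client, 203.0.113.10 as server) are constructed for illustration.

```python
import re

# Ordered checkpoints of a PPTP session as they appear in a summary export:
# (name, direction seen from the client, marker in "Protocol Info", hint)
CHECKPOINTS = [
    ("tcp_syn", "out", "[SYN]", "client sent no SYN to TCP 1723"),
    ("tcp_synack", "in", "[SYN, ACK]", "no answer on TCP 1723"),
    ("ctrl_reply", "in", "Start-Control-Connection-Reply",
     "TCP 1723 connected but the control connection was not answered"),
    ("call_reply", "in", "Outgoing-Call-Reply", "call setup was not answered"),
    ("gre_out", "out", "PPP LCP", "client sent no PPP (GRE, protocol 47)"),
    ("gre_in", "in", "PPP LCP",
     "no GRE reply seen: check on the server whether the request arrived"),
    ("auth_ok", "in", "CHAP Success", "link up, authentication not completed"),
    ("ipcp_ack", "in", "IPCP Configuration Ack", "no IP settings agreed"),
]

# No., Time, Source, Destination, then "Protocol Info" as one field.
ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse(text):
    """Yield (source, destination, protocol_and_info) per packet row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and wrapped continuation lines do not match
            yield m.group(3), m.group(4), m.group(5).strip()

def first_missing(text, client):
    """Return (checkpoint, hint) for the first stage not seen, else None."""
    packets = list(parse(text))
    for name, direction, marker, hint in CHECKPOINTS:
        peer = 0 if direction == "out" else 1  # client is source or destination
        if not any(p[peer] == client and marker in p[2] for p in packets):
            return name, hint
    return None

CLIENT, SERVER = "192.0.2.211", "203.0.113.10"  # constructed sample addresses
# Constructed capture modelled on the working session in the post.
GOOD = """\
 3 0.012561 192.0.2.211 203.0.113.10 TCP 3601 > pptp [SYN] Seq=0 Len=0
 4 0.079428 203.0.113.10 192.0.2.211 TCP pptp > 3601 [SYN, ACK] Seq=0 Ack=1
 5 0.079533 192.0.2.211 203.0.113.10 PPTP Start-Control-Connection-Request
 6 0.152806 203.0.113.10 192.0.2.211 PPTP Start-Control-Connection-Reply
 7 0.152924 192.0.2.211 203.0.113.10 PPTP Outgoing-Call-Request
 8 0.223595 203.0.113.10 192.0.2.211 PPTP Outgoing-Call-Reply
10 0.245156 192.0.2.211 203.0.113.10 PPP LCP Configuration Request
11 0.312005 203.0.113.10 192.0.2.211 PPP LCP Configuration Request
22 0.530231 203.0.113.10 192.0.2.211 PPP CHAP Success
42 0.811584 203.0.113.10 192.0.2.211 PPP IPCP Configuration Ack
"""
# Same capture with every PPP frame from the server dropped (GRE replies lost).
BLOCKED = "\n".join(l for l in GOOD.splitlines()
                    if not (l.split()[2] == SERVER and " PPP " in l))
```

Running first_missing() on an export from the failing PC and on one from a working PC shows at which checkpoint the two sessions diverge.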