
VPN Connection Issue

ReggieDunlap

Senior member
Basics of the issue. Office is divided between 2 floors, 2nd floor and 3rd floor. Primary internet connection is on 3rd floor - 4MB/4MB SHDSL. Internet connection is from Cisco 2811 device (rented from provider) connected to a Netgear FS740T2 Smart Switch. Also behind the Cisco is a Mikrotik Router Board blackbox router connected to the NG switch as well. 2nd and 3rd floors are connected by cat6 line running between patch panels.

2nd floor switch is connected to patch panel and GW is configured correctly. There is no problem with internet connection for the 2nd floor as well as inter-office VPN configured on the Mikrotik Router (and routers in other offices). Problem is when a VPN connection is attempted from a pc on the 2nd floor to a server OUTSIDE our network (VPN over the internet) it fails. Log shows the general ErrorCode = 800. Tried pptpclnt and it fails.

pptpclnt ping results from a pc on the 2nd floor:

Initializing WinSock...
Obtaining host information...
Successfully resolved server's host information
======================================
Enter data to send to server (between 1 and 255 chrs.), then hit enter:
-->test
Successfully connected to server using TCP port 1723 (PPTP)
Sending data to server
Waiting for a reply to the data which was just sent...
Received a reply. Reply contains the following text:
--->
=================================
Connectivity test to TCP Port 1723 was successful!!!
Closing down socket...
=================================
Creating a socket to test GRE protocol traffic...
WSASocket() failed: 10013

and here are the results from a pc on the 3rd floor:
Initializing WinSock...
Obtaining host information...
Successfully resolved server's host information
======================================
Enter data to send to server (between 1 and 255 chrs.), then hit enter:
-->test
Successfully connected to server using TCP port 1723 (PPTP)
Sending data to server
Waiting for a reply to the data which was just sent...
Received a reply. Reply contains the following text:
--->
=================================
Connectivity test to TCP Port 1723 was successful!!!
Closing down socket...
=================================
Creating a socket to test GRE protocol traffic...
Total GRE packets sent = 1
Total GRE packets sent = 2
Total GRE packets sent = 3
Total GRE packets sent = 4
Total GRE packets sent = 5
=====================================
Check server to see if the GRE packets were received successfully
=====================================
Closing down socket
Goodbye!

The server I am trying to VPN connect to is outside our network and outside the Cisco. All ports are open on the Cisco and all protocols are allowed. I don't know why but it looks like the traffic from the second floor either can't find the GW or can't even find the 3rd floor!

Any other opinions or eyes on this would be greatly appreciated.

 
Check to make sure GRE Protocol 47 is enabled\allowed. Often this will be called VPN or PPTP passthrough. Simply allowing TCP port 1723 out isn't enough for PPTP VPNs.

I see in your results it failed at least once.
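
An added example, not part of any post in this thread: a small parser that splits a pptpclnt transcript into its TCP 1723 stage and its GRE (IP protocol 47) stage and names the Winsock error code. The verdict labels are this example's own; the sample text is excerpted from the two transcripts posted above.

```python
import re

# Winsock error codes that can come back from WSASocket() (values per winsock2.h).
WSA_ERRORS = {
    10013: "WSAEACCES",           # access denied by local permissions or policy
    10043: "WSAEPROTONOSUPPORT",  # protocol not supported on this host
    10044: "WSAESOCKTNOSUPPORT",  # socket type not supported
}

def classify(transcript: str) -> dict:
    """Report how far a pptpclnt run got: TCP 1723 stage, then GRE stage."""
    tcp_ok = "Connectivity test to TCP Port 1723 was successful" in transcript
    err = re.search(r"WSASocket\(\) failed:\s*(\d+)", transcript)
    sent = [int(n) for n in re.findall(r"Total GRE packets sent = (\d+)", transcript)]
    result = {"tcp_1723_ok": tcp_ok, "gre_sent": max(sent, default=0),
              "socket_error": None, "verdict": "incomplete"}
    if err:
        code = int(err.group(1))
        result["socket_error"] = WSA_ERRORS.get(code, f"unknown ({code})")
        # The raw socket was never created, so no GRE packet left this PC.
        result["verdict"] = "local_socket_refused"
    elif not tcp_ok:
        result["verdict"] = "tcp_1723_failed"
    elif sent:
        # pptpclnt only transmits; receipt has to be confirmed on the server.
        result["verdict"] = "gre_sent_unconfirmed"
    return result

# Excerpts of the two transcripts posted in the thread.
FLOOR_2 = """Connectivity test to TCP Port 1723 was successful!!!
Creating a socket to test GRE protocol traffic...
WSASocket() failed: 10013"""
FLOOR_3 = """Connectivity test to TCP Port 1723 was successful!!!
Creating a socket to test GRE protocol traffic...
Total GRE packets sent = 1
Total GRE packets sent = 5
Check server to see if the GRE packets were received successfully"""

if __name__ == "__main__":
    for name, text in (("2nd floor", FLOOR_2), ("3rd floor", FLOOR_3)):
        print(name, classify(text))
```

Error 10013 is raised when the socket is created on the PC itself, so that transcript says nothing yet about whether devices on the path pass GRE.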
 
Originally posted by: Genx87
Check to make sure GRE Protocol 47 is enabled\allowed. Often this will be called VPN or PPTP passthrough. Simply allowing TCP port 1723 out isn't enough for PPTP VPNs.

I see in your results it failed at least once.

GRE 47 is allowed. The results show success when connecting from a pc on the third floor, but it fails when trying from the 2nd floor. BOTH go through the same GW to the internet, so the fact it works from PCs on one floor but not the other is strange.

Also, while physically separated btwn floors, all the computers are on the same subnet and use the same gateway. So essentially, ALL PCs follow the same path out to the internet, but for 3rd floor the VPN establishes fine and from the 2nd floor it will not.
 
Take a laptop between floors, does it work on floor 3 but not on floor 2? If so floor 2 has a device in it somewhere blocking GRE. If that machine works fine at both locations, that eliminates the network (mostly) and indicates that you should be looking at the pc(s) having issues to see what is configured differently from the others. I have no idea how your network is configured but maybe someone on floor 2 decided to "help you" and turned on the Windows Firewall or you have a group policy on the lower floor.

What is this: Mikrotik Router Board blackbox?
 
ok guys quick explanation of the solution, for lack of a better description. Dorsal runs between floors went directly into 24 port patch panels. The switches were connected to the patch panels via their GB ports - the idea being run GB speed btwn floors, then 100MB to the desktops.

Moved cables from patch panels (switch 2nd flr and switch 3rd flr) away from port 50 (49&50 were the GB ports) and over to a 10/100 port. Boom! 2nd floor now able to get VPN again.

I'm not a networking/cabling guy, but I guess cause the Cisco device (actual internet connection) was on a 10/100 port, that was why the 2nd flr couldn't connect.

But thanks for the quick replies.
 
Originally posted by: imagoon
Take a laptop between floors, does it work on floor 3 but not on floor 2? If so floor 2 has a device in it somewhere blocking GRE. If that machine works fine at both locations, that eliminates the network (mostly) and indicates that you should be looking at the pc(s) having issues to see what is configured differently from the others. I have no idea how your network is configured but maybe someone on floor 2 decided to "help you" and turned on the Windows Firewall or you have a group policy on the lower floor.

What is this: Mikrotik Router Board blackbox?

Mikrotik Routers
Seems to be a fairly popular but not terribly expensive router solution in Europe. They can do a lot, but I'm not really a networking/router guy so there's MUCH I don't know about these little things. The one we're using is literally a black box about 6" x 7" but powerful as it handles bandwidth throttling, firewall, NAT, Mangle, DHCP quite a bit.
 
Originally posted by: ReggieDunlap
ok guys quick explanation of the solution, for lack of a better description. Dorsal runs between floors went directly into 24 port patch panels. The switches were connected to the patch panels via their GB ports - the idea being run GB speed btwn floors, then 100MB to the desktops.

Moved cables from patch panels (switch 2nd flr and switch 3rd flr) away from port 50 (49&50 were the GB ports) and over to a 10/100 port. Boom! 2nd floor now able to get VPN again.

I'm not a networking/cabling guy, but I guess cause the Cisco device (actual internet connection) was on a 10/100 port, that was why the 2nd flr couldn't connect.

But thanks for the quick replies.

OK, that actually indicates that there was a configuration in the switches blocking it; it is, however, unlikely that it was a gig > 100 base "conversion" issue (they basically don't exist).

If that solution works for you then great, but if you want to dig more into the why, post the switch configs. Spidey is one of the resident Cisco Gurus that might be able to shed light on what was happening.
 