pptp connects 1st time only, error 2nd time

  • Thread starter: scott
Hi,

I can establish a PPTP connection from a win2ksp3 client to win2ksp3
advanced server first time. Upon disconnecting and attempting a connection
again I get error 721.

(NOTE: both were on SP4 before I rolled them back to SP3 following this
problem).

I applied the registry fix mentioned in knowledgebase articles:

271731 PPTP clients cannot connect to a PPTP server that has multiple IP
http://support.microsoft.com/?id=271731

810839 VPN Client Cannot Establish a Connection After You Install a Service
Pack
http://support.microsoft.com/?id=810839

(NOTE: this fix suggested adding the ValidateAddress DWORD value and setting
to "0" which is off)

If I leave the machines for a few days and attempt the connection again it's
OK. As suggested above, after disconnecting again and attempting to connect
again I get error 721 (or error 650 on win98se).

I attempted to restart all machines involved but this does not help.

There is a firewall between the client and server. When attempting a
connection within the firewall it's always OK (from XPsp1).

Can someone please help ? Is this some sort of routing problem with the
firewall ?

PPTP 1723 and GRE protocol 47 (NOT PORT 47) are allowed to pass via the
firewall.

Thanks for any help.
Scott.
 
In addition,

I have noted that if I leave it for a few hours it seems to sort itself out
but when establishing a connection, disconnecting and trying to connect again
I always get error 721.
 
Firewall reports the following.

02/09/2004 17:24:01 Firewall rule match: TCP (Wan to Lan, rule:2)
99.99.99.99:23107 192.168.1.199:1723 ACCESS FORWARD

02/09/2004 17:24:01 Firewall rule NOT match: TCP (Wan to Lan, rule:1)
99.99.99.99:23107 192.168.1.199:1723 CHECK NEXT RULE

It seems that 1723 is being forwarded and blocked. I would assume from the
error 721 that GRE is the problem. Don't understand why this would work 1 out
of 100 times I try and connect.

Thanks
Scott.
 
The 721 in a case like this usually results when the reply comes from a
different IP address (i.e. different from the IP address to which it was
sent).

Maybe there is something funny happening on the LAN. It connects first
time, but then a router sends a redirect and later attempts try to use a
different IP. You would need to monitor the LAN traffic and look for ICMP
redirect messages to see this.
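
Added example, not part of the original reply: one way to look for the ICMP redirect messages mentioned above is to test captured raw IPv4 packets for ICMP type 5 and report which gateway is being advertised for which destination. The packets are constructed samples; 192.168.1.1 and 192.168.1.254 are assumed addresses, and checksums are left at zero and not verified.

```python
import ipaddress
import struct

REDIRECT_SCOPE = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def ip(raw):
    return str(ipaddress.IPv4Address(bytes(raw)))


def parse_icmp_redirect(packet):
    """Return redirect details if packet (raw IPv4 bytes) is ICMP type 5, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                          # not ICMP, or truncated
    if packet[ihl] != 5:                     # ICMP type 5 = redirect
        return None
    info = {
        "sent_by": ip(packet[12:16]),        # router issuing the redirect
        "told_host": ip(packet[16:20]),      # host being told to change route
        "use_gateway": ip(packet[ihl + 4:ihl + 8]),
        "scope": REDIRECT_SCOPE.get(packet[ihl + 1], "unknown"),
        "for_destination": None,
        "for_protocol": None,
    }
    inner = packet[ihl + 8:]                 # header of the packet that triggered it
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        info["for_destination"] = ip(inner[16:20])
        info["for_protocol"] = inner[9]      # 47 would be GRE
    return info


def find_redirects(packets):
    return [r for r in map(parse_icmp_redirect, packets) if r]


def build_ipv4(src, dst, proto, payload):
    """Build a constructed IPv4 packet (checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed samples: an echo request, then a host redirect for the server's GRE traffic.
GRE_OUT = build_ipv4("192.168.1.199", "99.99.99.99", 47, b"\x00" * 8)
SAMPLE_PACKETS = [
    build_ipv4("192.168.1.199", "192.168.1.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
    build_ipv4("192.168.1.1", "192.168.1.199", 1, struct.pack(
        "!BBH4s", 5, 1, 0, ipaddress.IPv4Address("192.168.1.254").packed) + GRE_OUT),
]
```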
 
Thanks for the reply.

Did a really interesting test this morning.

From external IP 1 a windows 2000 machine connected.
From external IP 1 a windows 2000 machine disconnected.
From external IP 1 a windows 2000 machine connected.
From external IP 1 a windows 2000 machine disconnected.

Seemed to be working fine.

From external IP 1 a windows 2000 machine connected.
From external IP 2 a windows 98 machine could not connect.
From external IP 1 a windows 2000 machine disconnected.
 
Thanks for the reply.

Did a really interesting test this morning. Please read from start to finish
to get an idea of the problem as I ain't that articulate:

From external IP 1 a windows 2000 machine connected.
From external IP 1 a windows 2000 machine disconnected.
From external IP 1 a windows 2000 machine connected.
From external IP 1 a windows 2000 machine disconnected.

Seemed to be working fine.

From external IP 1 a windows 2000 machine connected.
From external IP 2 a windows 98 machine could not connect.
From external IP 1 a windows 2000 machine manually disconnected.
From external IP 2 a windows 98 machine could connect.
From external IP 1 a windows 2000 machine could not connect.
From INTERNAL LAN an XP client could connect then manually disconnected.

Seemed to suggest only 1 machine could connect from external source. 10 mini
wan ports are available on ras server.
(NOTE: I will try multi 2000 and XP machines soon).

From external IP 2 a windows 98 machine manually disconnected.
From external IP 2 a windows 98 machine could not connect.
From external IP 1 a windows 2000 machine could not connect.

SO WINDOWS 2000 machines can connect on and off (and probably MANY 2000
machines).

HOWEVER, as soon as Windows 98 connects any other connections stop working
for a day.

Does this mean that all PPTP GRE traffic is going to a single WIN98
connected PPTP client? Hence when a second machine tries to connect it does
not get a reply?

Thanks
Scott.
 
When running PPTPSRV on server (from windows toolkit) and PPTPCLNT on
client I get the following results:

--------------------------------------------------------------------
error 10048 binding socket
WAEADDRINUSE: address allready in use

Created Socket for GRE protocol test
Listening on PROTOCOL 47 for incoming GRE packets...
--------------------------------------------------------------------

Like when testing the incoming PPTP connections this test displays the same
results, i.e. sometimes it works, sometimes it does not. More often it works in
the morning first thing until a windows 98 PPTP connection is established.

Testing today has shown that 2000 pptp connect, disconnect, connect works
until 98 connects and disconnects. At this point no connections can be made.

Any ideas welcome ?

Thanks
Scott.
 
FIREWALL REPORTING GRE FORWARD

--------------------------------------------------------------------

No. | Time                | Source IP         | Destination IP     | Note
1   | 02/10/2004 12:05:43 | 99.99.99.99:27511 | 192.168.1.199:1723 | ACCESS FORWARD

Firewall rule match: TCP (Wan to Lan, rule:2)
 
Got a better test:

NET
v
ROUTER
v
ROUTER > win2k client (WS012)
v
FIREWALL
v
RAS SERVER

- The win2k client (WS012) on the middle router (DMZ) can ALWAYS establish a
PPTP connection to RAS SERVER.
- This connection passes through the FIREWALL.
- Once this connection has been made all other external PPTP WIN2k clients
can connect.
- After WS012 disconnects and after several mins all external WIN2k that
attempt connection get error 721.

What the heck is going on ?

Thanks for any information at all.
Scott.
 
Further testing showed:

win98 on external ip connect ok (firewall report PPTP 1723 + GRE)

win 98 manually disconnect, reconnect (firewall report PPTP 1723 only)

It's like GRE was lost during the second connection, i.e. second time GRE did
not make it as far as the FIREWALL.

I'm checking middle ROUTER.
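
Added example, not part of the original posts: the symptom described above (TCP 1723 forwarded, no GRE seen on the second attempt) can be checked mechanically by pairing each forwarded control connection in the firewall log with a GRE entry from the same client. The TCP line format is taken from the log quoted in the thread; the GRE line format, rule number 3, the 30-second window, the month/day date order and every sample entry except the first are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches forwarded entries only; "rule NOT match ... CHECK NEXT RULE" lines are skipped.
ENTRY = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) Firewall rule match: (?P<proto>\w+) "
    r"\(Wan to Lan, rule:\d+\) (?P<src>[\d.]+)(?::\d+)? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? ACCESS FORWARD"
)


def control_without_gre(log_text, window=timedelta(seconds=30)):
    """List (time, client) for each forwarded TCP/1723 connection that is not
    followed by a forwarded GRE entry from the same client within `window`."""
    control, gre = [], []
    # Entries wrap over two lines in the log, so collapse whitespace first.
    for m in ENTRY.finditer(" ".join(log_text.split())):
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")  # date order assumed
        if m["proto"] == "TCP" and m["dport"] == "1723":
            control.append((ts, m["src"]))
        elif m["proto"] == "GRE":
            gre.append((ts, m["src"]))
    return [(ts, src) for ts, src in control
            if not any(s == src and ts <= g <= ts + window for g, s in gre)]


# Constructed sample: first connect shows 1723 + GRE, the reconnect shows 1723 only.
SAMPLE_LOG = """
02/10/2004 12:05:43 Firewall rule match: TCP (Wan to Lan, rule:2)
99.99.99.99:27511 192.168.1.199:1723 ACCESS FORWARD
02/10/2004 12:05:44 Firewall rule match: GRE (Wan to Lan, rule:3)
99.99.99.99 192.168.1.199 ACCESS FORWARD
02/10/2004 12:09:10 Firewall rule NOT match: TCP (Wan to Lan, rule:1)
99.99.99.99:27530 192.168.1.199:1723 CHECK NEXT RULE
02/10/2004 12:09:10 Firewall rule match: TCP (Wan to Lan, rule:2)
99.99.99.99:27530 192.168.1.199:1723 ACCESS FORWARD
"""

if __name__ == "__main__":
    for when, client in control_without_gre(SAMPLE_LOG):
        print(f"{when} {client}: TCP 1723 forwarded, no GRE seen at the firewall")
```

An attempt flagged here means the GRE packets never reached this firewall, which points the investigation at the devices in front of it.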
 