Troubleshooting VPN connections : Dr. RRAS

These are some of the common errors we come across when a client makes a VPN connection to a Routing and Remote Access (RRAS) VPN server:

Connection-time errors

Error 800: VPN server is unreachable

This occurs when the client's PPTP/L2TP packets cannot reach the VPN server, or the server is not listening for them.

Troubleshooting steps:

1. See if you can ping the VPN server. [A ping may fail even when the server is up if static packet filters on the VPN server drop ICMP, so a failed ping on its own is not conclusive.]

2. If you have access to the VPN server, run 'netstat -aon' at a command prompt. You should see the following lines: the VPN server listens on TCP port 1723 for PPTP control traffic and on UDP port 1701 for L2TP traffic.

      TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING

      UDP 0.0.0.0:1701 *:*

If these lines are not present, the VPN server is not listening for PPTP/L2TP traffic (check that the Routing and Remote Access service is started and that the PPTP/L2TP ports are enabled in the Ports properties of the RRAS console). Note that an L2TP/IPsec client must additionally get IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) through to the server; the L2TP packets on UDP 1701 travel inside IPsec.

3. From the VPN client, use PortQry.exe to see whether the PPTP or L2TP packets are being dropped on the way.

      Use portqry.exe -n <server_IP_address> -e 1723 to query the PPTP port and portqry.exe -n <server_IP_address> -e 1701 -p UDP to query the L2TP port. PortQry reports LISTENING when the port answers, NOT LISTENING when the server itself replies that nothing is bound there (a TCP reset or an ICMP port-unreachable), and FILTERED when nothing comes back before the timeout. NOT LISTENING points at the RRAS server (the service is stopped or the port is not enabled); FILTERED points at a firewall or NAT in between. For UDP, silence is reported as 'LISTENING or FILTERED' because a UDP listener is not obliged to reply to an arbitrary datagram.

4. Another important thing to check is whether a firewall in between is dropping the packets.
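The checks in steps 2 and 3 above, as an added example that is not part of the original post: a small Python script that gives PortQry-style verdicts for TCP 1723 and UDP 1701 from the client side, and scans 'netstat -aon' output for the two listeners on the server side. The netstat text inside it is constructed for illustration, the verdict words are assumed to mirror PortQry's, and the loopback self-check shows all three verdicts without any VPN server.

```python
import socket
import sys

PPTP_TCP_PORT = 1723  # PPTP control channel; PPTP data travels in GRE (IP protocol 47), not a port
L2TP_UDP_PORT = 1701  # L2TP; an L2TP/IPsec client also needs UDP 500/4500 and ESP to get through
EXPECTED_LISTENERS = {("TCP", PPTP_TCP_PORT), ("UDP", L2TP_UDP_PORT)}  # the 'netstat -aon' rows from the post

def probe_tcp(host, port, timeout=3.0):
    """PortQry-style verdict for a TCP port (verdict words assumed to mirror PortQry's).

    LISTENING: handshake completed. NOT LISTENING: the server sent a RST, so packets
    arrive but nothing is bound there. FILTERED: no answer before the timeout, so a
    firewall or NAT in between is dropping the packets (or the host is down).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "LISTENING"
        except ConnectionRefusedError:
            return "NOT LISTENING"
        except socket.timeout:
            return "FILTERED"
        except OSError as exc:  # e.g. no route to host: a client-side problem, not the server's
            return f"ERROR ({exc.strerror})"

def probe_udp(host, port, timeout=3.0):
    """PortQry-style verdict for a UDP port.

    The only definite negative is an ICMP 'port unreachable', which the OS surfaces
    as ConnectionRefusedError on a connected UDP socket. Silence may be a listener
    ignoring the datagram or a firewall eating it, hence 'LISTENING or FILTERED'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b"\x00")
            s.recv(1)
            return "LISTENING"
        except ConnectionRefusedError:
            return "NOT LISTENING"
        except socket.timeout:
            return "LISTENING or FILTERED"
        except OSError as exc:
            return f"ERROR ({exc.strerror})"

def missing_listeners(netstat_output):
    """Return the expected RRAS listeners absent from Windows 'netstat -aon' text.

    Rows look like 'Proto  Local Address  Foreign Address  [State]  PID'; UDP rows have
    no State column. The port is taken after the last colon so '[::]:1723' parses too.
    A TCP row on 1723 in ESTABLISHED state is an existing tunnel, not the listener.
    """
    found = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        try:
            port = int(fields[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if fields[0] == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        found.add((fields[0], port))
    return sorted(EXPECTED_LISTENERS - found)

# Constructed 'netstat -aon' excerpt for a healthy RRAS server (not a real capture).
SAMPLE_NETSTAT_OK = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       1404
  TCP    10.0.0.5:1723          10.0.0.77:49211        ESTABLISHED     1404
  UDP    0.0.0.0:500            *:*                                    1404
  UDP    0.0.0.0:1701           *:*                                    1404
  UDP    0.0.0.0:4500           *:*                                    1404
"""
# Same server with the PPTP listener gone; only the old tunnel row on 1723 remains.
SAMPLE_NETSTAT_NO_PPTP = "\n".join(
    row for row in SAMPLE_NETSTAT_OK.splitlines() if "0.0.0.0:1723" not in row)

def demo_on_loopback():
    """Exercise the probes offline: (open TCP port, same port once closed, silent UDP port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp:
        tcp.bind(("127.0.0.1", 0))
        tcp.listen(1)
        port = tcp.getsockname()[1]
        open_verdict = probe_tcp("127.0.0.1", port, timeout=2.0)
    closed_verdict = probe_tcp("127.0.0.1", port, timeout=2.0)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(("127.0.0.1", 0))
        silent_verdict = probe_udp("127.0.0.1", udp.getsockname()[1], timeout=0.5)
    return open_verdict, closed_verdict, silent_verdict

if __name__ == "__main__":
    if len(sys.argv) != 2:  # no server given: show the three verdicts on loopback
        print(demo_on_loopback())
        sys.exit(0)
    print("TCP 1723 (PPTP):", probe_tcp(sys.argv[1], PPTP_TCP_PORT))
    print("UDP 1701 (L2TP):", probe_udp(sys.argv[1], L2TP_UDP_PORT))
```

Run it with the VPN server's address as the only argument; a FILTERED verdict on 1723 with NOT LISTENING on a closed control port of the same host is the signature of a firewall dropping the PPTP port specifically. Paste the server's real netstat output into missing_listeners() to confirm the server-side half of step 2.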

Error 721: GRE protocol blockage

PPTP uses two channels: a control connection on TCP port 1723 and a data channel that carries the PPP frames inside GRE (Generic Routing Encapsulation, IP protocol 47). So PPTP data packets have a GRE header in addition to the PPP header. If GRE is being blocked by NATs or firewalls in between, the control connection succeeds but the PPP negotiation over the data channel gets no answer, and the PPTP connection fails with error 721.

Troubleshooting steps:

1. Check the network in between. If there are firewalls or NAT devices in between, ensure that IP protocol 47 (GRE) is allowed through to the VPN server. Many routers expose this as a 'PPTP passthrough' or 'VPN passthrough' setting. Note that GRE has no port numbers, so opening TCP port 1723 alone is not enough.

2. Another option is to try an L2TP connection instead. L2TP does not use GRE, so it will get through a GRE block (unless something else blocks L2TP traffic as well: L2TP/IPsec needs UDP 500, UDP 4500 and ESP, IP protocol 50, to pass, or NAT-T when a NAT is in the path).

3. If this also does not solve the issue, contact the router/firewall manufacturer about GRE support in its firmware.
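To make the GRE encapsulation described above concrete, here is an added example that is not from the original post: Python that builds a PPTP data packet (IPv4 header with protocol 47, the enhanced GRE header of RFC 2637 section 4.1 with the 0x880B PPP protocol type, then the PPP payload) and parses it back, returning None for anything that is not PPTP-over-GRE. The addresses, call ID and PPP bytes are constructed for illustration. In a client-side capture of a blocked link these protocol-47 packets are what leaves the client without ever being answered, while the TCP 1723 control channel looks healthy.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47        # IP protocol number a firewall must pass for PPTP data
GRE_PROTO_PPP = 0x880B  # GRE Protocol Type for PPP, the value PPTP uses
GRE_FLAG_K = 0x20       # Key present (payload length + call ID); always set by PPTP
GRE_FLAG_S = 0x10       # Sequence number present
GRE_FLAG_A = 0x80       # Acknowledgment number present (this bit lives in the version byte)

def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header (0 when the header verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_pptp_gre_packet(src, dst, call_id, ppp_payload, seq=None, ack=None):
    """Return an IPv4 packet carrying one PPTP data frame: the traffic a GRE block drops."""
    flags = GRE_FLAG_K | (GRE_FLAG_S if seq is not None else 0)
    version = 1 | (GRE_FLAG_A if ack is not None else 0)  # enhanced GRE is version 1
    gre = struct.pack("!BBHHH", flags, version, GRE_PROTO_PPP, len(ppp_payload), call_id)
    if seq is not None:
        gre += struct.pack("!I", seq)
    if ack is not None:
        gre += struct.pack("!I", ack)
    total_len = 20 + len(gre) + len(ppp_payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_GRE, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the checksum field
    return ip + gre + ppp_payload

def parse_pptp_gre_packet(pkt):
    """Return the GRE/PPTP fields of an IPv4 packet, or None if it is not PPTP-over-GRE.

    Anything that is not IP protocol 47 (the TCP 1723 control channel, L2TP on UDP
    1701, ...) comes back as None, as does a GRE packet that is not enhanced GRE
    carrying PPP (some other tunnel).
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        return None
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    gre = pkt[ihl:]
    if len(gre) < 8:
        return None
    flags, version, proto_type, payload_len, call_id = struct.unpack("!BBHHH", gre[:8])
    if (version & 0x07) != 1 or proto_type != GRE_PROTO_PPP or not flags & GRE_FLAG_K:
        return None
    offset, seq, ack = 8, None, None
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if version & GRE_FLAG_A:
        ack = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    return {
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "call_id": call_id,
        "seq": seq,
        "ack": ack,
        "ppp": gre[offset:offset + payload_len],
    }

# Constructed sample: a PPP LCP frame from client 192.0.2.10 to VPN server 198.51.100.5.
SAMPLE_PPP = bytes.fromhex("ff03c021")  # PPP address/control bytes + LCP protocol id
SAMPLE_PACKET = build_pptp_gre_packet("192.0.2.10", "198.51.100.5", 0x1F2E,
                                      SAMPLE_PPP, seq=7, ack=3)
# A bare 20-byte IPv4 header with protocol 6 (TCP), i.e. what the PPTP control
# channel on port 1723 is at the IP layer; the parser must ignore it.
SAMPLE_TCP_PACKET = bytes([0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 6, 0, 0]) + bytes(8)

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print(parse_pptp_gre_packet(SAMPLE_PACKET))
    print(parse_pptp_gre_packet(SAMPLE_TCP_PACKET))
```

The useful thing to notice in the hex dump is byte 9 of the IP header (0x2f, protocol 47) and the absence of any port field after it: a firewall rule keyed on TCP/UDP ports never matches this packet, which is exactly why 'open 1723' alone does not fix error 721.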

Error 741/742: Encryption mismatch error

These errors occur either when the client requests an encryption level the server does not allow, or when the server does not support an encryption type the client requests.

Troubleshooting steps:

1. Check the connection (connectoid) properties on the VPN client. If 'Require encryption (disconnect if none)' is selected, clear the check box and try to connect. If the connection then succeeds, the mismatch is confirmed; re-enable the requirement once the server-side policy is fixed rather than leaving the tunnel running without encryption.

2. On the VPN server, check the remote access policies. In the policy's profile, look at the 'Encryption' tab to see whether the encryption strength the client requests is allowed there. [If you are using remote RADIUS authentication, check this on the IAS server instead, since the policy is evaluated there.]

Janani V

Software Design Engr/Test,

RRAS, Windows Enterprise Networking.

[This posting is provided "AS IS" with no warranties, and confers no rights.]