Welcome to ISAserver.org

Unable to establish a PPTP VPN connection

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> VPN >> Unable to establish a PPTP VPN connection

Page: [1]

Message

<< Older Topic Newer Topic >>

Unable to establish a PPTP VPN connection - 28.Feb.2008 8:14:17 PM

Kazi

Posts: 2
Joined: 28.Feb.2008
Status: offline

I am having a problem establishing a VPN (PPTP) connection from the Internet to my ISA 2006 Standard Edition. Receiving Error 800: Unable to establish VPN connection
<Internet>--<Cisco 1721>--ISA 2006>--<Internal Network>
I have configured VPN pass through on the Cisco router and applied the access-list for inbound and outbound on each interface.
access-list 101 permit ip any any
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
The ISA log logs an initiated PPTP connection on port 1723 from the client with system policy “Allow VPN traffic to ISA server” then there is a denied connection logged. Also, I have tested the connection using PPTP tools. Here are the results.
C:\Dloads\ISA\PPTP Tools>pptpclnt xxx.xxx.xxx.xxx
Initializing WinSock...
Obtaining host information...
Successfully resolved server's host information
======================================
Enter data to send to server (between 1 and 255 chrs.), then hit enter:
-->1
Successfully connected to server using TCP port 1723 (PPTP)
Sending data to server
Waiting for a reply to the data which was just sent...
Error 10054 calling recv():
WSAECONNRESET: Connection reset by peer
Creating a socket to test GRE protocol traffic...
Total GRE packets sent = 1
Total GRE packets sent = 2
Total GRE packets sent = 3
Total GRE packets sent = 4
Total GRE packets sent = 5
=====================================
Check server to see if the GRE packets were received successfully
=====================================
Closing down socket
Goodbye!

Post #: 1

Featured Links*

RE: Unable to establish a PPTP VPN connection - 13.Mar.2008 8:41:36 AM

samh

Posts: 2
Joined: 13.Mar.2008
Status: offline

This is exactly the same error we are experiencing.
It only occured after after reinstalling Service Pack 2, and then reinstalling ISA 2006, using a copy of our saved firewall policy config.

Is it related to Routing and remote access?

Any help would be greatly appreciated!

(in reply to Kazi)

Post #: 2

RE: Unable to establish a PPTP VPN connection - 13.Mar.2008 12:29:19 PM

Kazi

Posts: 2
Joined: 28.Feb.2008
Status: offline

The problem is coming from the RSS (Receive Side Scaling) feature in the Win2003 SP2.

I had to disable this feature to allow incoming PPTP session. A reboot is required.

To disable it, go into the registry :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
and set the key "EnableRSS" to 0.

(in reply to samh)

Post #: 3

RE: Unable to establish a PPTP VPN connection - 13.Mar.2008 12:54:17 PM

samh

Posts: 2
Joined: 13.Mar.2008
Status: offline

Yeah, i have disabled this. I did it as part of my reinstall of SP2 and ISA2006. Any other ideas? Is there somewhere else where RSS might be turned off?

Thanks for your quick reply

(in reply to Kazi)

Post #: 4

RE: Unable to establish a PPTP VPN connection - 29.Apr.2008 2:45:06 PM

mikepiet

Posts: 9
Joined: 8.Jan.2007
Status: offline

I was researching this issue today and came across this post. I am having the exact same issue. My firewall team is adamant that GRE (type 47) has been given access from the outside world to the ISA server.

Similar to the original poster, I see the exact same results when running pptpsrv (from ISA box) and pptpclt (from my home).

I am able to successfully establish a VPN from my internal network. I did this just to test and would not usually do this in production.

But again, 1723 is open but clients are not authenticating. I did check the registry key mentioned in the previous post and it is set to zero.

The machine is an ISA 2006 box running on Server 2003 SP2. The ISA box is joined to the domain.

Hope someone can help. Thanks in advanced.

Michael

(in reply to Kazi)

Post #: 5