weird issues with xp pptp server behind rv016

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by crackers8199, Dec 3, 2007.

  1. crackers8199

    crackers8199 LI Guru Member

    i have had many issues with our rv016 here at the office, trying to get a vpn connection to work to no avail...

    finally gave up on the built-in pptp server on the rv016, and decided to use our print server machine here in the office as an xp pptp server as well. set everything up on the print server machine, set it up to allow incoming connections and allow vpn connections. forwarded port 1723 tcp from the rv016 to the static ip of the pptp server...

    no luck. still does not work (will not connect, hangs on "verifying username and password"). however, here's an interesting twist - if i forward all traffic (all ports 0-65535) to the pptp server, everything works like a charm. can ping all the internal machines, can rdp into all of them, can do everything we want to be able to do...but that only works if i forward ALL TRAFFIC (both tcp and udp) to the print server.

    pptp passthru is turned on...

    so, my deductive reasoning skills lead me to believe that i'm missing a port or some number of ports that need to be opened up, but i can't figure out which ones. it doesn't seem like a very good practice to me to forward ALL ports to this machine, so what should i do?

    in case this helps, here's the system access log (with my home IP blocked out, obviously)...the pptp server's internal ip is i get an entry in the log whether the connection is successful or not (i.e. even if i have all traffic forward turned off and the connection fails, there will still be a line generated in the log like the ones below). it seems like the incoming port is changing every time...

    Dec 3 10:20:42 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4366-> on ixp1
    Dec 3 10:26:56 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4379-> on ixp1
    Dec 3 10:34:06 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4390-> on ixp1
    Dec 3 10:41:02 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4402-> on ixp1
    Dec 3 10:49:09 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4524-> on ixp1
    Dec 3 11:12:28 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4585-> on ixp1
    Dec 3 11:13:13 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4587-> on ixp1
    Dec 3 11:14:20 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4590-> on ixp1
    Dec 3 11:15:01 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4592-> on ixp1
    Dec 3 11:24:56 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4631-> on ixp1
    Dec 3 11:25:25 2007	   Connection Accepted	   TCP xx.xx.xx.xx:4632-> on ixp1
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Have you forwarded PPTP (tcp) port 1723 to your machine that's acting as your vpn server? 1723 is the assigned port for that protocol.

  3. Toxic

    Toxic Administrator Staff Member

    As doclarge says you need to port forward 1723 to the server and also make sure pptp is not enabled on the RV016.
  4. crackers8199

    crackers8199 LI Guru Member

    ...already stated in the original post that I had forwarded port 1723. Thought that should work, but it doesn't...the thing only works if I forward ALL TRAFFIC.

    Just forwarding 1723 isn't doing hangs on "Verifying username/password" in that case...

    PPTP server on the RV016 is disabled.
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    Sorry, misread on our part :)

    Based on what you've already surmised (doesn't work with 1723, works when all ports are forwarded), my next guess would be it's a firmware bug... Under "any" circumstances, if you forward to the computer that's acting as the vpn server, it should accept the incoming connection.

    What's the problem you're having with the onboard PPTP server, by the way?

  6. crackers8199

    crackers8199 LI Guru Member

    The on-board PPTP server allows me to connect and view computers via windows file sharing, but cannot ping and cannot RDP to any of the local machines...

    See this thread for details:

    Is there any way I can forward all ports to the XP machine and somehow allow only pptp traffic through? It seems like quite a dangerous practice to forward all traffic to one machine...
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    The only way I'm aware that you can "only" focus on pptp traffic is to forward 1723 to the machine in question (your print server).

    I saw a suggestion that someone made by asking you to install "ethereal." Have you tried that yet? You've been kicking this around since July, so I either have to commend your patience, or ask why haven't you given up? :)

    Seriously, I'd look around for a "cheap" alternative router to put in place of your RV016 for the sake of testing the "same" configuration. If it works with (let's say) a WRV200 ($75) you can safely say port forwarding is broke on the RV016...

    By the way, what type of connection are you on, xDSL or cable modem?

  8. crackers8199

    crackers8199 LI Guru Member

    Comcast cable modem

    Haven't given up yet because it's pretty much going to become a necessity for us here if we get any major snow or ice storms this winter. We can all VPN into the office and work from home...

    Not sure about getting a new router, as we just spent close to $400 on the RV016 and are very happy with it except for this minor detail. I will try flashing the new firmware tomorrow morning, and see if that fixes anything.

    Here's a question though - what's up with the different port numbers for each line on the log I posted?
  9. DocLarge

    DocLarge Super Moderator Staff Member Member

    Those are just packets using "any" available route to communicate with your "would-be" vpn server. The first open port that's available (and so on...) will be the "avenue" used to connect with your server.

  10. crackers8199

    crackers8199 LI Guru Member

    Flashing the firmware to 2.0.18 (from 2.0.17) did nothing...

    Going to try installing ethereal on the server now and see what that shows. I'll post my results here momentarily...
  11. crackers8199

    crackers8199 LI Guru Member

    I'm not entirely sure how to interpret these, but it looks like when I only forward port 1723 that GRE isn't getting through. There are no entries in the logs for GRE with only 1723 forwarded...when I forward all traffic, there are plenty.
  12. crackers8199

    crackers8199 LI Guru Member

    The more I look at this, the more I see that GRE isn't getting through even though I have PPTP Pass Through enabled. It only gets through when I forward all traffic to the server...

    How can I fix this without opening up my entire network to attack?
  13. crackers8199

    crackers8199 LI Guru Member

    Confirmed that GRE is not getting through unless ALL TRAFFIC is forwarded (or the server is put in the DMZ) - used the pptp server and ping tools that are included with XP to verify it.

    So, the question is...what now? How do I go about fixing this?
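
An added example, not part of the original thread or any poster's code: a Python check that classifies raw IPv4 packets seen at the PPTP server as control-channel traffic (TCP 1723) or PPTP's GRE data channel (IP protocol 47), reproducing the symptom described above. The packet bytes, the addresses 203.0.113.5 and 192.168.1.10, and all function names are constructed for illustration.

```python
import struct

TCP, GRE = 6, 47           # IP protocol numbers
PPTP_PORT = 1723           # PPTP control channel (TCP)
PPTP_GRE_PROTO = 0x880B    # protocol type in PPTP's enhanced GRE header (PPP)

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet as 'pptp-control', 'pptp-gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if proto == TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_PORT in (sport, dport):
            return "pptp-control"
    if proto == GRE and len(payload) >= 4:
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        if flags_ver & 0x0007 == 1 and ptype == PPTP_GRE_PROTO:  # GRE version 1
            return "pptp-gre"
    return "other"

def diagnose(packets) -> str:
    """Summarise which half of a PPTP session reached the capture point."""
    seen = {classify(p) for p in packets}
    if "pptp-control" not in seen:
        return "no PPTP control traffic: TCP 1723 is not reaching the server"
    if "pptp-gre" not in seen:
        return "control channel only: GRE (IP protocol 47) is being dropped"
    return "control channel and GRE both present"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed test data, checksum left 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([203, 0, 113, 5]),
                         bytes([192, 168, 1, 10]))
    return header + payload

# Constructed samples: a TCP SYN to port 1723 and one enhanced-GRE packet.
SYN_1723 = ipv4(TCP, struct.pack("!HHIIBBHHH", 4366, 1723, 0, 0,
                                 0x50, 0x02, 8192, 0, 0))
GRE_DATA = ipv4(GRE, struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 0, 1, 0))

if __name__ == "__main__":
    print(diagnose([SYN_1723]))            # only TCP 1723 forwarded
    print(diagnose([SYN_1723, GRE_DATA]))  # all traffic forwarded / DMZ
```

GRE is its own IP protocol with no port numbers, so a TCP or UDP port-forwarding rule, even one covering 0-65535, does not describe it; the router has to pass protocol 47 itself.
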
  14. DocLarge

    DocLarge Super Moderator Staff Member Member

    If the firmware doesn't fix being able to pass GRE packets, the onboard pptp server doesn't work, and you're getting nowhere with quickvpn, you may need to look at another option for vpn. Hmm, how about "SSL VPN" at no additional cost?

    That being said, have a look at "SSL Explorer":

    Not bad for a free solution...

  15. crackers8199

    crackers8199 LI Guru Member

    Seems kinda crappy that the damn thing doesn't work, even though it's advertised as doing so...
  16. DocLarge

    DocLarge Super Moderator Staff Member Member

    I haven't seen a lot of people buying the RV016 to be honest; most folks go for either the RV042 or the RV082. How long have you had it? Can you do a return? If not, I'd go with SSL explorer if you must have vpn "if" your company doesn't want to spring for a WRV200. I know without a doubt it passes GRE packets...

  17. crackers8199

    crackers8199 LI Guru Member

    We've had it since about July, so a return won't work.

    Anyway, I've gotten it somewhat working by putting the print-server in the DMZ, and setting up ZoneAlarmPro on it to block all traffic but open up GRE and port 1723 for PPTP.

    The issue I'm having now is that XP seems to only want to allow me one user connection at a time...I know this isn't a MS forum, but any ideas on that one?
  18. DocLarge

    DocLarge Super Moderator Staff Member Member

    When you say it's only allowing one connection at a time, are you implying it's only letting one person connect "out" at a time or just letting one person connect "in" at one time? If only one person can connect out, traditionally, that's an issue with the router.

  19. crackers8199

    crackers8199 LI Guru Member

    Only one person can connect IN. Seems that's a limitation of the non-server versions of XP, so we're pretty much screwed there as well...

    I'm also looking for free versions of PPTP server software that might be available for Windows, as well as the possibility of installing Ubuntu on the print server and going that route. If at all possible, I'd like our employees to be able to use the built-in XP VPN client to avoid confusion...
  20. fiat

    fiat Network Guru Member

    Check out OpenVPN at They are also a SSL based VPN. There is even a Windows GUI interface for the OpenVPN server available at

    This would require that you install client software on each computer. The install is simple and once you understand how things work the configuration is easy to handle too.

    OpenVPN can bridge connections to your network. Bridging works on XP but not on Win2k. One problem with XP is that you can only have 10 incoming connections at one time. Anything above that "requires" a Windows server.

    OpenVPN also runs on Linux so you could run a Linux OpenVPN server in bridge mode and have it pass your remote desktop requests through to the Windows computers in your business.
  21. crackers8199

    crackers8199 LI Guru Member

    10 incoming connections? I thought the limit was 1. If we can have 10, that'd actually work for do I go about raising it from 1 to 10?
  22. fiat

    fiat Network Guru Member

    Do you have XP Professional? Its limit is 10.

    Note that these are connections to the computer and not 10 concurrent remote desktop sessions on a single XP computer.
  23. crackers8199

    crackers8199 LI Guru Member

    Ah, such is the XP Pro on that machine.

    Anyway, I think I'm just going back to using the onboard PPTP server, since that's where we've had the most success so far...anyone have any idea though why I can reach the router, and can see all the networked machines in the office via Windows File Sharing...but I cannot ping any of the office machines, and I cannot RDP into any of them either?

    This is the main problem that has been keeping me from declaring this issue as resolved for the past five months...
  24. MikeMc

    MikeMc Network Guru Member

    I am not sure why you are having the problem with the RV016. We have 10+ installed just for what you are doing and no problems with any site.

    If you have the connection to the RV016 ok but cannot RDP then I would ask a few more questions:

    1. You mentioned zone alarm, are you running zone alarm on the machines that you are trying to RDP to?

    2. You mentioned that a machine did not have XP, I assume that it must be windows 2000. Windows 2000 does not do incoming RDP.

    3. Is the firewall turned on in the VPN?

    4. Are you having a problem pinging the VPN or the computer on the LAN side of the VPN?

    5. Have you tried tracert to see where the packet is going?

    6. Is the RV016 acting as your DNS/DHCP server or are you running other servers?

    7. Do you have any other routers involved in your network?

    8. Can you ping through the tunnel by ip address instead of name? If so are you on a domain and are you using the entire domain name in the ping request?

    9. Check the network setup on the computers on the lan with ipconfig /all make sure that the gateway is pointing at the linksys vpn and the dns addresses are ok.

    As I said earlier, we are using the MS XP PPTP client to connect to the RV016 to do RDP, file sharing, FTP and such without any problem. Reduce the problem to basics, turn off all firewalls including the XP firewall. Don't just turn it off through the GUI, go into the services control panel and disable the Windows Firewall Service (I have run into situations where the firewall GUI said it was off but it was not).

    Good luck,

