So I am running Windows 7 Enterprise. This morning I was able to VPN using the built-in VPN (Connect to Work Network etc). I had to change my network's IP address range and now the VPN will not work. It just stalls on the "Verifying user name and password..." message. But then it returns the 619 error.
Anybody know why changing my machine's IP address would cause this problem? Where should I be looking to try and fix this issue?
I have tried this on a Windows XP machine that also had the IP address range change and this still connects fine using exactly the same connection details.
EDIT
The internal network range changed from 192.x.x.x to 10.x.x.x. This was done on the entire Active Directory. All machines are running fine, and the Windows XP machine that works going to the same client VPN mentioned above is on the same network. Both the XP and the Windows 7 machines are using DHCP served by the Domain Controller. The client domain is not performing any IP range checks/restrictions.
The VPN is outside the internal network; the connection is being made via the Internet and is not passing through any other machine, other than the normal domain machines, i.e. DNS etc. This is passing through a router and the router has the relevant VPN passthrough options configured. All internal machines are working correctly with other forms of VPN, i.e. Cisco, Sonic etc (these were tested on other machines, they are not installed on the Vista or Windows 7 machines).
After further testing, this is occurring on all Windows 7 and Vista machines where they can no longer connect to the client VPN, however all XP machines can still connect fine. This has been tested on three Vista, two Windows 7 and five XP machines. All machines are on DHCP and tests have been done with both the firewalls turned on and off, as well as with fixed IPs being used.
Thanks for your reply harrymc.
The internal network range changed from 192.x.x.x to 10.x.x.x. This was done on the entire Active Directory. All machines are running fine, and the Windows XP machine that works going to the same client VPN mentioned above is on the same network. Both the XP and the Win 7 machines are using DHCP served by the Domain Controller. The client domain is not performing any IP range checks/restrictions. – TravisPUK – 2009-12-27T15:57:24.010
Is the VPN to outside of your network? Does the Win7 machine otherwise connect well to the rest of the network & Internet? And through which machine? I assume you would have already verified its network connection parameters and turned off any potentially harmful firewall. – harrymc – 2009-12-27T16:11:09.397
Yes, the VPN is outside of our network. Yes, the Win 7 machine connects fine to everything else. I have tried this with all firewalls turned off, as my Google research suggested that it might have been a firewall problem. I am also having the same issue with Vista machines that worked fine prior to the IP address change, although I intermittently had issues with Vista on SP1. – TravisPUK – 2009-12-29T08:28:18.380
See the edit to my answer. – harrymc – 2009-12-29T09:08:07.457
Harrymc, thanks for sticking with me on this. I have tried everything you have mentioned in your edit and still no difference unfortunately. – TravisPUK – 2009-12-29T09:17:34.053
I've edited-in my last-gasp effort. – harrymc – 2009-12-29T12:04:46.477
Last gasp is how I feel about it also harrymc. Thanks for your efforts. The VPN Server I am trying to get to is Windows 2003 server. I think it supports MS-CHAP v2, but the key to this is that prior to the internal IP address change on my network, my Win7 machine could connect to it using the same settings. In fact my Win 7 machine at home can still connect to it so I think it must be linked to firewall, router or similar, but will try your suggestions also.
"include Windows Logon Domain" was already unchecked. – TravisPUK – 2009-12-29T12:28:55.543
Can these Vista/W7 machines connect to other VPN servers on other networks? – harrymc – 2009-12-29T12:34:56.820
It appears so yes. I have tried to replicate the settings of the ones that are working to the one that isn't but no luck. – TravisPUK – 2009-12-29T13:14:04.787
Logic says that if the problem is just with one VPN server, then the problem is there and not on your side. Maybe something changed on that server, by coincidence at the same time as your IP range change? – harrymc – 2009-12-29T13:17:00.653
I agree with the logic, but am sure nothing changed on their end as they were all on holidays at the time. I still keep coming back to the fact that the XP machines are still working fine. I think there must be some sort of mapping or something (shouting out ideas only) like firewall rules etc that is causing this to happen. Thanks again harrymc. – TravisPUK – 2009-12-29T13:20:10.850
Did you try turning off TCP/IP auto-tuning? (not available on XP) – harrymc – 2009-12-29T14:39:53.127
I have tried it both with Auto-Tuning disabled and set to normal, no difference unfortunately. I have also done some further testing with other clients and there are a couple of other VPNs that are no longer working. There also seems to be a common link between the ones that are working and the ones that aren't. The ones that aren't working, previously when connected to them you would lose your internal network functions, i.e. http etc. The ones that still work, you always had access to the internal network also. Not sure if that makes any difference to the possible solution though. – TravisPUK – 2009-12-31T09:42:44.557
Last question for 2009: Did XP before also lose internal network for these VPNs? – harrymc – 2009-12-31T16:36:21.157
Yes, XP was also blocked from internal network (or external I guess technically, http and others do not work, i.e. GTalk, Web etc). It still is blocked after the IP Range change. – TravisPUK – 2009-12-31T16:55:03.207
Does this ring any bell: http://nimlabs.org/~nim/dirtynat.html ? – harrymc – 2010-01-01T12:11:38.870
harrymc, not really. The client is definitely on a different range to us, in fact they were one of the reasons we changed from a 192.x.x.x range to a 10.x.x.x one. So if you are thinking that we might be having a range clash, then I don't think so... unless you are thinking of something else. – TravisPUK – 2010-01-05T10:06:17.003
My guess would be that you're being blocked by some software or firmware that doesn't like your new address range. But I lack information for any non-vague analysis. I would examine any router or software that sees this difference in IP, like IPSEC if you use it. Sorry, but this kind of problem can't really be solved at a distance. – harrymc – 2010-01-05T17:15:31.433
harrymc, thanks for the time you have put in, the effort is appreciated. – TravisPUK – 2010-01-07T09:43:07.823
I would be very interested in the solution, once you have found it. Please add a comment here as an alert. – harrymc – 2010-01-07T10:46:23.233