我有一个客户端(Server 2008 R2)无法连接到我们的生产环境PPTP VPN服务器(Server 2003,运行RRAS).
服务器位于防火墙后面,TCP1723打开以及GRE.我们办公室的其他客户能够很好地连接.我们的办公室位于Juniper SSG5-Serial防火墙之后,但允许所有传出流量,并且其他多个客户端可以毫无问题地连接到VPN服务器.
我还在办公室外的另一个网络上设置了一个完全不同的VPN服务器.功能正常的客户端连接得很好 – Server 2008 R2机器没有.因此,这特别是这台机器的问题.
我重启了它.我已禁用防火墙,两者都没有骰子.
我在服务器/客户端上运行PPTPSRV和PPTPCLNT,它们能够完美地通信 – 表明使用TCP1723和GRE都没有问题.
Server 2008 R2计算机也作为VPN服务器本身(传入连接)运行,并且运行正常.无论是否存在活动的传入连接,我们都会遇到问题.
我不确定我的下一个调试步骤是什么;有什么建议?
编辑:服务器上的事件日志具有来自RasMan的以下警告:
- A connection between the VPN server and the VPN client xxx.xxx.xxx.xxx has been
- established,but the VPN connection cannot be completed. The most common cause
- for this is that a firewall or router between the VPN server and the VPN client
- is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).
- Verify that the firewalls and routers between your VPN server and the Internet allow
- GRE packets. Make sure the firewalls and routers on the user's network are also
- configured to allow GRE packets. If the problem persists,have the user contact
- the Internet service provider (ISP) to determine whether the ISP might be blocking
- GRE packets.
显然,这表明GRE是一个潜在的问题.但看到我有其他客户端连接没有问题,以及PPTPSRV和PPTPCLNT能够通信,我怀疑这可能是一个红色的鲱鱼.
编辑:以下是客户按时间顺序记录的匿名事件:
- CoId={742CB15C-A7E0-47B7-8240-0EFA1139CBD9}: The user XXX\YYY has started dialing a VPN connection using a per-user connection profile named ZZZ. The connection settings are:
- Dial-in User = XXX\YYY
- VpnStrategy = PPTP
- DataEncryption = Require
- PrerequisiteEntry =
- Autologon = No
- UseRasCredentials = Yes
- Authentication Type = CHAP/MS-CHAPv2
- Ipv4DefaultGateway = No
- Ipv4AddressAssignment = By Server
- Ipv4DNSServerAssignment = By Server
- Ipv6DefaultGateway = Yes
- Ipv6AddressAssignment = By Server
- Ipv6DNSServerAssignment = By Server
- IpDnsFlags = Register primary domain suffix
- IpNBTEnabled = Yes
- UseFlags = Private Connection
- ConnectOnWinlogon = No.
- CoId={742CB15C-A7E0-47B7-8240-0EFA1139CBD9}: The user XXX\YYY is trying to establish a link to the Remote Access Server for the connection named ZZZ using the following device:
- Server address/Phone Number = XXX.YYY.ZZZ.KKK
- Device = WAN Miniport (PPTP)
- Port = VPN3-4
- MediaType = VPN.
- CoId={742CB15C-A7E0-47B7-8240-0EFA1139CBD9}: The user XXX\YYY has successfully established a link to the Remote Access Server using the following device:
- Server address/Phone Number = XXX.YYY.ZZZ.KKK
- Device = WAN Miniport (PPTP)
- Port = VPN3-4
- MediaType = VPN.
- CoId={742CB15C-A7E0-47B7-8240-0EFA1139CBD9}: The link to the Remote Access Server has been established by user XXX\YYY.
- CoId={742CB15C-A7E0-47B7-8240-0EFA1139CBD9}: The user XXX\YYY dialed a connection named ZZZ which has Failed. The error code returned on failure is 806.
在客户端上运行Wireshark显示它正在尝试并重试发送“71配置请求”
鉴于这是GRE流量,我认为排除GRE流量被阻止.问题是,服务器为什么不回复?
这是服务器从非功能客户端接收的配置请求(意味着没有响应发送到客户端请求):
这是服务器从工作客户端收到的配置请求:
对我来说,它们看起来是相同的,除了不同的键和幻数,以及一个客户端收到响应而另一个客户端没有收到响应的事实.
认为ISP或其他远程问题的现象.我们已经与员工远程工作了很多次. ISP或远程站点的IT部门阻止VPN流量.
还看到一些家用路由器没有正确允许PPTP的问题.我们直接连接并测试,然后指向ISP或家庭硬件